Policy Representation

1
Policy Representation Reasoning

• Juri L. De Coi, Philipp Kärger, Daniel Olmedilla,
  Sergej Zerr
• L3s Research Center / Leibniz Hannover University
• L3S Research Seminar
• Hannover, 18th April, 2008

2
Outline

• Introduction to Policy Representation Reasoning
• Motivation, requirements, state of the art
• L3S Policy framework
• Protune in a Nutshell framework and language
• Protune in Action Policies on the Web
• Static content protection and dynamic generation
• Reactive Policies, Current and Further Policy
  Work
• Event reactivity, research ideas

3
IntroductionPolicy Representation Reasoning

• Daniel Olmedilla

4
Policy Representation ReasoningProblem

• Institutions, companies and people need to
  control the way they
• Make business
• Take decisions
• Offer their assets
• Etc
• Computers help us on our daily work performing
  tasks
• that we cannot perform (or we do it worse)
• hard to control manually, time-consuming,
  expensive, error-prone
• automatically on our behalf
• But generally, we need to control how decisions
  and actions are taken

5
Policy Representation ReasoningWhat is a
Policy?

• Wikipedia
• deliberate plan of action to guide decisions and
  achieve rational outcome(s)
• Not necessarily related to IT
• In an IT setting
• Set of considerations designed to guide decisions
  of courses of actions
• Broad definition
• Set of statements defining the behaviour of an
  entity in a given situation

5
6
Policy Representation ReasoningPolicies are
everywhere (I)

• Rules of ethics for robots
• A robot may not injure a human being or, through
  inaction, allow a human being to come to harm.
• A robot must obey orders given to it by human
  beings, except where such orders would conflict
  with the First Law.
• A robot must protect its own existence as long as
  such protection does not conflict with the First
  or Second Law.

6
7
Policy Representation ReasoningPolicies are
everywhere (II)
Declarative
7
8
Policy Representation ReasoningPolicies are
everywhere (III)
9
Policy Representation ReasoningPolicies are
everywhere (IV)

• B2B contracts
• e.g. quantity flexible contracts, late delivery
  penalties, etc.
• Negotiation
• e.g. rules associated with auction mechanisms
• Security
• e.g. access control policies
• Privacy
• Information Collection Policies (aka P3P
  Privacy Policies)
• Obfuscation Policies
• Workflow management
• What to do under different sets of conditions
• Context aware computing
• What service to invoke to access a particular
  contextual attribute
• Context-sensitive preferences

by Norman Sadeh, Semantic Web Policy Workshop
panel, ISWC 2005
9
10
Policy Representation ReasoningThe goal

• Build applications/agents where
• Behaviour is flexible
• Can be changed/updated dynamically
• without re-coding, re-compiling, re-installing,
  etc
• In a costless manner
• Can be managed by administrators/users without
  needing to be computer experts
• Can be understood by normal users

11
Policy Representation ReasoningBenefits

• Explicit license for autonomous behaviour
• Reusability
• Efficiency
• Extensibility
• Context-sensitivity
• Verifiability
• Support for simple as well as sophisticated
  agents
• Protection from poorly-designed, buggy or
  malicious agents
• Reasoning about agent behaviour
• Compact representation, possibly declarative
• Etc.

12
Policy Representation ReasoningRequirements /
Challenges

• Many policies, one framework
• Conflict Resolution
• Integration with external sources
• Policies as active objects
• Executing actions
• Negotiations
• User awareness and control
• Cooperative enforcement

13
Policy Representation Reasoning Many policies,
one framework (I)

• The term policy covers
• Security/Privacy policies, Trust management
• Business rules
• Quality of Service directives
• Service-level agreements
• Communication and conversation policies
• and more...
• In many cases they are interleaved
• If customers are younger than 26 give a 20
  discount on international tickets
• Up to 15 of network bandwidth can reserved if
  payment is done with an accepted credit card
• Customers can rent a car if they are 18 or older,
  and exhibit a driving license and a valid credit
  card

14
Policy Representation ReasoningMany policies,
one framework (II)

• It is appealing to integrate all policies in one
  framework
• One common infrastructure
• for interoperability and decision making
• Where policies can be harmonized coordinated

15
Policy Representation ReasoningConflict
Resolution (I)
Positive authorization
You can access file123.txt
Obligation
You must inform your boss
Negative authorization
You can not access file123.txt
Dispensation
You dont need to inform your boss
15
16
Policy Representation ReasoningConflict
Resolution (II)

• Security typically assumes everything is denied
  by default ? no need for disallow policies
• The cost of disclosing a sensitive resource is
  higher than not disclosing a public one
• But, if there exists the need, then it is
  required to provide techniques for
• Conflict detection
• Conflict harmonization

17
Policy Representation ReasoningIntegration
with external systems

• Policies are not islands
• Decisions need data, information, and knowledge
• Each organization has its own
• Already available through legacy software and
  data
• A realistic solution must interoperate with them
• Third parties
• Credit card sites for validity checking
• External databases
• Variety of web resources

17
18
Policy Representation ReasoningNegotiations (I)
Bob
Alice
19
Policy Representation ReasoningNegotiations
(II)

• Used for
• Access control
• Service-level agreements
• Dynamic contracts
• E.g., in web service composition
• Autonomic computing
• Pervasive environments
• E.g., sensor networks
• Etc.

20
Policy Representation ReasoningUser awareness
and control

• Explain policies and system decisions
• Make rules reasoning intelligible to the common
  user
• Encourage people to personalize their policies
• Make it easy for users to write their own rules

20
21
Policy Representation ReasoningCooperative
Policy Enforcement

• Crucial for the success of a service
• Never say (only) no!
• Encourage first-time users
• Who don't know how to use your service
• Explain policy decisions
• Especially failures
• Advanced queries Why not
• Advanced queries How-to, What-if

You cant open this door, but you can ask Alice
for permission
22
Policy Representation ReasoningMain State of
the Art Approaches

• Ponder
• OO language, well established, focus on network
  management
• XACML
• Standard by OASIS, it being taken up by companies
• KAOS
• Based on DL reasoning
• REI
• Combination of DL representation and LP semantics
• PeerTrust
• Based on guarded distributed logic programs
• And many others

22
23
Protune policy framework
(not too)
technical details

• Juri Luca De Coi

24
Protune Policy FrameworkOutline

• Getting started
• Protune Features
• Usability issues

25
Getting started
26
Protune Policy FrameworkOverview
Alice
Bob
Policy .
Request
Intelligent policy engine
27
Protune Policy Framework Just to get the
flavor...
IF conditions are fullfilled THEN allow action

• disclose(/EWSCpaper2008.pdf) ?
• sendL3SEmployeeId.
• disclose(X) ?
• status(X, published).
• status(/EWSCpaper2007.pdf, published).
• status(/EWSCpaper2008.pdf, notPublished).

EWSCpaper2008.pdf can be disclosed to the other
peer if it has sent an L3S employee id.
A resource can be disclosed if its status is
published
28
Protune Features
29
Protune Policy Framework Standard example

• disclose(X) ?
• status(X, notPublished),
• sendL3SEmployeeId.
• status(/EWSCpaper2007.pdf, published).
• status(/EWSCpaper2008.pdf, notPublished).

Actions may be needed in order to make decisions
30
Protune Policy Framework Metapolicy type

• disclose(X) ?
• status(X, notPublished),
• sendL3SEmployeeId.
• status(/EWSCpaper2007.pdf, published).
• status(/EWSCpaper2008.pdf, notPublished).
• sendL3SEmployeeId-gttypeaction.
• status(X, Y)-gttypelogical.

Usual predicate
Action
31
Protune Policy Framework Metapolicy actor
Who executes the action?

• disclose(X) ?
• status(X, notPublished),
• sendL3SEmployeeId.
• status(/EWSCpaper2007.pdf, published).
• status(/EWSCpaper2008.pdf, notPublished).
• sendL3SEmployeeId-gttypeaction.
• sendL3SEmployeeId-gtactorpeer.
• status(X, Y)-gttypelogical.

The requester?
The local system?
A third party?
32
Protune Policy Framework Available actions

• Access to relational databases
• Access to RDF repositories
• Credential exchange
• Searching of regular expressions within a file
• Interface to an LDAP server
• Time and location management

33
Protune Policy Framework Explanations
34
Usability issues
35
Protune Policy Framework Usability issues

• download(User, Resource) ?
• authenticated(User),
• have(User, Subscription),
• availableFor(Subscription, Resource).
• authenticated(Bob).
• have(Bob, lncsSubscription).
• availableFor(lncsSubscription, ESWCpaper2007.pdf).
  
• authenticated(User)-gttypelogical.
• availableFor(Subscription, Resource)-gttypelogical
  .
• have(User, Subscription)-gttypelogical.

Every user who is authenticated and who has a
subscription that is available for a resource can
download the resource.
36
Protune Policy Framework Using natural language
Problem

• How to deal with ambiguities?

37
Protune Policy Framework Using natural language
Ambiguities (I)
Bob looks at the girl on the hill with a telescope
38
Protune Policy Framework Using natural language
Ambiguities (II)
2 girls lift 2 tables
39
Protune Policy Framework Solution Use a
controlled natural language

• What does controlled mean?
• Rules are used in order to automatically
  disambiguate ambiguous sentences
• Bob looks at the girl on the hillwith a
  telescope
• Only a subset of valid English sentences are
  valid sentences

Example disambiguation rule Propositional
phrases refer to the predicate of the sentence
40
Protune Policy Framework Disambiguation using
ACE (I)
Bob looks at the girl on the hill with a telescope
Bob looks with a telescope at the girl who is on
the hill.
Bob looks at the girl on the hill with a
telescope.
Bob looks at the girl who is on the hill with a
telescope.
41
Protune Policy Framework Disambiguation using
ACE (II)
2 girls lift 2 tables
2 girls lift 2 tables.
Each of 2 girls lifts one table.
Each of 2 girls lifts 2 tables.
42
Protune Policy Framework The ACE ? Protune
translation (I)
Every user who is authenticated and who has a
subscription that is available for a resource can
download the resource.
drs(, drs(A, B, C, D, E, F, G, H,
object(A, user, countable, na, eq, 1)-1,
property(B, authenticated, pos)-1,
predicate(C, be, A, B)-1, object(D,
subscription, countable, na, eq, 1)-1,
object(E, resource, countable, na, eq, 1)-1,
property(F, available, pos)-1,
predicate(G, be, D, F)-1, modifier_pp(G,
for, E)-1, predicate(H, have, A, D)-1
) gt drs(, ltgt drs(I,
predicate(I, download, A, E)-1 )
) ).
download(User, Resource) ? authenticated(User),
availablefor(Subscription, Resource),
have(User, Subscription).
43
Protune Policy Framework The ACE ? Protune
translation (II)
Every user who provides a declaration
whose username is the user's name and whose
password is the user's password is authenticated.
authenticated(User) ? User.nameUsername,
User.passwordPassword, provide(User,
Declaration), Declaration.passwordPassword,
Declaration.usernameUsername.
44
Protune Policy Framework The ACE ? Protune
translation (III)

• Every user who sends a credential
• that is valid and
• whose type is "creditCard" and
• whose owner is authenticated and
• on which a price is charged
• pays the price with "creditCard".

'paywith'(User, Price, creditCard) ?
valid(Credential), Credential.typecreditCard,
authenticated(Owner), 'chargedon'(Price,
Credential), send(User, Credential),
Credential.ownerOwner.
45
Policy Based Protection and Personalized
Generationof Web Content

• Sergej Zerr

46
Protune in Action Policies on the WebTrust
within an Open Environment
Bookstore Web server
LMS
47
Protune in Action Policies on the WebUsing
Trust Negotiation
Web Package
x
Applet
Servlet Container (e.g Tomcat)
var protectedResources new Array(
http//test.de/test.jsp )
ltpoljsppolicycondition policyname "exchangedCred
ential(member) gt ltpoljspiftruegtSuccess!!
lt/poljspiftruegt lt/poljsppolicyconditiongt
PolicyFilter.Jar
48
1. Reactive Policies2. More policy research
topics

• Philipp Kärger

49
Reactive PoliciesWhile doing valuable research
Always accept files sent by L3S members but only
if its not an exe file.
L3S members can only call me during business
hours.
My students can call me only on Wednesday
morning. After the semester, deny their calls.
Show my date of birth only to family members.
Automatically accept share contact dates for
L3S members and for the contacts of my family.
Notify me if one of my contacts has birthday and
goes online.
If someone phones me while I am on a call, deny
the call and open a chat instead.
50
Reactive PoliciesCurrent Policies

• they define under which conditions things are
  true, e.g.,
• who exactly gets access
• why we grant access
• what is needed to get access

51
Reactive PoliciesWhat is a reactive policy?

• But what is missing in
• current policy frameworks?
• When is the policy evaluated?
• ? Triggering Events
• What exactly happens if a policy is evaluated to
  true or false?
• ? Actions (as reactions to events)

IF EVENT call comes in HAPPENS AND I am on
another call HOLDS PERFORM ACTION deny call and
open chat
If someone phones me while I am on a call, deny
the call and open a chat instead.
Reactivity!
1. client gets discount IF client is a VIP
client 2. client is a VIP client IF client
bought for gt200Euro
client gets discount IF client is a VIP
client client is a VIP client IF client
bought for gt200Euro
IF EVENT car appears HAPPENS AND car is too
fast HOLDS PERFORM ACTION take picture and send
it to PD
52
Reactive PoliciesReactivity

• Reactivity in Databases
• Active Database Systems, Book, 1995
• many more
• Reactivity on the web
• An Event Condition Action Language for XML,
  WWW2002
• EDBT 2006 Workshop Reactivity on the Web
• REWERSE Work Package Evolution and Reactivity
• some more

53
Reactive PoliciesApproach

• Claim
• We need policies that allow for reactivity.
• Solution
• Reactive Policies
• also called Event Condition Action Policies

54
Reactive PoliciesEvent Condition Action Policies

• always three components
• Event when is the rule evaluated
• Condition what has to be satisfied
• Action what is the reaction to the event
• ON a call comes inIF I am on another callDO
  deny call and open chat

If someone phones me while I am on a call, deny
the call and open a chat instead.
55
Reactive PoliciesSolution

• How do we get all this to work?
• r³ and Protune
• Combining a Reactive Framework and a Policy
  Framework

56
Reactive Policiesr3 Resourceful Reactive Rules

• (developed at the AI Center, Universida de Nova
  de Lisboa (Portugal))
• (Semantic) Web Rule Engine for Reactive Rules
• evaluates rules of the form
• ltrulegt
• lteventgtmyEventLanguageSkypeCallComesIn(User)lt/ev
  entgt
• ltconditiongtmyConditionLanguageisNotTrusted(User)
  lt/conditiongt
• ltactiongtmyActionLanguagedenyCall(User)lt/actiongt
• lt/rulegt
• plugging in arbitrary languages makes it really
  flexible

57
Reactive PoliciesCombining r3 and Protune
any event language (e.g., XChange, Prova)
Protune goals
ltrulegt lteventgtmyEventLanguageSkypeCallComesIn(Us
er)lt/eventgt ltconditiongtPROTUNEisNotTrusted(User)
lt/conditiongt ltactiongtPROTUNEdenyCall(User)lt/acti
ongt lt/rulegt
Protune external actions
58
Reactive PoliciesBenefits
enhance reactivity with policies

• Protune
• allows for negotiations, information exchange
• provides explanations
• allows for (external) actions

• r³
• allows for arbitrary event languages
• evalutates Event Condition Action rules
• handles the binding across events, conditions,
  actions

making policies reactive
59
Reactive Policies Summary

• Reactive Policies policy-enabled Reactivity
• policies need some kind of reactivity
• no current policy framework allows for reactivity
• no current reactive rule framework allows for
  policies
• ECA policies
• provide access control
• provide semantics for events and actions
• combining r³ and Protune merges both worlds
• advanced access control with policies
• engine for reactive rules extends

60
More research ideas

• Daniel, Juri, Philipp, Sergej, and some more

61
More research ideasOutline

• Changing policies while negotiating.
• Using preferences to guide decisions in
  negotiations.
• Access control to RDF repositories.
• Access control for desktop sharing.

62
More research ideas 1. Changing policies while
negotiating

• Problem What if I change my policies while my
  agent is negotiating?

Policy Only university members can call me.
I want to call you via Skype.
Ok, you have to prove that you work for L3S.
New Policy Only L3S members can call me.

63
More research ideas 2. Preferences guiding
negotiations

• Problem What if there are two possibilities to
  succeed in a negotiation?

I prefer to disclose my Student ID instead of
disclosing my passport.
Philipp Kärger, Daniel Olmedilla, Wolf-Tilo
Balke Using Preferences for Credential
Disclosure in Policy-Driven Trust Negotiations.
Just submitted.
64
More research ideas 3. Access control to RDF
repositories

• RDF data is accessible only under certain
  conditions.
• Problem how to enforce this for querying?

RDF store (sensitive data)
Return all triples FROM the ones I am
interested in WHERE my conditions are true.
Return all triples FROM the ones I am
interested in WHERE my conditions are true
AND the policys conditions are true.
expansion
Fabian Abel, Juri Luca De Coi, Nicola Henze, Arne
W. Koesling, Daniel Krause, Daniel
Olmedilla Enabling Advanced and
Context-Dependent Access Control in RDF
Stores. ISWC 2007
Policies conditions that have to be fulfilled to
access information.
65
More research ideas 4. Access control for
desktop sharing (I)
I want access to your private document.
Metadataauthor title date inverted
index
Juri L. De Coi, Ekaterini Ioannou, Arne Koesling,
and Daniel Olmedilla. Access control for
sharing semantic data across desktops. Workshop
on Privacy Enforcement and Accountability with
Semantics (PEAS), 2007.
Is there a document containing FBI in the
title?
66
More research ideas 4. Access control for
desktop sharing (II)
Pre-evaluate for each file, each metadata, and
each user.
Policies
Policies Who is allowed to see what metadata of
what file under which conditions.
67
End of the SeminarLet us give you a policy

• ON seminar just finished
• IF you liked it
• OR
• you had fun
• OR
• you learned something
• OR
• you liked the ice cream
• DO big applause ?

68
Thanks!
Questions? decoi_at_L3S.de
http//www.L3S.de/web/DECOI kaerger_at_L3S.de
http//www.L3S.de/kaerger olmedilla_at_L3S.de
http//www.olmedilla.info/ zerr_at_L3S.de
http//www.L3S.de/web/ZERR
69
References

• Antoniou et al., Rule-based policy specification.
  Secure Data Management in Decentralized Systems.
  Springer, 2007.http//www.l3s.de/olmedilla/pub/2
  007/2007_bookDDMS_rule_policies.pdf
• Bonatti, Olmedilla. Rule-based policy
  representation and reasoning for the semantic
  web. In Reasoning Web, Third International Summer
  School 2007. Springer.http//www.l3s.de/olmedill
  a/pub/2007/2007_ReasoningWeb-policies.pdf
• Antoniou et al. (Eds.) Reasoning Web 2007.
  Springer LNCS 4636, pp.1153
• Bradshaw et al., Making Agents Acceptable to
  people, Intelligent technologies for information
  analysis Advances in agents, data mining and
  statistical learning. Springerhttp//www.ihmc.us/
  research/projects/KAoS/biit-jeff.pdf