Dr. Bhavani Thuraisingham

February 2010

Building Trustworthy Semantic Webs

Lecture #14 : OWL (Web Ontology Language) and Security

204/20/23 05:04

Outline of the Unit

0 What are ontologies

0 Why is RDF not sufficient?

0 What are the security issues for ontologies

0 What is OWL?

0 OWL Syntax and Semantics

0 Security Issues with Examples

0 Example: Semantic Access Control

0 Ontology Engineering

0 Summary and Directions

304/20/23 05:04

Ontology

0 Common definitions for any entity, person or thing

0 Several ontologies have been defined and available for use

0 Defining common ontology for an entity is a challenge

0 Mappings have to be developed for multiple ontologies

0 Specific languages have been developed for ontologies

404/20/23 05:04

Why RDF is not sufficient?

0 RDF was developed as XML is not sufficient to specify semantics- E.g., class/subclass relationship

0 RDF has issues also- Cannot express several other properties such as Union,

Interaction, relationships, etc0 Need a richer language0 Ontology languages were developed by the semantic web

community for this purpose0 Essentially RDF is not sufficient to specify ontologies

504/20/23 05:04

Security and Ontology

0 Ontologies used to specify security policies- Example: OWL to specify security policies- Choice between XML, RDF, OWL, Rules ML, etc.

0 Security for Ontologies- Access control on Ontologies

=Give access to certain parts of the Ontology

604/20/23 05:04

OWL: Background

0 It’s a language for ontologies and relies on RDF

0 DARPA (Defense Advanced Research Projects Agency) developed early language DAML (DARPA Agent Markup Language)

0 Europeans developed OIL (Ontology Interface Language)

0 DAML+OIL combines both and was the starting point for OWL

0 OWL was developed by W3C

704/20/23 05:04

OWL Features

0 Subclass relationship

0 Class membership

0 Equivalence of classes

0 Classification

0 Consistency (e.g., x is an instance of A, A is a subclass of B, x is not an instance of B)

0 Three types of OWL: OWL-Full, OWL-DL, OWL-Lite

0 Automated tools for managing ontologies

- Ontology engineering

804/20/23 05:04

OWL Specification (e.g., Classes)

< owl: Class rdf: about = “#associateProfessor”>

<owl: disjointWith rdf: resource “#professor”/> <owl: disjointWith rdf: resource = #assistantProfessor”/>

</owl:Class>

<owl: Class rdf: ID = “faculty”>

<owl: equivalentClass rdf: resource = “academicStaffMember”/>

</owl: Class>

Faculty and Academic Staff Member are the same

Associate Professor is not a professor

Associate professor is not an Assistant professor

904/20/23 05:04

OWL Specification (e.g., Property)

Courses are taught by Academic staff members

< owl: ObjectProperty rdf: about = “#isTaughtby”>

<rdfs domain rdf: resource = “#course”/>

<rdfs: range rdf: resource = “#academicStaffMember”/>

<rdfs: subPropertyOf rdf: resource = #involves”/>

</owl: ObjectProperty>

1004/20/23 05:04

OWL Specification (e.g., Property Restriction)

All first year courses are taught only by professors

< owl: Class rdf: about = “#”firstyearCourse”>

<rdfs: subClassOf>

<owl: Restriction>

<owl: onProperty rdf: resource = “#isTaughtBy”>

<owl: allValuesFrom rdf: resource = #Professor”/>

</rdfs: subClassOf>

</owl: Class>

1104/20/23 05:04

Example

0 Before we discuss security for OWL and specify policies in OWL, we need to provide an example of an OWL ontology.

0 The following example describes the University Ontology. The different properties shown are DatatypeProperty (hasCredits) and ObjectProperty (hasTaught, isTaughtBy etc). Sub properties are also shown (‘hasCompleted’ is a sub property of ‘hasRegistered’). The ‘disjointWith’ property ensures that two classes do not have any individuals in common. For example, an individual from the ‘Faculty’ class cannot be an individual of the ‘Student’ class. Using sub properties, policies can be specified. In the following example, a faculty member can access the ‘AnnualReports’ only is she/he is the Dean.

0 Note that OWL uses RDF and hence XML syntax. Furthermore, OWL has more powerful reasoning capabilities.

0 The following example and subsequent security examples will make this clear.

1204/20/23 05:04

Example0 <?xml version="1.0"?>

0 <!DOCTYPE rdf:RDF [

0 <!ENTITY owl "http://www.w3.org/2002/07/owl#" >

0 <!ENTITY xsd "http://www.w3.org/2001/XMLSchema#" >

0 <!ENTITY rdfs "http://www.w3.org/2000/01/rdf-schema#" >

0 <!ENTITY rdf "http://www.w3.org/1999/02/22-rdf-syntax-ns#" >

0 ]>

0 <rdf:RDF xmlns="http://www.owl-ontologies.com/Ontology1178660130.owl#"

0 xml:base="http://www.owl-ontologies.com/Ontology1178660130.owl"

0 xmlns:xsd="http://www.w3.org/2001/XMLSchema#"

0 xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"

0 xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"

0 xmlns:owl="http://www.w3.org/2002/07/owl#">

1304/20/23 05:04

Example0 <owl:Ontology rdf:about=""/>

0 <owl:Class rdf:ID="AnnualReports">

0 <rdfs:subClassOf rdf:resource="#Department"/>

0 </owl:Class>

0 <owl:ObjectProperty rdf:ID="canAccess">

0 <rdfs:domain rdf:resource="#Faculty"/>

0 <rdfs:range rdf:resource="#AnnualReports"/>

0 <rdfs:subPropertyOf rdf:resource="#isDean"/>

0 </owl:ObjectProperty>

0 <owl:Class rdf:ID="Course">

0 <rdfs:subClassOf rdf:resource="#Department"/>

0 </owl:Class>

0 <owl:Class rdf:ID="Department"/>

0 <owl:Class rdf:ID="Faculty">

1404/20/23 05:04

Example0 <rdfs:subClassOf rdf:resource="#Department"/>

0 <owl:disjointWith rdf:resource="#Student"/>

0 <owl:disjointWith rdf:resource="#Staff"/>

0 </owl:Class>

0 <owl:ObjectProperty rdf:ID="hasCompleted">

0 <rdfs:subPropertyOf rdf:resource="#hasRegistered"/>

0 </owl:ObjectProperty>

0 <owl:DatatypeProperty rdf:ID="hasCredits">

0 <rdfs:domain rdf:resource="#Course"/>

0 <rdfs:range rdf:resource="&xsd;int"/>

0 </owl:DatatypeProperty>

0 <owl:ObjectProperty rdf:ID="hasDean">

0 <rdfs:domain>

0 <owl:Class>

1504/20/23 05:04

Example0 <owl:unionOf rdf:parseType="Collection">

0 <owl:Class rdf:about="#Course"/>

0 <owl:Class rdf:about="#Department"/>

0 <owl:Class rdf:about="#Faculty"/>

0 <owl:Class rdf:about="#Staff"/>

0 <owl:Class rdf:about="#Student"/>

0 </owl:unionOf>

0 </owl:Class>

0 </rdfs:domain>

0 <rdfs:range rdf:resource="#Faculty"/>

0 </owl:ObjectProperty>

0 <owl:DatatypeProperty rdf:ID="hasName">

0 <rdfs:domain>

0 <owl:Class>

1604/20/23 05:04

Example

0 <rdfs:range rdf:resource="#Faculty"/>

0 </owl:ObjectProperty>

0 <owl:DatatypeProperty rdf:ID="hasName">

0 <rdfs:domain>

0 <owl:Class>

0 <owl:unionOf rdf:parseType="Collection">

0 <owl:Class rdf:about="#Department"/>

0 <owl:Class rdf:about="#Faculty"/>

0 <owl:Class rdf:about="#Staff"/>

0 <owl:Class rdf:about="#Student"/>

0 </owl:unionOf>

0 </owl:Class>

0 </rdfs:domain>

0

1704/20/23 05:04

Example

0 <rdfs:range rdf:resource="&xsd;string"/>

0 </owl:DatatypeProperty>

0 <owl:ObjectProperty rdf:ID="hasPrerequisite">

0 <rdf:type rdf:resource="&owl;TransitiveProperty"/>

0 <owl:inverseOf rdf:resource="#isPrerequisiteOf"/>

0 </owl:ObjectProperty>

0 <owl:ObjectProperty rdf:ID="hasRegistered">

0 <rdfs:domain rdf:resource="#Student"/>

0 <rdfs:range rdf:resource="#Course"/>

0 </owl:ObjectProperty>

0 <owl:ObjectProperty rdf:ID="isDean">

0 <rdfs:domain rdf:resource="#Faculty"/>

0 <rdfs:range rdf:resource="&xsd;boolean"/>

0

1804/20/23 05:04

Example

0 </owl:ObjectProperty>

0 <owl:ObjectProperty rdf:ID="isPrerequisiteOf">

0 <rdf:type rdf:resource="&owl;TransitiveProperty"/>

0 <owl:inverseOf rdf:resource="#hasPrerequisite"/>

0 </owl:ObjectProperty>

0 <owl:Class rdf:ID="Staff">

0 <rdfs:subClassOf rdf:resource="#Department"/>

0 <owl:disjointWith rdf:resource="#Student"/>

0 <owl:disjointWith rdf:resource="#Faculty"/>

0 <rdfs:comment rdf:datatype="&xsd;string"

0 >This class represents the non-teaching, non-student members of the

0 department</rdfs:comment>

0 </owl:Class>

0

1904/20/23 05:04

Example0 <owl:Class rdf:ID="Student">

0 <rdfs:subClassOf rdf:resource="#Department"/>

0 <owl:disjointWith rdf:resource="#Staff"/>

0 <owl:disjointWith rdf:resource="#Faculty"/>

0 </owl:Class>

0 <owl:ObjectProperty rdf:ID="taughtBy">

0 <rdfs:domain rdf:resource="#Course"/>

0 <rdfs:range rdf:resource="#Faculty"/>

0 <owl:inverseOf rdf:resource="#teachesCourse"/>

0 </owl:ObjectProperty>

0

2004/20/23 05:04

Example

0 <owl:ObjectProperty rdf:ID="teachesCourse">

0 <rdf:type rdf:resource="&owl;InverseFunctionalProperty"/>

0 <rdfs:domain rdf:resource="#Faculty"/>

0 <rdfs:range rdf:resource="#Course"/>

0 <owl:inverseOf rdf:resource="#taughtBy"/>

0 </owl:ObjectProperty>

0 </rdf:RDF>

2104/20/23 05:04

Policies in OWL

0 How can policies be specified?0 Should policies be specified as shown in the examples,

extensions to OWL syntax?0 Should policies be specified as OWL documents?0 Is there an analogy to XPath expressions for OWL policies?

- <policy-spec cred-expr = “//Professor[department = ‘CS’]” target = “annual_ report.xml” path = “//Patent[@Dept = ‘CS’]//Node()” priv = “VIEW”/>

2204/20/23 05:04

Policies in OWL: Example

< owl: Class rdf: about = “#associateProfessor”>

<owl: disjointWith rdf: resource “#professor”/> <owl: disjointWith rdf: resource = #assistantProfessor”/>

Level = L1

</owl:Class>

<owl: Class rdf: ID = “faculty”>

<owl: equivalentClass rdf: resource = “academicStaffMember”/>

Level = L2

</owl: Class>

2304/20/23 05:04

Example

0 “Only those attending a class from a professor has read access to the lecture notes of the professor”

0 Below we specify this policy in OWL.

0 <owl:Class rdf:ID="BhavaniLectureNotesCS609">

0 <rdfs:subClassOf rdf:resource="http://localhost/unionto#LectureNotes"/>

0 </owl:Class>

0 <owl:Class rdf:ID="CS609Students">

0 <rdfs:subClassOf rdf:resource="http://localhost/unionto#Students"/>

0 </owl:Class>

0 <owl:ObjectProperty rdf:ID="canAccess">

0 <rdfs:domain rdf:resource="#CS609Students"/>

0 <rdfs:range rdf:resource=" http://localhost/unionto# BhavaniLectureNotesCS609"/>

0 </owl:ObjectProperty>

2404/20/23 05:04

Example Policies

0 Temporal Access Control

- After 1/1/05, only doctors have access to medical records

0 Role-based Access Control

- Manager has access to salary information

- Project leader has access to project budgets, but he does not have access to salary information

- What happens is the manager is also the project leader?

0 Positive and Negative Authorizations

- John has write access to EMP

- John does not have read access to DEPT

- John does not have write access to Salary attribute in EMP

- How are conflicts resolved?

2504/20/23 05:04

Privacy Policies

0 Privacy constraints processing

- Simple Constraint: an attribute of a document is private

- Content-based constraint: If document contains information about X, then it is private

- Association-based Constraint: Two or more documents taken together is private; individually each document is public

- Release constraint: After X is released Y becomes private

0 Augment a database system with a privacy controller for constraint processing

2604/20/23 05:04

Access Control Strategy0 Subjects request access to OWL documents under two modes: Browsing and

authoring

- With browsing access subject can read/navigate documents- Authoring access is needed to modify, delete, append documents

0 Access control module checks the policy based and applies policy specs0 Views of the document are created based on credentials and policy specs0 In case of conflict, least access privilege rule is enforced0 Works for Push/Pull modes0 Query Modification?

2704/20/23 05:04

System Architecture for Access Control

UserPull/Query Push/result

OWLDocuments

RDF-Access

RDF-AdminAdmin Tools

Policybase

Credentialbase

2804/20/23 05:04

OWL Databases

0 Data is presented as OWL documents

0 Query language? OWL=QL?

0 Query optimization (depends on query language)

0 Managing transactions on OWL documents

0 Metadata management: OWL schemas?

0 Access methods and index strategies

0 OWL security and integrity management

2904/20/23 05:04

Inference/Privacy Control

Policies

Ontologies

Rules

OWL Data ManagementOWLDocumentsWeb Pages, Databases

Inference Engine/Rules Processor(Reasoning in OWL?)

Interface to the Semantic WebTechnologyBy UTD

3004/20/23 05:04

Semantic Access Control

Ashraful AlamDr. Bhavani Thuraisingham

3104/20/23 05:04

Semantic Access Control (SAC)

Traditional Access Control

Traditional Access Control Semantic WebSemantic Web

Semantic Access ControlSemantic Access Control

3204/20/23 05:04

Motivation

0 Shortcomings of Traditional Access Control

- Proprietary systems

- Lack of modularity

- Changes in access control schemas break the system

- Changes in data schemas break the system

- Path to resources (e.g., XPATH) is clumsy

//school/department/professor/personal/ssn – LONG!

- Non-optimal for distributed/federation environment

3304/20/23 05:04

Modularity Problem

People this policy applies to

Resources this policy applies to

Actions allowed for this policyTarget

Box

3404/20/23 05:04

SAC Ontology

0 Written in OWL (Web Ontology Language)0 User-centric0 Modular0 Easily extensible0 Available at :

http://utd61105.campus.ad.utdallas.edu/geo/voc/newaccessonto

3504/20/23 05:04

SAC Components

0 Subjects: Software Agents or Human clients0 Resources: Assets exposed through WS0 Actions: Read, Write, Execute0 Conditions: Additional constraints (e.g., geospatial

parameters) on policy enforcement

Resources

Subjects

ActionsCondition

Policy Set

3604/20/23 05:04

Application: Geo-WS Security

0 Data providers (e.g., geospatial clearinghouses, research centers) need access control on serviceable resources.

0 Access policies have geospatial dimension

- Bob has access on Building A

- Bob does NOT have access on Building B

- Building A and B have overlapping area

0 Current access control mechanisms are static and non-modular.

3704/20/23 05:04

Geo-WS Security: Architecture

ClientClientDAGIS

DAGIS

Geospatial Semantic WS Provider

Enforcement Module

Decision Module

Authorization Module

Semantic-enabled Policy DB

Web Service Client Side Web Service Provider Side

3804/20/23 05:04

Geo-WS Security: Semantics

0 Policy rules are based on description logic (DL).

0 DL allows machine-processed deductions on policy base.

0 Example 1:

- DL Rule: ‘Stores’ Inverse ‘Is Stored In’

- Fact: Airplane_Hanger(X) ‘stores’ Airplane(Y)

0 Example 2:

- DL Rule: ‘Is Located In’ is Transitive.

- Fact: Polygon(S) ‘Is Located In’ Polygon(V)

Polygon(V) ‘Is Located In’ Polygon(T)

3904/20/23 05:04

Secure Inferencing

Geospatial DataStore

Semantic-enabled Policy DB

Inferencing Module

Obvious facts

Deduced facts

4004/20/23 05:04

Geo-WS Security: Example

0 Resource :=

Washington, Oregon, California, West Coast

0 Rule:=

West Coast = WA Union OR Union CA

0 Policy:=

- Subject:= Bob

- Resources:= WA, OR, CA

- Action:=Read

0 Query: Retrieve Interstate Highway topology of West

Coast

4104/20/23 05:04

SAC in Action

0 Environment: University Campus0 Campus Ontology

http://utd61105.campus.ad.utdallas.edu/geo/voc/campusonto

0 Main Resources- Computer Science Building- Pharmacy Building- Electric Generator in each Building

4204/20/23 05:04

SAC in Action

0 User Access: - Bob has ‘execute’ access to all Building Resources- Bob doesn’t have any access to CS Building- Bob has ‘modify’ access to Building resources within a

certain geographic extent0 Policy File located at

http://utd61105.campus.ad.utdallas.edu/geo/voc/policyfile1

4304/20/23 05:04

SAC Improvements

0 Subjects, Resources, Actions and Conditions are defined independently

0 Reduced policy look-up cost -- only policies related to the requester is processed

0 No long path name!

4404/20/23 05:04

Distributed Access Control

Travel Site Reimbursement Site Bank Site

Travel Data& Ontology

ReimbursementData

Bank Site& Ontology

Client Query Interface

Middleware

4504/20/23 05:04

Semantic web technologies discussed so far

0 XML, XML Schema

0 RDF, RDF Schema

0 Ontology, OWL

0 Logic, Rules, Inference

0 Some discussion of security issues for each technology

- Policy specification, Securing documents

4604/20/23 05:04

Types of Application

0 Horizontal Information Products at Elsevier: Integration

0 Data integration at Audi: Integration

0 Skill finding at Swiss Life: Search

0 Think Tank Portal at EnterSearch: Knowledge man agent

0 E-Learning: Knowledge management

0 Web Services: Web services (for any of the other applications discussed)

0 Multimedia Collection at Scotland Yard: Searching

0 Online Procurement at Daimler Chrysler: E-Business

0 Device Interoperability at Nokia: Interoperability

4704/20/23 05:04

Revisiting Ontology

0 Common definitions for any entity, person or thing

0 Several ontologies have been defined and available for use

0 Defining common ontology for an entity is a challenge

0 Mappings have to be developed for multiple ontologies

0 Specific languages have been developed for ontologies

- RDF, OWL, DAML+OIL, etc.

4804/20/23 05:04

What is Ontology Engineering?0 Tools and Techniques to

- Create Ontologies

- Specify Ontologies

- Maintain Ontologies

- Query Ontologies

- Evolve Ontologies

- Reuse Ontologies

- Incorporate features such as security, data quality, integrity

4904/20/23 05:04

Manual Construction of Ontologies0 Determine Scope

0 Consider Reuse

0 Enumerate Terms

0 Define Taxonomy

0 Define Properties

0 Define facets

0 Define Instances

0 Check for Anomalies

5004/20/23 05:04

Reusing Existing Ontologies0 The goal is not to reinvent the wheel

0 Several ontologies have been developed for different domains

0 Codieid Bodies of Expert Knowledge

0 Integrated Vocabularies

0 Upper Level Ontologies

0 Topic Hierarchies

0 Linguistic Resources

0 Ontology Libraries

5104/20/23 05:04

Semi/Automatics Methods for Ontology Generation

0 Much of the research is focusing on developing ontologies using tools from multiple heterogeneous data sources

0 Essentially extracting concepts and expanding on concepts from the data sources

0 Uses combination of data integration, metadata extraction, and machine learning techniques

0 E.g. Clustering of concepts, Classification of concepts etc.0 Text Book describes Semantic Web Knowledge Management

Architecture

5204/20/23 05:04

What is Knowledge Management?

0 Knowledge management, or KM, is the process through which organizations generate value from their intellectual property and knowledge-based assets

0 KM involves the creation, dissemination, and utilization of knowledge

0 Ontologies are a form of Knowledge?

0 Reference: http://www.commerce-database.com/knowledge-management.htm?source=google

5304/20/23 05:04

Summary and Directions

0 Ontologies are a necessity for the web0 OWL is getting recognition; several other ontology languages

(DAML, OIL, etc.)0 Very little work on security and ontologies?0 How can we specify the policies in OWL?0 How can query modification be carried out for OWL

documents?0 Design access control for OWL databases0 Need tools for developing semantic web technologies

- XML documents, RDF documents, Ontologies, etc.0 How to integrate the multiple ontologjes and tools?0 Security and Ontologies0 Security engineering and ontology engineering