policy representation & reasoning

Policy Representation & Reasoning. Juri L. De Coi, Philipp Kärger, Daniel Olmedilla, Sergej Zerr. L3s Research Center / Leibniz Hannover University. L3S Research Seminar, Hannover, 18th April, 2008


Page 1: Policy Representation & Reasoning

Policy Representation & Reasoning

Juri L. De Coi, Philipp Kärger, Daniel Olmedilla, Sergej Zerr

L3s Research Center / Leibniz Hannover University

L3S Research Seminar, Hannover, 18th April, 2008

Page 2: Policy Representation & Reasoning

De Coi, Kärger, Olmedilla, Zerr 2

Best Student Award at VIT: Sukriti Ramesh

CONGRATULATIONS!!

Because of
• Academic performance (last 4 years)
• Personality & communication skills
• Social work
• Project work (including L3S)
  - Even though it was with Odysseas

But especially because of her answer to: what does Mahatma Gandhi's phrase "See no evil, hear no evil, speak no evil" mean for you? Ask her for details!

April 18th, 2008 2L3S Research Seminar

Page 3: Policy Representation & Reasoning

Increasing Seminar Attendance: Seminar Appeal

Wolfgang and Wolf-Tilo agree with the formula

They wanted to take an action, as the winners in the L3S Workshop did, so they decided to

Sponsor ice cream today! Voluntarily!!!!!

Page 4: Policy Representation & Reasoning

Outline

• Introduction to Policy Representation & Reasoning
  - Motivation, requirements, state of the art
• L3S Policy framework
  - Protune in a Nutshell: framework and language
• Protune in Action: Policies on the Web
  - Static content protection and dynamic generation
• Reactive Policies, Current and Further Policy Work
  - Event reactivity, research ideas

Page 5: Policy Representation & Reasoning

Introduction: Policy Representation & Reasoning

Daniel Olmedilla

Page 6: Policy Representation & Reasoning

Policy Representation & Reasoning: Problem

• Institutions, companies and people need to control the way they
  - Do business
  - Take decisions
  - Offer their assets
  - Etc.
• Computers help us in our daily work, performing tasks that we cannot perform (or that we do worse)
  - hard to control manually, time-consuming, expensive, error-prone
  - automatically on our behalf
• But generally, we need to control how decisions and actions are taken

Page 7: Policy Representation & Reasoning

Policy Representation & Reasoning: What is a Policy?

• Wikipedia: deliberate plan of action to guide decisions and achieve rational outcome(s)
  - Not necessarily related to IT
• In an IT setting: set of considerations designed to guide decisions of courses of actions
• Broad definition: set of statements defining the behaviour of an entity in a given situation

Page 8: Policy Representation & Reasoning

Policy Representation & Reasoning: Policies are everywhere (I)

Rules of ethics for robots

1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.

2. A robot must obey orders given to it by human beings, except where such orders would conflict with the First Law.

3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

[Isaac Asimov. Runaround. 1942]

Page 9: Policy Representation & Reasoning

Policy Representation & Reasoning: Policies are everywhere (II)

Declarative

Page 10: Policy Representation & Reasoning

Policy Representation & Reasoning: Policies are everywhere (III)

Page 11: Policy Representation & Reasoning

Policy Representation & Reasoning: Policies are everywhere (IV)

• B2B contracts
  - e.g. quantity flexible contracts, late delivery penalties, etc.
• Negotiation
  - e.g. rules associated with auction mechanisms
• Security
  - e.g. access control policies
• Privacy
  - Information Collection Policies (aka "P3P Privacy Policies")
  - Obfuscation Policies
• Workflow management
  - What to do under different sets of conditions
• Context aware computing
  - What service to invoke to access a particular contextual attribute
  - Context-sensitive preferences

[by Norman Sadeh, Semantic Web Policy Workshop panel, ISWC 2005]

Page 12: Policy Representation & Reasoning

Policy Representation & Reasoning: The goal

Build applications/agents where
• Behaviour is flexible
• Can be changed/updated dynamically without re-coding, re-compiling, re-installing, etc.
• In a costless manner
• Can be managed by administrators/users without needing to be computer experts
• Can be understood by normal users

Page 13: Policy Representation & Reasoning

Policy Representation & Reasoning: Benefits

• Explicit license for autonomous behaviour
• Reusability
• Efficiency
• Extensibility
• Context-sensitivity
• Verifiability
• Support for simple as well as sophisticated agents
• Protection from poorly-designed, buggy or malicious agents
• Reasoning about agent behaviour
• Compact representation, possibly declarative
• Etc.

Page 14: Policy Representation & Reasoning

Policy Representation & Reasoning: Requirements / Challenges

• Many policies, one framework
• Conflict Resolution
• Integration with external sources
• Policies as active objects
• Executing actions
• Negotiations
• User awareness and control
• Cooperative enforcement

Page 15: Policy Representation & Reasoning

Policy Representation & Reasoning: Many policies, one framework (I)

The term policy covers:
• Security/Privacy policies, Trust management
• Business rules
• Quality of Service directives
• Service-level agreements
• Communication and conversation policies
• and more...

In many cases they are interleaved
• If customers are younger than 26, give a 20% discount on international tickets
• Up to 15% of network bandwidth can be reserved if payment is done with an accepted credit card
• Customers can rent a car if they are 18 or older, and exhibit a driving license and a valid credit card

Page 16: Policy Representation & Reasoning

Policy Representation & Reasoning: Many policies, one framework (II)

It is appealing to integrate all policies in one framework
• One common infrastructure for interoperability and decision making
• Where policies can be harmonized & coordinated

Page 17: Policy Representation & Reasoning

Policy Representation & Reasoning: Conflict Resolution (I)

(Figure: Ivan and Alice)

• Positive authorization: "You can access file123.txt"
• Negative authorization: "You can not access file123.txt"
• Obligation: "You must inform your boss"
• Dispensation: "You don't need to inform your boss"

Page 18: Policy Representation & Reasoning

Policy Representation & Reasoning: Conflict Resolution (II)

• Security typically assumes "everything is denied by default"
  - no need for disallow policies
  - The cost of disclosing a sensitive resource is higher than not disclosing a public one
• But, if there exists the need, then it is required to provide techniques for
  - Conflict detection
  - Conflict harmonization

Page 19: Policy Representation & Reasoning

Policy Representation & Reasoning: Integration with external systems

• Policies are not islands
• Decisions need data, information, and knowledge
• Each organization has its own
  - Already available through legacy software and data
  - A realistic solution must interoperate with them
• Third parties
  - Credit card sites for validity checking
  - External databases
  - Variety of web resources

Page 20: Policy Representation & Reasoning

Policy Representation & Reasoning: Negotiations (I)

(Figure labels: Alice, Bob, Service)

Step 1: Alice requests a service from Bob
Step 2: Bob discloses his policy protecting the service
Step 3: Alice discloses her policy protecting the VISA
Step 4: Bob discloses his BBB credential
Step 5: Alice discloses her VISA card credential
Step 6: Bob grants access to the service
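The six-step exchange between Alice and Bob can be replayed with a small simulation. This is an added example, not code from the talk or from any policy framework; the `Peer` data model, the `negotiate` function and the message wording are assumptions, and the second scenario (a cyclic credential dependency) goes beyond the slide to show how a negotiation fails.

```python
# Added illustration of the six-step exchange; names and data model are assumptions.
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    # resource -> credentials the OTHER party must disclose first
    # (an empty set means the resource may be disclosed to anyone)
    policies: dict
    received: set = field(default_factory=set)
    sent_policies: set = field(default_factory=set)
    sent_resources: set = field(default_factory=set)

    def unlocked(self, resource):
        # Deny by default: a resource without a policy is never released.
        return resource in self.policies and self.policies[resource] <= self.received


def negotiate(requester, provider, target):
    """Return (granted, log). Each side only releases what its policy unlocks."""
    log = [f"{requester.name} requests {target} from {provider.name}"]
    asked = {provider.name: {target}, requester.name: set()}
    while True:
        progress = False
        for owner, other in ((provider, requester), (requester, provider)):
            for res in sorted(asked[owner.name]):
                if res in owner.sent_resources:
                    continue
                if owner.unlocked(res):
                    owner.sent_resources.add(res)
                    progress = True
                    if res == target:
                        log.append(f"{owner.name} grants access to {target}")
                        return True, log
                    other.received.add(res)
                    log.append(f"{owner.name} discloses credential {res}")
                elif res in owner.policies and res not in owner.sent_policies:
                    # Not yet satisfiable: tell the other side what is required.
                    owner.sent_policies.add(res)
                    asked[other.name] |= owner.policies[res]
                    log.append(f"{owner.name} discloses policy protecting {res}")
                    progress = True
        if not progress:
            log.append("negotiation fails: no further safe disclosure")
            return False, log


def slide_scenario():
    # Policies as on the slide: the service needs a VISA card, the VISA card
    # is only shown to holders of a BBB credential, BBB is public.
    alice = Peer("Alice", {"VISA": {"BBB"}})
    bob = Peer("Bob", {"service": {"VISA"}, "BBB": set()})
    return negotiate(alice, bob, "service")


def deadlock_scenario():
    # Constructed variant: Bob protects BBB with the VISA card, so each side
    # waits for the other and nothing sensitive is ever disclosed.
    alice = Peer("Alice", {"VISA": {"BBB"}})
    bob = Peer("Bob", {"service": {"VISA"}, "BBB": {"VISA"}})
    return negotiate(alice, bob, "service")


if __name__ == "__main__":
    for scenario in (slide_scenario, deadlock_scenario):
        granted, log = scenario()
        print(scenario.__name__, "->", "granted" if granted else "denied")
        for step, line in enumerate(log, 1):
            print(f"  Step {step}: {line}")
```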

Page 21: Policy Representation & Reasoning

Policy Representation & Reasoning: Negotiations (II)

Used for
• Access control
• Service-level agreements
• Dynamic contracts
  - E.g., in web service composition
• Autonomic computing
• Pervasive environments
  - E.g., sensor networks
• Etc.

Page 22: Policy Representation & Reasoning

Policy Representation & Reasoning: User awareness and control

• Explain policies and system decisions
  - Make rules & reasoning intelligible to the common user
• Encourage people to personalize their policies
  - Make it easy for users to write their own rules

Page 23: Policy Representation & Reasoning

Policy Representation & Reasoning: Cooperative Policy Enforcement

• Crucial for the success of a service
• Never say (only) "no"!
• Encourage first-time users
  - Who don't know how to use your service
• Explain policy decisions
  - Especially failures
  - Advanced queries: Why not
  - Advanced queries: How-to, What-if

"You can't open this door, but you can ask Alice for permission"

Page 24: Policy Representation & Reasoning

Policy Representation & Reasoning: Main State of the Art Approaches

• Ponder: OO language, well established, focus on network management
• XACML: Standard by OASIS, it is being taken up by companies
• KAOS: Based on DL reasoning
• REI: Combination of DL representation and LP semantics
• PeerTrust: Based on guarded distributed logic programs
• And many others

Page 25: Policy Representation & Reasoning

Protune policy framework: (not too) technical details

Juri Luca De Coi

Page 26: Policy Representation & Reasoning

Protune Policy Framework: Outline

• Getting started
• Protune Features
• Usability issues

Page 27: Policy Representation & Reasoning

Getting started

Page 28: Policy Representation & Reasoning

Protune Policy Framework: Overview

(Figure labels: Alice, Bob, Request, Policy, Intelligent policy engine, Decision)

Page 29: Policy Representation & Reasoning

Protune Policy Framework: Just to get the flavor...

disclose('/EWSCpaper2008.pdf') ← sendL3SEmployeeId.
    EWSCpaper2008.pdf can be disclosed to the other peer if it has sent an L3S employee id.

disclose(X) ← status(X, published).
    A resource can be disclosed if its status is "published".

status('/EWSCpaper2007.pdf', published).
status('/EWSCpaper2008.pdf', notPublished).

IF conditions are fulfilled THEN allow action

Page 30: Policy Representation & Reasoning

Protune Features

Page 31: Policy Representation & Reasoning

Protune Policy Framework: Standard example

disclose(X) ← status(X, notPublished), sendL3SEmployeeId.
status('/EWSCpaper2007.pdf', published).
status('/EWSCpaper2008.pdf', notPublished).

Actions may be needed in order to make decisions

Page 32: Policy Representation & Reasoning

Protune Policy Framework: Metapolicy "type"

disclose(X) ← status(X, notPublished), sendL3SEmployeeId.
status('/EWSCpaper2007.pdf', published).
status('/EWSCpaper2008.pdf', notPublished).
sendL3SEmployeeId->type:action.
status(X, Y)->type:logical.

Callouts: sendL3SEmployeeId is an action; status(X, Y) is a usual predicate.

Page 33: Policy Representation & Reasoning

Protune Policy Framework: Metapolicy "actor"

disclose(X) ← status(X, notPublished), sendL3SEmployeeId.
status('/EWSCpaper2007.pdf', published).
status('/EWSCpaper2008.pdf', notPublished).
sendL3SEmployeeId->type:action.
sendL3SEmployeeId->actor:peer.
status(X, Y)->type:logical.

Who executes the action? The requester? The local system? A third party?
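To show how the "type" and "actor" metapolicies change evaluation, here is an added toy backward-chaining evaluator over the policy from this slide. It is not the Protune engine or its API: the tuple encoding of rules, the function names and the three outcome labels ("grant", "counter-request", "deny") are assumptions made for the illustration.

```python
# Added illustration: a toy backward-chaining evaluator, not the Protune engine.
# Terms are tuples; strings starting with an upper-case letter are variables.
import itertools

RULES = [  # (head, body) pairs transcribed from the slide's policy
    (("disclose", "X"), [("status", "X", "notPublished"), ("sendL3SEmployeeId",)]),
    (("status", "/EWSCpaper2007.pdf", "published"), []),
    (("status", "/EWSCpaper2008.pdf", "notPublished"), []),
]
META = {  # metapolicies: predicate name -> attributes
    "sendL3SEmployeeId": {"type": "action", "actor": "peer"},
    "status": {"type": "logical"},
}
_fresh = itertools.count()


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def walk(t, s):
    while is_var(t) and t in s:
        t = s[t]
    return t


def unify(a, b, s):
    """Return an extended substitution, or None if a and b do not match."""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a):
        return {**s, a: b}
    if is_var(b):
        return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None


def rename(t, n):
    # Give each rule application its own copy of the rule's variables.
    if is_var(t):
        return f"{t}_{n}"
    if isinstance(t, tuple):
        return tuple(rename(x, n) for x in t)
    return t


def solve(goals, s, performed, needed=()):
    """Yield (substitution, peer actions still missing) for every derivation."""
    if not goals:
        yield s, needed
        return
    goal, rest = goals[0], goals[1:]
    meta = META.get(goal[0], {})
    if meta.get("type") == "action" and meta.get("actor") == "peer":
        # Only the requester can make this true; record it if not yet done.
        missing = needed if goal[0] in performed else needed + (goal[0],)
        yield from solve(rest, s, performed, missing)
        return
    for head, body in RULES:  # logical predicates: resolve against the policy
        n = next(_fresh)
        s2 = unify(goal, rename(head, n), s)
        if s2 is not None:
            yield from solve([rename(b, n) for b in body] + rest, s2, performed, needed)


def decide(resource, performed=frozenset()):
    outcomes = list(solve([("disclose", resource)], {}, performed))
    if any(not needed for _, needed in outcomes):
        return ("grant", ())
    if outcomes:  # derivable once the peer executes the listed actions
        return ("counter-request", min((n for _, n in outcomes), key=len))
    return ("deny", ())  # no rule applies: denied by default


if __name__ == "__main__":
    print(decide("/EWSCpaper2008.pdf"))
    print(decide("/EWSCpaper2008.pdf", {"sendL3SEmployeeId"}))
    print(decide("/EWSCpaper2007.pdf", {"sendL3SEmployeeId"}))
```

Under this policy the published 2007 paper is denied even to a peer that sent its employee id, because the only `disclose` rule requires `notPublished`.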

Page 34: Policy Representation & Reasoning

Protune Policy Framework: Available actions

• Access to relational databases
• Access to RDF repositories
• Credential exchange
• Searching of regular expressions within a file
• Interface to an LDAP server
• Time and location management

Page 35: Policy Representation & Reasoning

Protune Policy Framework: Explanations

Page 36: Policy Representation & Reasoning

Usability issues

Page 37: Policy Representation & Reasoning

Protune Policy Framework: Usability issues

download(User, Resource) ← authenticated(User), have(User, Subscription), availableFor(Subscription, Resource).

authenticated('Bob').
have('Bob', lncsSubscription).
availableFor(lncsSubscription, 'ESWCpaper2007.pdf').
authenticated(User)->type:logical.
availableFor(Subscription, Resource)->type:logical.
have(User, Subscription)->type:logical.

Every user who is authenticated and who has a subscription that is available for a resource can download the resource.

Page 38: Policy Representation & Reasoning

Protune Policy Framework: Using natural language: Problem

How to deal with ambiguities?

Page 39: Policy Representation & Reasoning

Protune Policy Framework: Using natural language: Ambiguities (I)

Bob looks at the girl on the hill with a telescope

Page 40: Policy Representation & Reasoning

Protune Policy Framework: Using natural language: Ambiguities (II)

2 girls lift 2 tables

Page 41: Policy Representation & Reasoning

Protune Policy Framework: Solution: Use a controlled natural language

What does "controlled" mean?
• Rules are used in order to automatically disambiguate ambiguous sentences
  - Bob looks at the girl on the hill with a telescope
• Only a subset of valid English sentences are valid sentences

Example disambiguation rule: Prepositional phrases refer to the predicate of the sentence

Page 42: Policy Representation & Reasoning

Protune Policy Framework: Disambiguation: using ACE (I)

Bob looks at the girl on the hill with a telescope

• Bob looks with a telescope at the girl who is on the hill.
• Bob looks at the girl on the hill with a telescope.
• Bob looks at the girl who is on the hill with a telescope.

Page 43: Policy Representation & Reasoning

Protune Policy Framework: Disambiguation: using ACE (II)

2 girls lift 2 tables

• 2 girls lift 2 tables.
• Each of 2 girls lifts one table.
• Each of 2 girls lifts 2 tables.

Page 44: Policy Representation & Reasoning

Protune Policy Framework: The ACE → Protune translation (I)

Every user who is authenticated and who has a subscription that is available for a resource can download the resource.

drs([], [
  drs([A, B, C, D, E, F, G, H], [
    object(A, user, countable, na, eq, 1)-1,
    property(B, authenticated, pos)-1,
    predicate(C, be, A, B)-1,
    object(D, subscription, countable, na, eq, 1)-1,
    object(E, resource, countable, na, eq, 1)-1,
    property(F, available, pos)-1,
    predicate(G, be, D, F)-1,
    modifier_pp(G, for, E)-1,
    predicate(H, have, A, D)-1
  ])
  =>
  drs([], [
    <> drs([I], [
      predicate(I, download, A, E)-1
    ])
  ])
]).

download(User, Resource) ← authenticated(User), 'available#for'(Subscription, Resource), have(User, Subscription).

Page 45: Policy Representation & Reasoning

Protune Policy Framework: The ACE → Protune translation (II)

Every user who provides a declaration whose username is the user's name and whose password is the user's password is authenticated.

authenticated(User) ← User.name:Username, User.password:Password, provide(User, Declaration), Declaration.password:Password, Declaration.username:Username.

Page 46: Policy Representation & Reasoning

Protune Policy Framework: The ACE → Protune translation (III)

Every user who sends a credential
• that is valid and
• whose type is "creditCard" and
• whose owner is authenticated and
• on which a price is charged
pays the price with "creditCard".

'pay#with'(User, Price, creditCard) ← valid(Credential), Credential.type:creditCard, authenticated(Owner), 'charged#on'(Price, Credential), send(User, Credential), Credential.owner:Owner.

Page 47: Policy Representation & Reasoning

Policy Based Protection and Personalized Generation of Web Content

Sergej Zerr

Page 48: Policy Representation & Reasoning

Protune in Action: Policies on the Web: Trust within an Open Environment

(Figure labels: Bookstore, Web server, LMS)

Page 49: Policy Representation & Reasoning

Protune in Action: Policies on the Web: Using Trust Negotiation

Servlet Container (e.g. Tomcat)

PolicyFilter.Jar

<poljsp:policycondition policyname="exchangedCredential(member)">
  <poljsp:iftrue>Success!!</poljsp:iftrue>
</poljsp:policycondition>

Applet

var protectedResources = new Array('http://test.de/test.jsp');

Web Package

Page 50: Policy Representation & Reasoning

1. Reactive Policies
2. More policy research topics

Philipp Kärger

Page 51: Policy Representation & Reasoning

Reactive Policies: While doing valuable research …

• "Notify me if one of my contacts has birthday and goes online."
• "If someone phones me while I am on a call, deny the call and open a chat instead."
• "Show my date of birth only to family members."
• "Automatically accept "share contact dates" for L3S members and for the contacts of my family."
• "Always accept files sent by L3S members but only if it's not an exe file."
• "My students can call me only on Wednesday morning. After the semester, deny their calls."
• "L3S members can only call me during business hours."

Page 52: Policy Representation & Reasoning

Reactive Policies: Current Policies

they define under which conditions things are true, e.g.,
• who exactly gets access
• why we grant access
• what is needed to get access

Page 53: Policy Representation & Reasoning

Reactive Policies: What is a reactive policy?

But what is missing in current policy frameworks?
• When is the policy evaluated?
  - Triggering Events
• What exactly happens if a policy is evaluated to true or false?
  - Actions (as reactions to events)

"If someone phones me while I am on a call, deny the call and open a chat instead."

IF EVENT "call comes in" HAPPENS
AND "I am on another call" HOLDS
PERFORM ACTION "deny call and open chat"

Reactivity!

Page 54: Policy Representation & Reasoning

Reactive Policies: Reactivity

• Reactivity in Databases:
  - "Active Database Systems", Book, 1995
  - many more
• Reactivity on the web:
  - "An Event Condition Action Language for XML", WWW2002
  - EDBT 2006 Workshop "Reactivity on the Web"
  - REWERSE Work Package "Evolution and Reactivity"
  - some more

Page 55: Policy Representation & Reasoning

Reactive Policies: Approach

Claim: We need policies that allow for reactivity.

Solution: Reactive Policies, also called Event Condition Action Policies

Page 56: Policy Representation & Reasoning

Reactive Policies: Event Condition Action Policies

- always three components:
  - Event: when is the rule evaluated
  - Condition: what has to be satisfied
  - Action: what is the reaction to the event

"If someone phones me while I am on a call, deny the call and open a chat instead."

ON a call comes in
IF I am on another call
DO deny call and open chat

Page 57: Policy Representation & Reasoning

Reactive Policies: Solution

How do we get all this to work?

r³ and Protune: Combining a Reactive Framework and a Policy Framework

Page 58: Policy Representation & Reasoning

Reactive Policies: r³ – Resourceful Reactive Rules

(developed at the AI Center, Universidade Nova de Lisboa (Portugal))

(Semantic) Web Rule Engine for Reactive Rules
evaluates rules of the form:

<rule>
  <event>myEventLanguage:SkypeCallComesIn(User)</event>
  <condition>myConditionLanguage:isNotTrusted(User)</condition>
  <action>myActionLanguage:denyCall(User)</action>
</rule>

plugging in arbitrary languages makes it really flexible

Page 59: Policy Representation & Reasoning

Reactive Policies: Combining r³ and Protune

<rule>
  <event>myEventLanguage:SkypeCallComesIn(User)</event>
  <condition>PROTUNE:isNotTrusted(User)</condition>
  <action>PROTUNE:denyCall(User)</action>
</rule>

Callouts:
• event: any event language (e.g., XChange, Prova)
• condition: Protune goals
• action: Protune external actions
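The rule above can be exercised with a small Event Condition Action dispatcher. This is an added sketch, not r³ or Protune code: the handler tables, the `react` function, the event tuple format and the trusted-user set are assumptions; only the rule XML is taken from the slide.

```python
# Added illustration: a toy ECA dispatcher for the rule shown on the slide.
# It is not r3 or Protune; handler names and the event format are assumptions.
import re
import xml.etree.ElementTree as ET

RULE_XML = """<rule>
  <event>myEventLanguage:SkypeCallComesIn(User)</event>
  <condition>PROTUNE:isNotTrusted(User)</condition>
  <action>PROTUNE:denyCall(User)</action>
</rule>"""

# language:name(Variable)
COMPONENT = re.compile(r"^(\w+):(\w+)\((\w*)\)$")


def parse_rule(xml_text):
    """Split each rule component into language prefix, name and variable."""
    root = ET.fromstring(xml_text)
    rule = {}
    for part in ("event", "condition", "action"):
        node = root.find(part)
        text = (node.text or "").strip() if node is not None else ""
        match = COMPONENT.match(text)
        if match is None:
            raise ValueError(f"rule needs a well-formed <{part}>")
        rule[part] = dict(zip(("lang", "name", "var"), match.groups()))
    return rule


TRUSTED = {"alice"}  # constructed sample data standing in for a policy decision

# One table per pluggable language component, keyed by (language, name).
CONDITIONS = {("PROTUNE", "isNotTrusted"): lambda user: user not in TRUSTED}
ACTIONS = {("PROTUNE", "denyCall"): lambda user: f"denyCall({user})"}


def react(rule, event):
    """event is (language, name, value); returns the action result or None."""
    lang, name, value = event
    ev, cond, act = rule["event"], rule["condition"], rule["action"]
    if (lang, name) != (ev["lang"], ev["name"]):
        return None  # ON: this rule is not triggered by the event
    # The variable bound by the event is shared with condition and action.
    bindings = {ev["var"]: value}
    # An unknown handler or an unbound variable raises KeyError instead of
    # silently skipping the policy check.
    holds = CONDITIONS[(cond["lang"], cond["name"])](bindings[cond["var"]])
    if not holds:
        return None  # IF: condition does not hold, no reaction
    return ACTIONS[(act["lang"], act["name"])](bindings[act["var"]])  # DO


if __name__ == "__main__":
    rule = parse_rule(RULE_XML)
    for caller in ("mallory", "alice"):
        event = ("myEventLanguage", "SkypeCallComesIn", caller)
        print(caller, "->", react(rule, event))
```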

Page 60: Policy Representation & Reasoning

Reactive Policies: Benefits

Protune
• allows for negotiations, information exchange
• provides explanations
• allows for (external) actions

r³
• allows for arbitrary event languages
• evaluates Event Condition Action rules
• handles the binding across events, conditions, actions

making policies reactive

enhance reactivity with policies

Page 61: Policy Representation & Reasoning

Reactive Policies: Summary

• Reactive Policies – policy-enabled Reactivity
• policies need some kind of reactivity
  - no current policy framework allows for reactivity
  - no current reactive rule framework allows for policies
• ECA policies
  - provide access control
  - provide semantics for events and actions
• combining r³ and Protune merges both worlds
  - advanced access control with policies
  - engine for reactive rules extends

Page 62: Policy Representation & Reasoning

More research ideas …

•Daniel, Juri, Philipp, Sergej, and some more

Page 63: Policy Representation & Reasoning

More research ideas: Outline

1. Changing policies while negotiating.

2. Using preferences to guide decisions in negotiations.

3. Access control to RDF repositories.

4. Access control for desktop sharing.

Page 64: Policy Representation & Reasoning

More research ideas: 1. Changing policies while negotiating

Problem: What if I change my policies while my agent is negotiating?

"I want to call you via Skype."

"Ok, you have to prove that you work for L3S."

Policy: Only university members can call me.

… New Policy: Only L3S members can call me.

Page 65: Policy Representation & Reasoning

More research ideas: 2. Preferences guiding negotiations

Problem: What if there are two possibilities to succeed in a negotiation?

"I prefer to disclose my Student ID instead of disclosing my passport."

Philipp Kärger, Daniel Olmedilla, Wolf-Tilo Balke. "Using Preferences for Credential Disclosure in Policy-Driven Trust Negotiations." Just submitted.

Page 66: Policy Representation & Reasoning

More research ideas: 3. Access control to RDF repositories

• RDF data is accessible only under certain conditions.
• Problem: how to enforce this for querying?

Policies: conditions that have to be fulfilled to access information.

Return all triples
FROM the ones I am interested in
WHERE my conditions are true.

expansion

Return all triples
FROM the ones I am interested in
WHERE my conditions are true
AND the policy's conditions are true.

RDF store (sensitive data)

Fabian Abel, Juri Luca De Coi, Nicola Henze, Arne W. Koesling, Daniel Krause, Daniel Olmedilla. "Enabling Advanced and Context-Dependent Access Control in RDF Stores." ISWC 2007

Page 67: Policy Representation & Reasoning

More research ideas: 4. Access control for desktop sharing (I)

Metadata:
author: …
title: …
date: …
inverted index:

"Is there a document containing 'FBI' in the title?"

"I want access to your private document."

Juri L. De Coi, Ekaterini Ioannou, Arne Koesling, and Daniel Olmedilla. "Access control for sharing semantic data across desktops." Workshop on Privacy Enforcement and Accountability with Semantics (PEAS), 2007.

Page 68: Policy Representation & Reasoning

More research ideas: 4. Access control for desktop sharing (II)

Pre-evaluate for each file, each metadata, and each user.

Policies: Who is allowed to see what metadata of what file under which conditions.

Page 69: Policy Representation & Reasoning

End of the Seminar: Let us give you a policy

ON seminar just finished
IF you liked it
   OR you had fun
   OR you learned something
   OR you liked the ice cream
DO big applause

Page 70: Policy Representation & Reasoning

Questions?

[email protected] – http://www.L3S.de/web/
[email protected] – http://www.L3S.de/web/KAERGER
[email protected] – http://www.olmedilla.info/
[email protected] – http://www.L3S.de/web/ZERR

Thanks!

Page 71: Policy Representation & Reasoning

References

• Antoniou et al., Rule-based policy specification. Secure Data Management in Decentralized Systems. Springer, 2007. http://www.l3s.de/~olmedilla/pub/2007/2007_bookDDMS_rule_policies.pdf

• Bonatti, Olmedilla. Rule-based policy representation and reasoning for the semantic web. In Reasoning Web, Third International Summer School 2007. Springer. http://www.l3s.de/~olmedilla/pub/2007/2007_ReasoningWeb-policies.pdf

• Antoniou et al. (Eds.): Reasoning Web 2007. Springer LNCS 4636, pp. 1–153

• Bradshaw et al., Making Agents Acceptable to people, Intelligent technologies for information analysis: Advances in agents, data mining and statistical learning. Springer. http://www.ihmc.us/research/projects/KAoS/biit-jeff.pdf

Page 72: Policy Representation & Reasoning

Hidden slides