context-aware access control and presentation of linked data

CONTEXT-AWARE ACCESS CONTROL AND PRESENTATION OF LINKED DATA Luca COSTABELLO 29 November 2013 PhD Thesis Defence

Upload: luca-costabello

Post on 01-Dec-2014


DESCRIPTION

My PhD Thesis defence slideshow. The work discusses the influence of mobile context in accessing Linked Data from handheld devices. The work dissects this issue into two research questions: how to enable context-aware adaptation for Linked Data consumption, and how to protect access to RDF stores from context-aware devices.

TRANSCRIPT

Page 1: Context-Aware Access Control and Presentation of Linked Data

CONTEXT-AWARE ACCESS CONTROL AND PRESENTATION OF LINKED DATA

Luca COSTABELLO 29 November 2013

PhD Thesis Defence

Page 2: Context-Aware Access Control and Presentation of Linked Data


Mobile Guide Museum triplestore

“Paintings metadata accessible only to on-site visitors.”

“Is it optimized for my tablet?”

“Does it provide practical information when I am on my way?”

“Does it have a visually-impaired mode?”

“Museum Data accessible this week only”

“Metadata can be edited by employers only”

Page 3: Context-Aware Access Control and Presentation of Linked Data

How Does Mobile Context Influence Linked Data Access?

Mobile Context Model

Context-Aware Linked Data Presentation

Context-Aware Linked Data Access Control

Page 4: Context-Aware Access Control and Presentation of Linked Data

Outline

1. Mobile Context Model
2. Presentation Model
3. Error-Tolerant Subgraph Matching for Context Graphs
4. Access Control Model
5. Enforcing Access Control with Web Standards


Page 6: Context-Aware Access Control and Presentation of Linked Data

Mobile Context Model • PRISSMA Ontology


Page 7: Context-Aware Access Control and Presentation of Linked Data

Context Ontologies

Ontologies compared: SOUPA, CoOL, CONON, CoDaMoS, Korpipää, Hervás, DCO, PRISSMA

Domain independence ✓ ✓ ✓ ✓ ✓ ✓ ✓
Coverage ✓ ✓ ✓ ✓
Variable Context Granularity ✓
Extensibility ✓ ✓ ✓
Core ontology approach ✓ ✓ ✓ ✓ ✓
Lightweight Ontology
Reuse of Existing Terms
Availability on the Web ✓

PRISSMA: ✓ ✓ ✓ ✓ ✓ ✓ ✓

Page 8: Context-Aware Access Control and Presentation of Linked Data

The PRISSMA vocabulary


http://ns.inria.fr/prissma

Page 9: Context-Aware Access Control and Presentation of Linked Data

Example: at the museum

    :atTheMuseum a prissma:Context ;
        prissma:environment :museumEnv .

    :museumEnv a prissma:Environment ;
        prissma:poi :museumGeo .

    :museumGeo geo:lat "48.86034" ;
        geo:long "2.337599" ;
        prissma:radius "200" .

[Figure: the same triples drawn as a graph, from :atTheMuseum through :museumEnv to :museumGeo.]


Page 11: Context-Aware Access Control and Presentation of Linked Data

Presentation Model • Extending Fresnel with PRISSMA


Page 12: Context-Aware Access Control and Presentation of Linked Data

Adaptive Presentation Frameworks for the Web

Frameworks compared: NAC, Laakko, Chen, Zhang, Chamaleon, Butter, Paternò, MIMOSA, CAMB, Adipat, COIN, CSS Media Queries, PRISSMA

Linked Data support ✓
Context-awareness ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Standard Languages ✓ ✓ ✓ ✓ ✓ ✓ ✓
Runtime adaptation ✓ ✓ ✓ ✓
Multimodality ✓
Client-side only ✓ ✓ ✓ ✓ ✓
Evaluation ✓ ✓ ✓ ✓ ✓

Page 13: Context-Aware Access Control and Presentation of Linked Data

Presentation Frameworks for the Semantic Web

Frameworks compared: Haystack, Noadster, Surrogates, Xenon, Tal4Rdf, LESS, Hide the Stack, LDVM, Fresnel, PRISSMA

Haystack, Noadster, Surrogates:
Declarative approach ✓ ✓
Domain Independence ✓ ✓ ✓
Standard Languages ✓ ✓
Context Awareness
Automatic stylesheets
Evaluation
Distribution
Multimodality ✓

Xenon, Tal4Rdf, LESS, Hide the Stack, LDVM: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Fresnel: ✓ ✓ ✓
PRISSMA: ✓ ✓ ✓ ✓

Page 14: Context-Aware Access Control and Presentation of Linked Data

Fresnel [Pietriga et al. 2006]

Retrieved from [Pietriga et al. 2006]

• Content formatting and additional content
• Content selection and ordering
• Styling instructions for fonts, colors, and borders

Page 15: Context-Aware Access Control and Presentation of Linked Data

Fresnel Example

    :paintingGroup a fresnel:Group ;
        fresnel:stylesheetLink <http://example.org/style.css> .

    # Lens
    :paintingLens a fresnel:Lens ;
        fresnel:group :paintingGroup ;
        fresnel:classLensDomain art:Painting ;
        fresnel:showProperties (dc:title dc:creator) .

    # Format
    :titleFormat a fresnel:Format ;
        fresnel:group :paintingGroup ;
        fresnel:propertyFormatDomain dc:title ;
        fresnel:valueStyle "title"^^fresnel:styleClass .

Page 16: Context-Aware Access Control and Presentation of Linked Data

Extending Fresnel with PRISSMA

[Diagram labels: Context, Context Description, PRISSMA Context, PRISSMA Prism, Prism]

Page 17: Context-Aware Access Control and Presentation of Linked Data

Extending Fresnel with PRISSMA [ISWC DC, 2011]

[Diagram labels: Context owl:equivalentClass fresnel:Purpose; Prism owl:equivalentClass fresnel:Group; fresnel:purpose; fresnel:Lens and fresnel:Format, each with fresnel:group]

Page 18: Context-Aware Access Control and Presentation of Linked Data

Prism, Example

    # Prism
    :PaintingPrism a prissma:Prism, fresnel:Group ;
        fresnel:stylesheetLink <http://example.org/style.css> ;
        fresnel:purpose :atTheMuseum .

    # Lens
    :foaflens a fresnel:Lens ;
        fresnel:group :foafPrism ;
        fresnel:classLensDomain art:Painting ;
        fresnel:showProperties (foaf:name dcn:author) .

    # Format
    :depictionFormat a fresnel:Format ;
        fresnel:group :foafPrism ;
        fresnel:propertyFormatDomain foaf:name ;
        fresnel:valueStyle "depiction"^^fresnel:styleClass .

    # Context
    :atTheMuseum a prissma:Context ;
        prissma:environment :museumEnv .

    :museumEnv a prissma:Environment ;
        prissma:poi :museumGeo .

    :museumGeo geo:lat "48.86034" ;
        geo:long "2.337599" ;
        prissma:radius "200" .

Page 19: Context-Aware Access Control and Presentation of Linked Data

Examples: PRISSMA Browser for Android

[Screenshots: Smartphone, user walking in museum town. Tablet, user at home.]


Page 21: Context-Aware Access Control and Presentation of Linked Data

Error-Tolerant RDF Matching • Prism Selection Algorithm


Page 22: Context-Aware Access Control and Presentation of Linked Data

Presentation Metadata Selection

[Diagram: :actualContext and three Prisms with contexts :smartphoneMoving, :tabletAtHome and :maleVisitorAtTheMuseum]

Page 23: Context-Aware Access Control and Presentation of Linked Data

The Problem of Context Imprecision

• Sensor Noise: :poi with geo:lat 48.843453, geo:long 2.32434, prissma:radius 10, against :poi with geo:lat 48.86034, geo:long 2.337599, prissma:radius 5
• Ambiguity: :user1 foaf:interest "computers", against :user1 foaf:interest "computer science"
• Incompleteness: two graphs for :user1 with prissma:nearbyEntity values :Karl and :Anita, one of them also listing :John

Page 24: Context-Aware Access Control and Presentation of Linked Data

Error-tolerant matching for RDF Graphs

Approaches compared: iSPARQL, Silk, Zou, Messmer and Bunke, PRISSMA

RDF-specific ✓ ✓ ✓
Data Heterogeneity
Client-side Execution
Incremental index updates ✓
Selective matching cache

PRISSMA: ✓ ✓ ✓ ✓

Page 25: Context-Aware Access Control and Presentation of Linked Data

Adapting Messmer to RDF and Mobile Context

Optimal error-tolerant subgraph isomorphism algorithm based on graph edit distance.

Extensions:

• Atomic element might be a graph: Context Units
• Core Classes
    • Entities
    • Literals
    • Geo
    • Time
• Customized Cost Functions
    • Strings (Monge-Elkan)
    • Geographic (Haversine distance + Decay)
    • Temporal (Interval Inclusion + Decay)
    • Missing nodes

[Figure: sample context unit, :poi with geo:lat 48.843453, geo:long 2.32434, prissma:radius 10]

Page 26: Context-Aware Access Control and Presentation of Linked Data

Prism Selection: Decomposition

[Figure: the :atTheMuseum graph (:atTheMuseum prissma:environment :museumEnv; :museumEnv prissma:poi :museumGeo; :museumGeo geo:lat 48.86034, geo:long 2.337599, prissma:radius 200) decomposed into Context Units: 0 prissma:Context; 1 :museumGeo with geo:lat 48.86034, geo:lon 2.337599, prissma:radius 200; 2 prissma:Environment; {3,1,2,{prissma:poi}}; {4,0,3,{prissma:environment}} for :atTheMuseum]

Page 27: Context-Aware Access Control and Presentation of Linked Data

Prism Selection: Search Algorithm

    foreach context unit S in D do
        compute_subgraph_isomorphisms(S, GI)

    while C(f_cheapest) < T {
        if S1 is Prism then
            R.add(S1)

        foreach child of S1 do
            f_child = combine(f_S1, f_S2)
    }
    return R

1. Compute context units isomorphisms costs

[Figure: the decomposed :atTheMuseum context units matched against the actual context (:ActualCtx, :actualEnv, :actualPOI with geo:lat 48.843453, geo:long 2.32434, prissma:radius 10); context unit costs C=0, C=0.34, C=0]

Page 28: Context-Aware Access Control and Presentation of Linked Data

Prism Selection: Search Algorithm

2. Combine costs

[Figure: same decomposition and actual context as on the previous slide; context unit costs C=0, C=0.34, C=0; combined costs C=0.17 and C=0.09; threshold T=0.6]

Page 29: Context-Aware Access Control and Presentation of Linked Data

Evaluation: Memory Consumption

[Plot: Decomposition Items against Percentage of common context units (0.1 to 0.9); series: Total decomposition Items, Context Units (decomposition), Context Units (raw prisms)]

[Plot: Memory [KB] against Percentage of common context units (0.1 to 0.9); series: PRISSMA decomposition, Jena Models]

Page 30: Context-Aware Access Control and Presentation of Linked Data

Evaluation: Response Time

[Plots: response time if prisms are completely different; response time if prisms are highly similar]


Page 32: Context-Aware Access Control and Presentation of Linked Data

Access Control Model


Page 33: Context-Aware Access Control and Presentation of Linked Data

Access Control Frameworks

Frameworks compared: WAC, Proteus, Abel, Finin, Flouris, PPO, ubiCosm, Shi3ld

HTTP Operations ✓ ✓ ✓ ✓ ✓
SPARQL ✓ ✓
Attribute-Based AC Model ✓ ✓ ✓
Policies in RDF/SPARQL ✓ ✓ ✓ ✓ ✓
Resource-level Granularity ✓ ✓ ✓ ✓
Context Awareness ✓ ✓ ✓ ✓
Conflict Verification ✓ ✓ ✓
Evaluation ✓ ✓ ✓ ✓ ✓

Page 34: Context-Aware Access Control and Presentation of Linked Data

Context-Aware Access Control Model [ECAI 2012]

[Diagram, s4ac: [Villata 2011]: AccessPolicy with appliesTo, hasAccessPrivilege (AccessPrivilege) and hasAccessConditionSet (AccessConditionSet); ConjunctiveACS and DisjunctiveACS, each subClassOf AccessConditionSet; hasAccessCondition (AccessCondition); hasQueryAsk; hasContext (Context); Context with user (User), device (Device) and environment (Environment)]

Page 35: Context-Aware Access Control and Presentation of Linked Data

Sample Access Policy

    :policy1 a s4ac:AccessPolicy ;
        s4ac:appliesTo :resource ;
        s4ac:hasAccessPrivilege s4ac:Read ;
        s4ac:hasAccessConditionSet :acs1 .

    :acs1 a s4ac:AccessConditionSet ;
        s4ac:hasAccessCondition :ac1 .

    :ac1 a s4ac:AccessCondition ;
        s4ac:hasQueryAsk
        """ASK
        {?ctx a prissma:Context ;
              prissma:environment ?env ;
              prissma:user <http://example.org/john.rdf#me> .
         ?env prissma:currentPOI ?poi .
         ?poi prissma:based_near ?p .
         ?p geo:lat ?lat ; geo:lon ?lon .
         FILTER(((?lat-45.8483) > 0 && (?lat-45.8483) < 0.5
              || (?lat-45.8483) < 0 && (?lat-45.8483) > -0.5)
              && ((?lon-7.3263) > 0 && (?lon-7.3263) < 0.5
              || (?lon-7.3263) < 0 && (?lon-7.3263) > -0.5 ))}""" .

Callouts:

• Protected resource (:resource)
• Access Condition to be verified: «User must be John and request must come from a specific location»

Page 36: Context-Aware Access Control and Presentation of Linked Data

Policy Manager

[Screenshots: New Named Graph creation; Access Privileges assignment]

Page 37: Context-Aware Access Control and Presentation of Linked Data

Policy Manager


Time-based access condition

Location-based access condition


Page 39: Context-Aware Access Control and Presentation of Linked Data

Enforcing Access Control • The Shi3ld Framework


Page 40: Context-Aware Access Control and Presentation of Linked Data

Shi3ld Framework

SPARQL (Shi3ld-SPARQL) [ECAI 2012]

    SELECT … WHERE {…}

HTTP Operations (Shi3ld-HTTP) [ESWC 2013]

    GET /data/resource HTTP/1.1

• SPARQL Graph Store Protocol (GSP)
• Linked Data Platform (SPARQL-less)

Page 41: Context-Aware Access Control and Presentation of Linked Data

Authorization Procedure

1. Adding Client Attributes to the Query (SPARQL)

    SELECT … WHERE {…}
    +
    INSERT DATA { GRAPH :ctx1 {…} }

[Diagram: Context with user (User), device (Device) and environment (Environment); sample client context with labels :ctx_AC1, p:user, p:environment, :env_AC1, p:nearbyEntity, <http://carl-johnson.org#me>, <http://alice.org#me>, foaf:gender "male"]

Page 42: Context-Aware Access Control and Presentation of Linked Data

Authorization Procedure

1. Adding Client Attributes to the Query (HTTP)

    GET /data/resource HTTP/1.1
    Host: example.org
    Authorization: Shi3ld <...>

[Diagram: Context with user (User), device (Device) and environment (Environment); sample client context with labels :ctx_AC1, p:user, p:environment, :env_AC1, p:nearbyEntity, <http://carl-johnson.org#me>, <http://alice.org#me>, foaf:gender "male"]

Page 43: Context-Aware Access Control and Presentation of Linked Data

Authorization Procedure

2. Access Conditions Execution

Client request (SPARQL):

    INSERT DATA { GRAPH :ctx1 {…} }

Client request (HTTP):

    GET /data/resource HTTP/1.1
    Host: example.org
    Authorization: Shi3ld <...>

Access condition:

    ASK {?context a prissma:Context ;
            prissma:user ?u ;
            prissma:environment ?e .
         ?u rel:employedBy :Louvre_Museum .
         ?e prissma:nearbyEntity :Director .
    }
    VALUES (?context) {(:client_attributes)}

Result: ="false"

Page 44: Context-Aware Access Control and Presentation of Linked Data

Authorization Procedure

3. Response Construction (SPARQL)

    SELECT … WHERE {…}

    SELECT … FROM :ng2,:ng3 WHERE {…}

[Diagram: named graphs :ng1, :ng2, :ng3]

Page 45: Context-Aware Access Control and Presentation of Linked Data

Authorization Procedure

3. Response Construction (HTTP)

    401 Unauthorized
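The three authorization steps above (client attributes, access-condition execution, response construction), as an added Python example that is not code from the slides or from the Shi3ld project. Plain Python predicates stand in for the SPARQL ASK access conditions; the context dictionary keys, the policy set and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Context = Dict[str, object]             # client-declared attributes (constructed shape)
Condition = Callable[[Context], bool]   # stand-in for one s4ac:hasQueryAsk ASK query

def near(value: float, centre: float, delta: float = 0.5) -> bool:
    # Same shape as the sample policy's FILTER: both bounds are strict, so a
    # difference of exactly 0 satisfies neither branch and is rejected.
    d = value - centre
    return 0 < d < delta or -delta < d < 0

def john_on_site(ctx: Context) -> bool:
    try:
        return (ctx["user"] == "http://example.org/john.rdf#me"
                and near(float(ctx["lat"]), 45.8483)
                and near(float(ctx["lon"]), 7.3263))
    except (KeyError, TypeError, ValueError):
        return False                    # missing or malformed attribute: not satisfied

def staff_near_director(ctx: Context) -> bool:
    return (ctx.get("employedBy") == ":Louvre_Museum"
            and ":Director" in ctx.get("nearbyEntity", ()))

@dataclass
class AccessPolicy:
    applies_to: str                     # protected named graph
    privilege: str                      # e.g. "Read"
    conditions: List[Condition]
    conjunctive: bool = True            # ConjunctiveACS, else DisjunctiveACS

    def grants(self, ctx: Context, privilege: str) -> bool:
        if privilege != self.privilege or not self.conditions:
            return False                # an empty condition set grants nothing
        results = [c(ctx) for c in self.conditions]
        return all(results) if self.conjunctive else any(results)

POLICIES = [                            # constructed sample policies
    AccessPolicy(":ng1", "Read", [staff_near_director]),
    AccessPolicy(":ng2", "Read", [john_on_site]),
    AccessPolicy(":ng3", "Read", [john_on_site, staff_near_director], conjunctive=False),
]

def accessible_graphs(ctx: Context, privilege: str = "Read") -> List[str]:
    # Default deny: a graph is listed only when a policy explicitly grants it.
    return sorted({p.applies_to for p in POLICIES if p.grants(ctx, privilege)})

def rewrite_select(where: str, ctx: Context) -> Optional[str]:
    graphs = accessible_graphs(ctx)
    if not graphs:
        return None                     # never fall back to an unrestricted query
    return "SELECT * " + " ".join(f"FROM {g}" for g in graphs) + f" WHERE {{ {where} }}"

def http_status(resource: str, ctx: Context, privilege: str = "Read") -> int:
    return 200 if resource in accessible_graphs(ctx, privilege) else 401
```

The context evaluated here is whatever the client declares, which the deck itself lists as an open issue (trustworthiness of client context), so the decision is only as strong as that input.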

Page 46: Context-Aware Access Control and Presentation of Linked Data

Response Time Evaluation (Shi3ld-SPARQL)

Corese-KGRAM SPARQL Engine 3.0.14 with Berlin SPARQL Benchmark Dataset 3.1

• Dataset size still predominant
• Small fraction access granted → Faster
• More context updates, more consumers → Slower

Page 47: Context-Aware Access Control and Presentation of Linked Data

Response Time Evaluation (Shi3ld-HTTP)


Jena Fuseki 0.2.6 (Shi3ld-GSP), Corese-KGRAM 3.0.14 (Shi3ld-LDP)

• Response time linear w/ AC number

•  Shi3ld-HTTP SPARQL-less: 25% faster

• AC complexity does not affect response time

Page 48: Context-Aware Access Control and Presentation of Linked Data

Conclusions


Page 49: Context-Aware Access Control and Presentation of Linked Data

How Does Mobile Context Influence Linked Data Access?

1. Mobile Context Model
2. Presentation Model
3. Error-Tolerant Subgraph Matching for Context Graphs
4. Access Control Model
5. Enforcing Access Control with Web Standards

Page 50: Context-Aware Access Control and Presentation of Linked Data

Limitations and Open Issues

1. Mobile Context Model
2. Presentation Model
3. Error-Tolerant Subgraph Matching for Context Graphs
4. Access Control Model
5. Enforcing Access Control with Web Standards

• Machine learning to optimize cost functions parameterization.
• Prisms Distribution: Linked Presentation-level Metadata.
• User acceptability evaluation campaign.
• Trustworthiness of Client Context.
• Explanation mechanism for “access denied” responses.
• Deeper privacy-preserving mechanism.

Page 51: Context-Aware Access Control and Presentation of Linked Data

Perspectives


Enhanced Information Retrieval for mobile users

Context-based Linked Data Discovery

Web of Data interlinking

Page 52: Context-Aware Access Control and Presentation of Linked Data

Thanks


•  L. Costabello. PRISSMA, Towards Mobile Adaptive Presentation of the Web of Data. Doctoral Consortium, ISWC 2011.

•  L. Costabello, S. Villata, N. Delaforge and F. Gandon. Linked Data Access Goes Mobile: Context-Aware Authorization for Graph Stores, LDOW 2012.

•  L. Costabello, S. Villata and F. Gandon. Context-Aware Access Control for RDF Graph Stores. ECAI 2012.

•  S. Villata, L. Costabello, N. Delaforge and F. Gandon. A Social Semantic Web Access Control Model. Journal on Data Semantics, Springer, 2013.

•  L. Costabello, S. Villata, O. Rodriguez-Rocha and F. Gandon. Access Control for HTTP Operations on Linked Data, ESWC 2013.

PRISSMA: wimmics.inria.fr/projects/prissma

Shi3ld: wimmics.inria.fr/projects/shi3ld

http://luca.costabello.info