RuleML and SWRL, Proof and Trust

Semantic Web
F. Abel and D. Krause
IVS Semantic Web Group
January 17, 2008

1 Solution 1: RuleML

Express the following RuleML code as a human-readable First Order Logic or Description Logic rule:

    <rule>
      <head>
        <predicate> colleagues </predicate>
        <var> X </var> <var> Y </var>
      </head>
      <body>
        <predicate> worksfor </predicate>
        <var> X </var> <var> C </var>
        <predicate> worksfor </predicate>
        <var> Y </var> <var> C </var>
      </body>
    </rule>

Solution: $\forall X.\ \forall Y.\ (\mathit{worksfor}(X, C) \land \mathit{worksfor}(Y, C) \rightarrow \mathit{colleagues}(X, Y))$

2 Solution 2: SWRL

Express the following SWRL code as a human-readable First Order Logic or Description Logic rule:

    <!DOCTYPE rdf:RDF [
      <!-- declares the &org; entity used in the swrlx:property attributes -->
      <!ENTITY org "http://www.abc.de/organization.owl#">
    ]>
    <rdf:RDF xmlns="http://www.abc.de/company#"
        xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
        xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
        xmlns:swrlx="http://www.w3.org/2003/11/swrlx#"
        xmlns:ruleml="http://www.w3.org/2003/11/ruleml"
        xmlns:org="http://www.abc.de/organization.owl#"
        xml:base="http://www.abc.de/company">
      <ruleml:imp>
        <ruleml:_rlab ruleml:href="#employsandworksforrule"/>
        <ruleml:_body>
          <swrlx:individualPropertyAtom swrlx:property="&org;employs">
            <ruleml:var>x</ruleml:var>
            <ruleml:var>y</ruleml:var>
          </swrlx:individualPropertyAtom>
        </ruleml:_body>
        <ruleml:_head>
          <swrlx:individualPropertyAtom swrlx:property="&org;worksfor">
            <ruleml:var>y</ruleml:var>
            <ruleml:var>x</ruleml:var>
          </swrlx:individualPropertyAtom>
        </ruleml:_head>
      </ruleml:imp>
    </rdf:RDF>

Solution: $\forall X.\ \forall Y.\ (\mathit{employs}(X, Y) \rightarrow \mathit{worksfor}(Y, X))$

3 Solution 3: RuleML, SWRL

1. How do we express disjunctions in the body, e.g. $\forall X.\ \forall Y.\ (a(X, Y) \lor b(X, Y) \rightarrow c(X, Y))$, with RuleML/SWRL?

   Answer: RuleML and SWRL only allow Horn-like rules to be specified. Horn rules have at most 1 positive element when they are transformed into a disjunctive normal form. Hence, such rules can only be realized by splitting them into different rules, i.e.:

   (a) $\forall X.\ \forall Y.\ (a(X, Y) \rightarrow c(X, Y))$
   (b) $\forall X.\ \forall Y.\ (b(X, Y) \rightarrow c(X, Y))$

   Those different rules are interpreted as OR-connected rules.

2. What are the advantages of SWRL in comparison to RuleML?

   - Rules have semantic meaning. For example, predicates/properties are referenced via URI: org:worksfor (= http://www.abc.de/organization.owl#worksfor). Hence, an application that knows this resource (org:worksfor) also knows the meaning of this resource. An application that does not know this resource yet can visit the ontology in which the resource is defined. There it will find statements that (partially) explain the meaning of org:worksfor, i.e.:
     - org:worksfor is an owl:ObjectProperty
     - rdfs:domain of org:worksfor is foaf:Person
     - rdfs:range of org:worksfor is foaf:Organization
     - org:worksfor is a sub-property of dc:relation
   - Rules can be equipped with a URI; re-use of rules (possibly in other documents) is eased.
   - It is possible to utilize language constructs of OWL (e.g. owl:cardinality, ...).
4 Solution 4: Proof and Trust

1. What is the purpose of the Proof layer?

   - provides evidence that a given answer is correct
   - explains how an answer was deduced
   - example:

     query: Select the type of a resource:

         PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
         PREFIX : <http://abc.de/people#>
         SELECT ?type WHERE { :daniel rdf:type ?type }

     query: Two answers:

         (:daniel, rdf:type, foaf:Person)
         (:daniel, rdf:type, foaf:Agent)

     proof: How the answer was derived (this is an informal syntax; markup languages exist for this purpose, e.g. PML, or N3 Rules can be used):

         ... (X, rdfs:subClassOf, Y) -> (A, rdf:type, X) AND (A, rdf:type, Y) -> (:daniel, rdf:type, foaf:Agent)

   - Based on which data was the answer deduced?

2. What is the purpose of the Trust layer?

   To make answers to queries reliable and trustworthy, different aspects have to be considered. For example, signatures can be used to ensure that the party who sent the answer really is the entity he/she claims to be. If a communication partner is not known in advance, other approaches have to be used to establish trust. For example, service providers can be certified by organizations whose purpose is to check whether a service provider is trustworthy. Service consumers can then define rules for communication, e.g. "I only trust you if you can prove that you are certified as trustful by Organization XY". Another approach could be that a service consumer defines rules like "I only trust you if you can prove that at least 5 of my friends have already used your service (and thus trust you)" (Chain of trust).
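The Proof-layer derivation from question 1 above, as an added example that is not part of the original solution sheet: a small forward-chaining reasoner that records, for every derived triple, the premises it came from, so that an answer can be explained and traced back to the asserted data. The base facts are constructed to match the :daniel example, and the function names are hypothetical.

```python
# Added example: a tiny RDFS subclass reasoner that keeps a proof for each triple.
RDF_TYPE, SUBCLASS = "rdf:type", "rdfs:subClassOf"

# Constructed base data (assumption): what the store asserts explicitly.
FACTS = {
    (":daniel", RDF_TYPE, "foaf:Person"),
    ("foaf:Person", SUBCLASS, "foaf:Agent"),
}

def infer_with_proofs(facts):
    """Apply (X subClassOf Y) AND (A type X) -> (A type Y) to a fixpoint.
    Maps every triple to its premises; asserted triples map to ()."""
    proofs = {t: () for t in facts}
    changed = True
    while changed:
        changed = False
        for inst in list(proofs):
            for sub in list(proofs):
                if (inst[1] == RDF_TYPE and sub[1] == SUBCLASS
                        and sub[0] == inst[2]):
                    derived = (inst[0], RDF_TYPE, sub[2])
                    if derived not in proofs:
                        proofs[derived] = (sub, inst)
                        changed = True
    return proofs

def explain(triple, proofs, depth=0):
    """Proof tree as indented lines; raises KeyError for unproven triples."""
    premises = proofs[triple]
    tag = "derived via rdfs:subClassOf" if premises else "asserted"
    lines = ["  " * depth + f"{triple} [{tag}]"]
    for p in premises:
        lines.extend(explain(p, proofs, depth + 1))
    return lines

def support(triple, proofs):
    """Asserted triples the answer rests on ('based on which data?')."""
    premises = proofs[triple]
    if not premises:
        return {triple}
    return set().union(*(support(p, proofs) for p in premises))

def query_types(subject, proofs):
    """All rdf:type values of subject, asserted or derived."""
    return sorted(o for s, p, o in proofs if s == subject and p == RDF_TYPE)

if __name__ == "__main__":
    proofs = infer_with_proofs(FACTS)
    print(query_types(":daniel", proofs))
    print("\n".join(explain((":daniel", RDF_TYPE, "foaf:Agent"), proofs)))
```

A client that trusts only some sources can compare the result of `support` with the set of triples it accepts before relying on a derived answer.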
No.    Policy
pol 1  triples (#alice, foaf:phone, Z).
pol 2  deny access to triples (X, foaf:phone, Z) IF (X, foaf:currentProject, #rewerse) AND Requester = RecommenderService.
pol 3  triples (X, foaf:phone, Z) IF Requester is certified by BBB AND (#alice, foaf:knows, X).
pol 4  triples (X, Y, Z) IF Time is the current time AND 09:00 < Time AND Time < 17:00 AND Y = foaf:name AND X != #tom.
pol 5  triples (#alice, foaf:interest, Z) IF (Z, rdf:type, foaf:Document) AND (X, foaf:currentProject, P) AND (Z, foaf:topic, T) AND (P, foaf:theme, T).
pol 6  triples (#alice OnlineEcommerceAccount X) IF Invoker of Requester = Y AND (#alice foaf:knows Y).
pol 7  triples (X Y Z) IF (X rdfs:type foaf:Person) AND credential (Requester, C) AND issuer (C, X).

Table 1: Example of high-level rules controlling access to RDF statements
5 Solution 5: Proof and Trust

Design a system that realizes functions of the Proof and Trust layer by using rules! [1]

Example: Access Control for RDF stores. Users define their own rules that specify which concrete RDF data may be accessed by which service/application/... Such rules could look as outlined in Table 1. Their intended meaning is as follows:

1. anyone can receive Alice's phone number
2. the RecommenderService is not allowed to access the phone number(s) of members of the REWERSE project
3. recognized trusted services (which have to provide a suitable credential) are allowed to access the phone number(s) of people Alice knows
4. RDF statements containing the name of entities other than Alice's boss Tom can be accessed during work time
5. this policy controls access to Alice's interests. Only interests related to her current project(s) can be accessed
6. a service can only access Alice's online ecommerce account if the service was invoked by a person who is known by Alice
7. services are only allowed to access information about a person if they can supply the credential of this person

The enforcement of these rules could be implemented on top of an RDF store, e.g. by rewriting the RDF queries that are sent to the RDF store so that they respect the rules and hence only return RDF data that is allowed to be accessed.

[1] Just write down the concept of such a system. For example, a system which controls access to RDF data, or a system which gives proofs for derived answers.
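A sketch of the enforcement idea for pol 1 to pol 3 of Table 1, as an added example that is not part of the original solution sheet. It filters the matched triples after the pattern match, a simpler stand-in for the query rewriting mentioned above. The store contents, the requester records, the deny-overrides conflict resolution and the default-deny fallback are assumptions, since the sheet does not specify them.

```python
# Added example: enforcement by filtering query results (deny-overrides, default deny).
# Constructed RDF data (assumption); phone values are placeholders.
STORE = {
    ("#alice", "foaf:phone", "tel:alice"),
    ("#bob", "foaf:phone", "tel:bob"),
    ("#carol", "foaf:phone", "tel:carol"),
    ("#alice", "foaf:name", "Alice"),
    ("#alice", "foaf:knows", "#bob"),
    ("#bob", "foaf:currentProject", "#rewerse"),
}

def pol1(t, req):
    """Anyone can receive Alice's phone number."""
    return t[:2] == ("#alice", "foaf:phone")

def pol2(t, req):
    """DENY: RecommenderService may not read phones of REWERSE members."""
    return (t[1] == "foaf:phone" and req["name"] == "RecommenderService"
            and (t[0], "foaf:currentProject", "#rewerse") in STORE)

def pol3(t, req):
    """Services certified by BBB may read phones of people Alice knows."""
    return (t[1] == "foaf:phone" and "BBB" in req["certified_by"]
            and ("#alice", "foaf:knows", t[0]) in STORE)

ALLOW, DENY = (pol1, pol3), (pol2,)

def authorized(t, req):
    # Assumption: a matching deny rule wins; no matching allow rule means no access.
    if any(rule(t, req) for rule in DENY):
        return False
    return any(rule(t, req) for rule in ALLOW)

def query(pattern, req):
    """Match a triple pattern (None is a variable), then drop unauthorized triples."""
    return sorted(t for t in STORE
                  if all(p is None or p == v for p, v in zip(pattern, t))
                  and authorized(t, req))

# Requesters (hypothetical); 'certified_by' is assumed to hold only credentials
# whose signature has already been verified.
ANON = {"name": "anonymous", "certified_by": set()}
ADDRESS_BOOK = {"name": "AddressBook", "certified_by": {"BBB"}}
RECOMMENDER = {"name": "RecommenderService", "certified_by": {"BBB"}}
PHONES = (None, "foaf:phone", None)
```

Because the deny rule is checked first, the RecommenderService loses access to Bob's number even though its BBB certificate would satisfy pol 3.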