1. Policy Representation & Reasoning
Juri L. De Coi, Philipp Kärger, Daniel Olmedilla, Sergej Zerr
L3s Research Center / Leibniz Hannover University
L3S Research Seminar
Hannover, 18th April, 2008

2. Best Student Award at VIT: Sukriti Ramesh CONGRATULATIONS!!
Because of
Academic performance (last 4 years)
Personality & communication skills
Social work
Project work (including L3S)
Even though it was with Odysseas 
But especially because of her answer to what does Mahatma's Gandhi phrase "See no evil, hear no evil, speak no evil" mean for you?
Ask her for details !
L3S Research Seminar
April 18th, 2008 2 2

3. Increasing Seminar Attendance Seminar Appeal
Wolfgang and Wolf-Tilo agree with the formula
They wanted to take an action, as the winners in the L3S Workshop did so they decided to
 Sponsor ice cream today ! Voluntarily !!!!!
L3S Research Seminar
April 18th, 2008 3 3

4. Outline Introduction to Policy Representation & Reasoning
Motivation, requirements, state of the art
L3S Policy framework
Protune in a Nutshell: framework and language
Protune in Action: Policies on the Web
Static content protection and dynamic generation
Reactive Policies, Current and Further Policy Work
Event reactivity, research ideas
L3S Research Seminar
April 18th, 2008

5. Introduction: Policy Representation & Reasoning
Daniel Olmedilla 5

6. Policy Representation & Reasoning Problem
Institutions, companies and people need to control the way they
Make business
Take decisions
Offer their assets
Etc …
Computers help us on our daily work performing tasks
that we cannot perform (or we do it worse)
hard to control manually, time-consuming, expensive, error-prone
automatically on our behalf
But generally, we need to control how decisions and actions are taken
L3S Research Seminar
April 18th, 2008

7. Policy Representation & Reasoning What is a Policy?
Wikipedia:
deliberate plan of action to guide decisions and achieve rational outcome(s)
Not necessarily related to IT
In an IT setting:
Set of considerations designed to guide decisions of courses of actions
Broad definition:
Set of statements defining the behaviour of an entity in a given situation
L3S Research Seminar
April 18th, 2008 7 7

8. Policy Representation & Reasoning Policies are everywhere (I)
Rules of ethics for robots
A robot may not injure a human being or, through inaction, allow a human being to come to harm.
A robot must obey orders given to it by human beings, except where such orders would conflict with the First Law.
A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
[Isaac Asimov. Runaround ]
L3S Research Seminar
April 18th, 2008 8 8

9. Policy Representation & Reasoning Policies are everywhere (II)
Declarative
L3S Research Seminar
April 18th, 2008 9 9

10. Policy Representation & Reasoning Policies are everywhere (III)
L3S Research Seminar
April 18th, 2008

11. Policy Representation & Reasoning Policies are everywhere (IV)
B2B contracts
e.g. quantity flexible contracts, late delivery penalties, etc.
Negotiation
e.g. rules associated with auction mechanisms
Security
e.g. access control policies
Privacy
Information Collection Policies (aka “ P3P Privacy Policies”)
Obfuscation Policies
Workflow management
What to do under different sets of conditions
Context aware computing
What service to invoke to access a particular contextual attribute
Context-sensitive preferences
[ by Norman Sadeh, Semantic Web Policy Workshop panel, ISWC 2005 ]
L3S Research Seminar
April 18th, 2008 11 11

12. Policy Representation & Reasoning The goal
Build applications/agents where
Behaviour is flexible
Can be changed/updated dynamically
without re-coding, re-compiling, re-installing, etc…
In a costless manner
Can be managed by administrators/users without needing to be computer experts
Can be understood by normal users
L3S Research Seminar
April 18th, 2008

13. Policy Representation & Reasoning Benefits
Explicit license for autonomous behaviour
Reusability
Efficiency
Extensibility
Context-sensitivity
Verifiability
Support for simple as well as sophisticated agents
Protection from poorly-designed, buggy or malicious agents
Reasoning about agent behaviour
Compact representation, possibly declarative
Etc.
L3S Research Seminar
April 18th, 2008

14. Policy Representation & Reasoning Requirements / Challenges
Many policies, one framework
Conflict Resolution
Integration with external sources
Policies as active objects
Executing actions
Negotiations
User awareness and control
Cooperative enforcement
L3S Research Seminar
April 18th, 2008

15. Policy Representation & Reasoning Many policies, one framework (I)
The term policy covers:
Security/Privacy policies, Trust management
Business rules
Quality of Service directives
Service-level agreements
Communication and conversation policies
and more...
In many cases they are interleaved
If customers are younger than 26 give a 20% discount on international tickets
Up to 15% of network bandwidth can reserved if payment is done with an accepted credit card
Customers can rent a car if they are 18 or older, and exhibit a driving license and a valid credit card
L3S Research Seminar
April 18th, 2008

16. Policy Representation & Reasoning Many policies, one framework (II)
It is appealing to integrate all policies in one framework
One common infrastructure
for interoperability and decision making
Where policies can be harmonized & coordinated
L3S Research Seminar
April 18th, 2008

17. Policy Representation & Reasoning Conflict Resolution (I)
Positive authorization
You can access file123.txt
Alice
Obligation
You must inform your boss
Negative authorization
You can not access file123.txt
Ivan
Dispensation
You don’t need to inform your boss
L3S Research Seminar
April 18th, 2008 17 17

18. Policy Representation & Reasoning Conflict Resolution (II)
Security typically assumes “everything is denied by default”  no need for disallow policies
The cost of disclosing a sensitive resource is higher than not disclosing a public one
But, if there exists the need, then it is required to provide techniques for
Conflict detection
Conflict harmonization
L3S Research Seminar
April 18th, 2008

19. Policy Representation & Reasoning Integration with external systems
Policies are not islands
Decisions need data, information, and knowledge
Each organization has its own
Already available through legacy software and data
A realistic solution must interoperate with them
Third parties
Credit card sites for validity checking
External databases
Variety of web resources
L3S Research Seminar
April 18th, 2008 19 19

20. Policy Representation & Reasoning Negotiations (I)
Alice
Bob
Step 1: Alice requests a service from Bob
Step 2: Bob discloses his policy protecting the service
Step 3: Alice discloses her policy protecting the VISA
Step 4: Bob discloses his BBB credential
Step 5: Alice discloses her VISA card credential
Step 6: Bob grants access to the service
Service
L3S Research Seminar
April 18th, 2008

21. Policy Representation & Reasoning Negotiations (II)
Used for
Access control
Service-level agreements
Dynamic contracts
E.g., in web service composition
Autonomic computing
Pervasive environments
E.g., sensor networks
Etc.
L3S Research Seminar
April 18th, 2008

22. Policy Representation & Reasoning User awareness and control
Explain policies and system decisions
Make rules & reasoning intelligible to the common user
Encourage people to personalize their policies
Make it easy for users to write their own rules
L3S Research Seminar
April 18th, 2008 22 22

23. Policy Representation & Reasoning Cooperative Policy Enforcement
Crucial for the success of a service
Never say (only) “no”!
Encourage first-time users
Who don't know how to use your service
Explain policy decisions
Especially failures
Advanced queries: Why not
Advanced queries: How-to, What-if
You can’t open this door, but you can ask Alice for permission
L3S Research Seminar
April 18th, 2008

24. Policy Representation & Reasoning Main State of the Art Approaches
Ponder
OO language, well established, focus on network management
XACML
Standard by OASIS, it being taken up by companies
KAOS
Based on DL reasoning
REI
Combination of DL representation and LP semantics
PeerTrust
Based on guarded distributed logic programs
And many others
L3S Research Seminar
April 18th, 2008 24 24

25. Protune policy framework:
(not too)
technical details
Juri Luca De Coi

26. Protune Policy Framework Outline
Getting started
Protune Features
Usability issues
Replace „requirements“ with „features“
L3S Research Seminar
April 18th, 2008

27. Getting started

28. Protune Policy Framework Overview
Alice
Bob
Policy
……….
Request
Intelligent
policy
engine
Decision
L3S Research Seminar
April 18th, 2008

29. Protune Policy Framework Just to get the flavor...
IF conditions are fullfilled
THEN allow action
disclose(‘/EWSCpaper2008.pdf’) 
sendL3SEmployeeId.
disclose(X) 
status(X, published).
status(‘/EWSCpaper2007.pdf’, published).
status(‘/EWSCpaper2008.pdf’, notPublished).
EWSCpaper2008.pdf can be disclosed to the other peer if it has sent an L3S employee id.
A resource can be disclosed if its status is „published“
Remove „execute“ from all slides.
Replace „:-“ with „“. Mention that I am speaking about rules.
L3S Research Seminar
April 18th, 2008

30. Protune Features

31. Protune Policy Framework Standard example
disclose(X) 
status(X, notPublished),
sendL3SEmployeeId.
status(‘/EWSCpaper2007.pdf’, published).
status(‘/EWSCpaper2008.pdf’, notPublished).
Actions may be needed in order to make decisions
Remove the first rule.
Separate rules
L3S Research Seminar
April 18th, 2008

32. Protune Policy Framework Metapolicy “type”
disclose(X) 
status(X, notPublished),
sendL3SEmployeeId.
status(‘/EWSCpaper2007.pdf’, published).
status(‘/EWSCpaper2008.pdf’, notPublished).
sendL3SEmployeeId->type:action.
status(X, Y)->type:logical.
Usual predicate
Action
Write „action“ instead of „provisional“
3 Keep the comics on the next slide
L3S Research Seminar
April 18th, 2008

33. Protune Policy Framework Metapolicy “actor”
Who executes the action?
disclose(X) 
status(X, notPublished),
sendL3SEmployeeId.
status(‘/EWSCpaper2007.pdf’, published).
status(‘/EWSCpaper2008.pdf’, notPublished).
sendL3SEmployeeId->type:action.
sendL3SEmployeeId->actor:peer.
status(X, Y)->type:logical.
The requester?
The local system?
A third party?
L3S Research Seminar
April 18th, 2008

34. Protune Policy Framework Available actions
Access to relational databases
Access to RDF repositories
Credential exchange
Searching of regular expressions within a file
Interface to an LDAP server
Time and location management
3. Repeat that such actions may be needed in order to make decisions.
L3S Research Seminar
April 18th, 2008

35. Protune Policy Framework Explanations
L3S Research Seminar
April 18th, 2008

36. Usability issues
Until now only for computer scientists. Since now for common users.

37. Protune Policy Framework Usability issues
download(User, Resource) 
authenticated(User),
have(User, Subscription),
availableFor(Subscription, Resource).
authenticated(‘Bob’).
have(‘Bob’, lncsSubscription).
availableFor(lncsSubscription, ESWCpaper2007.pdf).
authenticated(User)->type:logical.
availableFor(Subscription, Resource)->type:logical.
have(User, Subscription)->type:logical.
Every user who is authenticated and who has a subscription that is available for a resource can download the resource.
Leave out metapolicy
L3S Research Seminar
April 18th, 2008

38. Protune Policy Framework Using natural language: Problem
How to deal with ambiguities?
Put the example before the description of ACE.
3. Explain that we want to use natural language, but we have the problems of ambiguities.
L3S Research Seminar
April 18th, 2008

39. Protune Policy Framework Using natural language: Ambiguities (I)
Bob looks at the girl on the hill with a telescope
3. Put every interpretation in the same slide. Together with the sentence.
L3S Research Seminar
April 18th, 2008

40. Protune Policy Framework Using natural language: Ambiguities (II)
2 girls lift 2 tables
3. Put every interpretation in the same slide. Together with the sentence.
L3S Research Seminar
April 18th, 2008

41. Protune Policy Framework Solution: Use a controlled natural language
What does “controlled” mean?
Rules are used in order to automatically disambiguate ambiguous sentences
Bob looks at the girl on the hill with a telescope
Only a subset of valid English sentences are valid sentences
Example disambiguation rule:
Propositional phrases refer to the predicate of the sentence
L3S Research Seminar
April 18th, 2008

42. Protune Policy Framework Disambiguation: using ACE (I)
Bob looks at the girl on the hill with a telescope
3. Put every interpretation in the same slide. Together with the sentence.
Bob looks with a telescope at the girl who is on the hill.
Bob looks at the girl on the hill with a telescope.
Bob looks at the girl who is on the hill with a telescope.
L3S Research Seminar
April 18th, 2008

43. Protune Policy Framework Disambiguation: using ACE (II)
2 girls lift 2 tables
3. Put every interpretation in the same slide. Together with the sentence.
2 girls lift 2 tables.
Each of 2 girls lifts one table.
Each of 2 girls lifts 2 tables.
L3S Research Seminar
April 18th, 2008

44. Protune Policy Framework The ACE  Protune translation (I)
Every user who is authenticated and who has a subscription
that is available for a resource can download the resource.
drs([], [
drs([A, B, C, D, E, F, G, H], [
object(A, user, countable, na, eq, 1)-1,
property(B, authenticated, pos)-1,
predicate(C, be, A, B)-1,
object(D, subscription, countable, na, eq, 1)-1,
object(E, resource, countable, na, eq, 1)-1,
property(F, available, pos)-1,
predicate(G, be, D, F)-1,
modifier_pp(G, for, E)-1,
predicate(H, have, A, D)-1 ])
=>
<>
drs([I], [
predicate(I, download, A, E)-1
]).
download(User, Resource) 
authenticated(User),
‘available#for’(Subscription, Resource),
have(User, Subscription).
Show the policy in the same slide.
3. Do not mention Zürich
Add a couple of other automatically generated policies.
L3S Research Seminar
April 18th, 2008

45. Protune Policy Framework The ACE  Protune translation (II)
Every user who provides a declaration whose
username is the user's name and whose password
is the user's password is authenticated.
authenticated(User) 
User.name:Username,
User.password:Password,
provide(User, Declaration),
Declaration.password:Password,
Declaration.username:Username.
L3S Research Seminar
April 18th, 2008

46. Protune Policy Framework The ACE  Protune translation (III)
Every user who sends a credential
that is valid and
whose type is "creditCard" and
whose owner is authenticated and
on which a price is charged
pays the price with "creditCard".
'pay#with'(User, Price, creditCard) 
valid(Credential),
Credential.type:creditCard,
authenticated(Owner),
'charged#on'(Price, Credential),
send(User, Credential),
Credential.owner:Owner.
L3S Research Seminar
April 18th, 2008

47. Policy Based Protection and Personalized Generation of Web Content
Sergej Zerr

48. Protune in Action: Policies on the Web Trust within an Open Environmentx x B x
Bookstore
Web server
LMS
L3S Research Seminar
April 18th, 2008

49. Protune in Action: Policies on the Web Using Trust Negotiation
Web Package x
Applet
Servlet Container
(e.g Tomcat)
var protectedResources=
new Array( ‘ );
<poljsp:policycondition policyname=
"exchangedCredential(member)“ >
<poljsp:iftrue>Success!!</poljsp:iftrue>
</poljsp:policycondition>
PolicyFilter.Jar
L3S Research Seminar
April 18th, 2008

50. 1. Reactive Policies 2. More policy research topics
Structure:
Reactive policies:
why should policies be reactive – a motivation
reactive policies: events, conditions, and actions
a first attempt of a prototype: combining PROTUNE and r³
Summary
The policy research idea zoo:
1. changing policies while negotiating
2. using preferences to guide decisions in negotiations
3. specifying policies with resticted natural languages (the ACE stuff)
4. access control to RDF repositories
5. precomputing policies to reduce computation time
Philipp Kärger

51. Reactive Policies While doing valuable research …
Always accept files sent by L3S members but only if it’s not an exe file.
L3S members can only call me during business hours.
My students can call me only on Wednesday morning. After the semester, deny their calls.
Show my date of birth only to family members.
Automatically accept “share contact dates” for L3S members and for the contacts of my family.
Notify me if one of my contacts has birthday and goes online.
If someone phones me while I am on a call, deny the call and open a chat instead.
L3S Research Seminar
April 18th, 2008

52. Reactive Policies Current Policies
they define under which conditions things are true, e.g.,
who exactly gets access
why we grant access
what is needed to get access
L3S Research Seminar
April 18th, 2008

53. Reactive Policies What is a reactive policy?
But what is missing in
current policy frameworks?
When is the policy evaluated?
 Triggering Events
What exactly happens if a policy is evaluated to true or false?
 Actions (as reactions to events)
who may contact you under which condition
member of L3S
file is an exe file
define events
two calls at the same time
my mother’s birthday
somebody changes online status
define (re-)actions
send automatic reply and close chat
download file to a specific folder
deny call but start chat instead
pass the call to the answering machine
IF EVENT “call comes in” HAPPENS
AND “I am on another call” HOLDS
PERFORM ACTION “deny call and open chat”
If someone phones me while I am on a call, deny the call and open a chat instead.
Reactivity!
L3S Research Seminar
April 18th, 2008
1. client gets discount
IF client is a VIP client
2. client is a VIP client
IF client bought for >200Euro
“client gets discount” IF “client is a VIP client”
“client is a VIP client” IF “client bought for >200Euro”
IF EVENT “car appears” HAPPENS
AND “car is too fast” HOLDS
PERFORM ACTION “take picture and send it to PD”

54. Reactive Policies Reactivity
Reactivity in Databases:
“Active Database Systems”, Book, 1995
many more
Reactivity on the web:
“An Event Condition Action Language for XML”, WWW2002
EDBT 2006 Workshop “Reactivity on the Web”
REWERSE Work Package “Evolution and Reactivity”
some more
L3S Research Seminar
April 18th, 2008

55. Reactive Policies Approach
Claim:
We need policies that allow for reactivity.
Solution:
Reactive Policies
also called Event Condition Action Policies
L3S Research Seminar
April 18th, 2008

56. Reactive Policies Event Condition Action Policies
always three components:
Event: when is the rule evaluated
Condition: what has to be satisfied
Action: what is the reaction to the event
ON a call comes in IF I am on another call DO deny call and open chat
If someone phones me while I am on a call, deny the call and open a chat instead.
L3S Research Seminar
April 18th, 2008

57. Reactive Policies Solution
How do we get all this to work?
r³ and Protune
Combining a Reactive Framework and a Policy Framework
L3S Research Seminar
April 18th, 2008

58. Reactive Policies r3 – Resourceful Reactive Rules
(developed at the AI Center, Universida de Nova de Lisboa (Portugal))
(Semantic) Web Rule Engine for Reactive Rules
evaluates rules of the form:
<rule>
<event>myEventLanguage:SkypeCallComesIn(User)</event>
<condition>myConditionLanguage:isNotTrusted(User)</condition>
<action>myActionLanguage:denyCall(User)</action>
</rule>
plugging in arbitrary languages makes it really flexible
L3S Research Seminar
April 18th, 2008

59. Reactive Policies Combining r3 and Protune
any event language (e.g., XChange, Prova)
Protune goals
<rule>
<event>myEventLanguage:SkypeCallComesIn(User)</event>
<condition>PROTUNE:isNotTrusted(User)</condition>
<action>PROTUNE:denyCall(User)</action>
</rule>
Protune external actions
L3S Research Seminar
April 18th, 2008

60. Reactive Policies Benefits
enhance reactivity with policies
Protune
allows for negotiations, information exchange
provides explanations
allows for (external) actions r³
allows for arbitrary event languages
evalutates Event Condition Action rules
handles the binding across events, conditions, actions
making policies reactive
L3S Research Seminar
April 18th, 2008

61. Reactive Policies Summary
Reactive Policies – policy-enabled Reactivity
policies need some kind of reactivity
no current policy framework allows for reactivity
no current reactive rule framework allows for policies
ECA policies
provide access control
provide semantics for events and actions
combining r³ and Protune merges both worlds
advanced access control with policies
engine for reactive rules extends
L3S Research Seminar
April 18th, 2008

62. Daniel, Juri, Philipp, Sergej, and some more
More research ideas …
1. changing policies while negotiating
2. using preferences to guide decisions in negotiations
4. access control to RDF repositories
5. precomputing policies to reduce computation time
Daniel, Juri, Philipp, Sergej, and some more

63. More research ideas Outline
Changing policies while negotiating.
Using preferences to guide decisions in negotiations.
Access control to RDF repositories.
Access control for desktop sharing.
L3S Research Seminar
April 18th, 2008

64. More research ideas 1. Changing policies while negotiating
Problem: What if I change my policies while my agent is negotiating?
Policy:
Only university members can call me.
I want to call you via Skype.
Ok, you have to prove that you work for L3S. …
New Policy:
Only L3S members can call me.
L3S Research Seminar
April 18th, 2008

65. More research ideas 2. Preferences guiding negotiations
Problem: What if there are two possibilities to succeed in a negotiation?
I prefer to disclose my Student ID instead of disclosing my passport.
Philipp Kärger, Daniel Olmedilla, Wolf-Tilo Balke
“Using Preferences for Credential Disclosure in Policy-Driven Trust Negotiations.”
Just submitted.
L3S Research Seminar
April 18th, 2008

66. More research ideas 3. Access control to RDF repositories
RDF data is accessible only under certain conditions.
Problem: how to enforce this for querying?
RDF store (sensitive data)
Return all triples
FROM
the ones I am interested in
WHERE
my conditions are true.
Return all triples
FROM
the ones I am interested in
WHERE
my conditions are true
AND
the policy’s conditions are true.
expansion
Fabian Abel, Juri Luca De Coi, Nicola Henze, Arne W. Koesling, Daniel Krause, Daniel Olmedilla
“Enabling Advanced and Context-Dependent Access Control in RDF Stores.”
ISWC 2007
Policies: conditions that have to be fulfilled to access information.
L3S Research Seminar
April 18th, 2008

67. More research ideas 4. Access control for desktop sharing (I)
“I want access to your private document.”
Metadata: author: … title: … date: … inverted index:
Juri L. De Coi, Ekaterini Ioannou, Arne Koesling, and Daniel Olmedilla.
“Access control for sharing semantic data across desktops.”
Workshop on Privacy Enforcement and Accountability with Semantics (PEAS), 2007.
“Is there a document containing ‘FBI’ in the title?”
L3S Research Seminar
April 18th, 2008

68. More research ideas 4. Access control for desktop sharing (II)
Pre-evaluate for each file, each metadata, and each user.
Policies
Policies: Who is allowed to see what metadata of what file under which conditions.
L3S Research Seminar
April 18th, 2008

69. End of the Seminar Let us give you a policy
ON seminar just finished IF you liked it OR you had fun you learned something you liked the ice cream DO big applause 
L3S Research Seminar
April 18th, 2008

70. Questions? Thanks! decoi@L3S.de – http://www.L3S.de/web/DECOI– – –
L3S Research Seminar
April 18th, 2008

71. References
Antoniou et al., Rule-based policy specification. Secure Data Management in Decentralized Systems. Springer,
Bonatti, Olmedilla. Rule-based policy representation and reasoning for the semantic web. In Reasoning Web, Third International Summer School Springer.
Antoniou et al. (Eds.): Reasoning Web Springer LNCS 4636, pp.1–153
Bradshaw et al., Making Agents Acceptable to people, Intelligent technologies for information analysis: Advances in agents, data mining and statistical learning. Springer
L3S Research Seminar
April 18th, 2008

72. Hidden slides