Academia.eduAcademia.edu

Outline

Title
Abstract
Figures
Introduction
Use Case
Data Property Assertions
Data Intelligence
Ontology-Based Access Control for Fair Data
Related Work
References
All Topics
Philosophy
Metaphysics

Ontology-based Access Control for FAIR Data

Profile image of Christopher BrewsterChristopher Brewster

2019, Data Intelligence

https://doi.org/10.1162/DINT_A_00029
visibility

description

12 pages

link

1 file

Abstract

This paper focuses on fine-grained, secure access to FAIR data, for which we propose ontology-based data access policies. These policies take into account both the FAIR aspects of the data relevant to access (such as provenance and licence), expressed as metadata, and additional metadata describing users. With this tripartite approach (data, associated metadata expressing FAIR information, and additional metadata about users), secure and controlled access to object data can be obtained. This yields a security dimension to the “A” (accessible) in FAIR, which is clearly needed in domains like security and intelligence. These domains need data to be shared under tight controls, with widely varying individual access rights. In this paper, we propose an approach called Ontology-Based Access Control (OBAC), which utilizes concepts and relations from a data set's domain ontology. We argue that ontology-based access policies contribute to data reusability and can be reconciled with priv...

Figures (4)
Figure 1. Categorization of illicit goods in the Agora marketplace. An example of a metadata graph is depicted in Figure 1, which is a fragment of the categorization of illicit goods in the Agora dark Web market, generated automatically from a public Agora data dump [8]®. Once raw data become linked to metadata graphs, structure-sensitive access protocols can effectively regulate views on the underlying raw data through traversal of the metadata graph. Possible restrictions involve semantic (ontology) labels on visiting nodes (“only party drugs are visible”), or topological aspects of the graph (such as the radius around nodes in the metadata graph that can be inspected by a given user). Even combinations of semantic and structure-based access restrictions are possible (“only party drugs statistics are visible, but not individual posts with vendor nicknames”). LEAs often start investigations with hunches. Information access protocols, backed by increasingly liberal investigation mandates, allow investigators to follow up on those hunches, by digging deeper in the data graph. We propose that OBAC is just the right approach to implementing such role- and context-dependent policies.
Figure 1. Categorization of illicit goods in the Agora marketplace. An example of a metadata graph is depicted in Figure 1, which is a fragment of the categorization of illicit goods in the Agora dark Web market, generated automatically from a public Agora data dump [8]®. Once raw data become linked to metadata graphs, structure-sensitive access protocols can effectively regulate views on the underlying raw data through traversal of the metadata graph. Possible restrictions involve semantic (ontology) labels on visiting nodes (“only party drugs are visible”), or topological aspects of the graph (such as the radius around nodes in the metadata graph that can be inspected by a given user). Even combinations of semantic and structure-based access restrictions are possible (“only party drugs statistics are visible, but not individual posts with vendor nicknames”). LEAs often start investigations with hunches. Information access protocols, backed by increasingly liberal investigation mandates, allow investigators to follow up on those hunches, by digging deeper in the data graph. We propose that OBAC is just the right approach to implementing such role- and context-dependent policies.
Figure 2. Access to object data through structured metadata.
Figure 2. Access to object data through structured metadata.
Table 1. Example results of SPARQL queries. Note: These results only include items that have USA as their origin and destination, even though this is not explicitly mentioned in the SPARQL query. The above query gives the following example results (Table 1). From this data browsing session, the officer finds hints that especially the Steroids related drugs are increasing in the USA region. To further investigate this, the officer gets another role with a broader mandate that is needed to access vendor information. The graph pattern for the role USA_drugs_officer_broad that reflects this broader mandate is as follows:
Table 1. Example results of SPARQL queries. Note: These results only include items that have USA as their origin and destination, even though this is not explicitly mentioned in the SPARQL query. The above query gives the following example results (Table 1). From this data browsing session, the officer finds hints that especially the Steroids related drugs are increasing in the USA region. To further investigate this, the officer gets another role with a broader mandate that is needed to access vendor information. The graph pattern for the role USA_drugs_officer_broad that reflects this broader mandate is as follows:
Table 2. Example results of SPARQL queries.
Table 2. Example results of SPARQL queries.

Related papers

Privacy-preserving semantic access control across heterogeneous information sources
Prasenjit Mitra

2004

Today, many applications require users from one organization to access data belonging to another organizations. While traditional solutions offered for the federated and mediated databases facilitate this by sharing metadata, this may not be acceptable for certain organizations due to privacy concerns. In this paper, we propose a novel solution -Privacy-preserving Access Control Toolkit (PACT) -that enables privacy-preserving secure semantic access control and allows sharing of data among heterogeneous databases without having to share metadata. PACT uses encrypted ontologies, encrypted ontology-mapping tables and conversion functions, encrypted role hierarchies and encrypted queries. The encrypted results of queries are sent directly from the responding system to the requesting system, bypassing the mediator to further improve the security of the system. PACT provides semantic access control using ontologies and semantically expanded authorization tables at the mediator. One of the distinguishing features of the PACT is that it requires very little changes to underlying databases. Despite using encrypted queries and encrypted mediation, we demonstrate that PACT provides acceptable performance.

View PDFchevron_right
Towards FAIR Data Access
cesare concordia

Research Ideas and Outcomes

Background In the past decade many different national, EU and global projects have been successful in raising awareness about Open Science and the importance of making data findable and accessible such as stated in the FAIR principles (Wilkinson et al. 2016). In this respect, there have been many advances with respect to options for discovering data. A multitude of either thematic or general catalogues are providing faceted browsing interfaces for humans and Application Programming Interfaces (APIs) for use by machines and similarly, data-citations in publications offer references to resources hosted by repositories. However, using such catalogues and data-citations, researchers are not guaranteed to obtain access to the data itself. Mostly the resource link in the catalogue (and also in the metadata) or citation is a “landing-page”, a description of the resource meant for human consumption. The landing-page may contain instructions how to access or download the resource itself but ...

View PDFchevron_right
Leveraging Ontologies upon a Holistic Privacy-Aware Access Control Model
Joaquin Alfaro

Lecture Notes in Computer Science, 2014

Access control is a crucial concept in both ICT security and privacy, providing for the protection of system resources and personal data. The increasing complexity of nowadays systems has led to a vast family of solutions fostering comprehensive access control models, with the ability to capture a variety of parameters and to incorporate them in the decision making process. However, existing approaches are characterised by limitations regarding expressiveness. We present an approach that aims at overcoming such limitations. It is fully based on ontologies and grounded on a rich in semantics information model. The result is a privacy-aware solution that takes into consideration a variety of aspects and parameters, including attributes, context, dependencies between actions and entities participating therein, as well as separation and binding of duty constraints.

View PDFchevron_right
Building a Fair System Using Access Rights
Nada Essaouini

The law of computer and freedoms specifies that the access to personal data is a right that must be ensured. Indeed, this law provides sanctions when this right is violated. It is important to preserve this access right because it allows people to verify the accuracy of their personal data and thus, emit a rectification request or ask for the deletion of this data if it is necessary. In this paper, we propose a formal model which enables to extend security policies with right rules in order to express access right. In our approach, we make a distinction between access permission and access right and propose a semantics of a guaranteed right and means to detect violations. The model is based on the situation calculus. It allows, through planning tools, to provide an off-line policy analysis in order to detect in advance the situations which prevent a right to be exercised. In addition to the concept of secure system which is defined as a system that meets the requirements of access control, we propose to introduce the concept of a fair system that meets the requirements of the access right. We formalize this notion and give a characteristic which enables to prove if a system specification is fair with respect to right requirements.

View PDFchevron_right
Access Control via Lightweight Ontologies
Bruno Crispo

2011

The paper presents Relation Based Access Control RelBAC, a model and a logic for access control which models communities, possibly nested, and resources, possibly organized inside complex file systems, as lightweight ontologies, and permissions as relations between subjects and objects. RelBAC allows us to represent expressive access control rules beyond the current state of the art, and to deal with the strong dynamics of subjects, objects and permissions which arise in Web 2.0 applications (e.g. social networks). Finally, as shown in the paper, using RelBAC, it becomes possible to reason about access control policies and, in particular to compute candidate permissions by matching subject ontologies (representing their interests) with resource ontologies (describing their characteristics).

View PDFchevron_right
A proposal for Ontology Security Standards
Muhammad Reza

2008

Semantic technologies, such as RDF (Resource Description Framework) and OWL (Web Ontology Language), are being widely used to store information. Ontology is mostly used in semantic platforms or embedded in other applications as a repository system. Data is the most crucial asset of information systems, and ontology can be used as a data repository, so it should be well protected. Trust, proof and security are three major aspects of semantic systems which are less investigated and are mostly afterthoughts of the semantic web. In this paper security problem(s) of ontology, as a layer of the semantic web, is discussed.

View PDFchevron_right
Personalizable Ontology Based Access Control
Okan Bursa, Ozgu Can

Gazi University Journal of …, 2010

The main idea of Semantic Web is creating web pages which are also understood by machines and using ontologies to unify data. Improving a secure Semantic Web is one of the main works in Semantic Web research area. For this purpose, policies are used. Policy is a set of rules and provides an access control mechanism for a resource without making any change in that resource. Policy management in Semantic Web is used to define rules for accessing a resource and to provide users to interpret and comply with these rules. One of the key features to develop successful personalized Semantic Web applications is to build user profiles. In this paper, we developed an Ontology-Based Access Control (OBAC) model. This model represents domain and profile information semantically and has a profile based policy approach in order to achieve a personalized policy management for Semantic Web. We store personal information in profiles and model this information semantically to make it part of access control model. Thus, we created two kinds of policies: domain and profile based policies. We implemented an Ontology-Based Access Control application which creates, modifies, and deletes policy ontologies. Policy conflicts are also resolved to provide fine-grained policies in OBAC model. The main contributions of this work are: defining semantically rich resource and entity policies for an Ontology-Based Access Control mechanism and making use of these policies in terms of the personalization scope.

View PDFchevron_right
A Model-driven Approach to enable Access Control for Ontologies
Willy Chen

2009

Currently, the adoption of these technologies in large-scaled applications within enterprises is slowed down by their failure to meet some basic requirements of commercial applications. One of those is the support of sophisticated security policies for protecting the knowledge contained in ontologies and their instances from unauthorized use. In this paper, we propose a model-driven approach to enable access control for lightweight ontologies based on a role-based security model and well-known standard technologies.

View PDFchevron_right
Semantics-aware privacy and access control: Motivation and preliminary results
Ernesto Damiani

2004

Abstract Semantic Web languages like OWL and RDFS promise to be viable means for representing metadata describing users and resources available over the Internet. Recently, interest has been raised on the use of such languages to represent individual data items contained in Personally Identifiable Information (PII), supporting fine-grained release. To achieve this goal, the informative content of a credential must be dissected into atomic components so that users can selectively single out those to be released.

View PDFchevron_right
SecurOntology: A semantic web access control framework
Angel Garcia Crespo

Computer Standards & Interfaces, 2011

Security and privacy are key concerns on the Internet. Policies representing resource access based on knowledge-oriented descriptions have gained momentum with the emergence of semantic technologies. Traditional access control frameworks were syntactic and error prone, lacking the necessary expressivity and efficiency of a solution where soundness and completeness of the underlying logics in access control descriptions could be critical to harness their potential. In this paper, SecurOntology is presented. SecurOntology encompasses a three-fold strategy: an ontology for access control, a logical declarative framework and a software architecture as a proof-of-concept of the advantages of this solution.

View PDFchevron_right

References (24)

  1. T. Berners-Lee. Information management: A proposal. (1990). Available at: https://www.w3.org/History/1989/ proposal.html.
  2. T. Berners-Lee, J. Hendler & O. Lassila. The semantic web. Scientific American 284(5) (2001), 34-43. Available at: http://www.sciam.com/article.cfm?articleID=00048144-10D2-1C70-84A9809EC588EF21.
  3. C. Bizer, T. Heath & T. Berners-Lee. Linked data -The story so far. International Journal on Semantic Web and Information Systems 5(3)(2009), 1-22. doi:10.4018/jswis.2009081901.
  4. B. Mons, C. Neylon, J. Velterop, M. Dumontier, L.O. Bonino da Silva Santos & M.D. Wilkinson. Cloudy, increasingly FAIR; revisiting the FAIR Data guiding principles for the European Open Science Cloud. Information Services & Use 37 (2017), 49-56. doi:10.3233/ISU-170824.
  5. M.D. Wilkinson, M. Dumontier, Ij.J. Aalbersberg, G. Appleton, M. Axton, A. Baak, … & B. Mons. The FAIR guiding principles for scientific data management and stewardship. Scientific Data 3(2016), 160018. doi: 10.1038/sdata.2016.18.
  6. W. Safire. You are a suspect, The New York Times. (2002). Available at: https://www.nytimes.com/2002/11/14/ opinion/you-are-a-suspect.html.
  7. S. Wood. The paradox of police data. KULA: Knowledge Creation, Dissemination, and Preservation Studies 2(2018), 9. doi:10.5334/kula.34.
  8. P. James. Dark net marketplace data (Agora 2014-2015). (2017). Available at: https://kaggle.com/ philipjames11/dark-net-marketplace-drug-data-agora-20142015.
  9. Apache Jena -Apache Jena Fuseki, Apache, 2018. Available at: https://jena.apache.org/documentation/ fuseki2/.
  10. B. Parducci, H. Lochhart & R. Levinson (eds.) OASIS eXtensible access control Markup Language (XACML) TC. (2017). Available at: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
  11. AuthZForce (Community Edition) -Authzforce, 2019. Available at: https://authzforce.ow2.org/.
  12. E. Yuan & J. Tong. Attributed based access control (ABAC) for Web services. In: IEEE International Conference on Web Services (ICWS'05), 2005, pp. 561-569. doi:10.1109/ICWS.2005.25.
  13. V.C. Hu, D. Ferraiolo, R. Kuhn, A. Schnitzer, K. Sandlin, R. Miller & K. Scarfone. Guide to attribute based access control (ABAC) definition and considerations, National Institute of Standards and Technology, 2014. doi:10.6028/NIST.SP.800-162.
  14. T. Priebe, W. Dobmeier & N. Kamprath. Supporting attribute-based access control with ontologies. In: The First International Conference on Availability, Reliability and Security (ARES'06), 2006, pp. 465-472. doi:10.1109/ARES.2006.127.
  15. H. Shen. A semantic-aware attribute-based access control model for Web services. In: A. Hua & S.-L. Chang (eds.) Algorithms and Architectures for Parallel Processing. Berlin: Springer, 2009, pp. 693-703.
  16. N.K. Sharma & A. Joshi. Representing attribute based access control policies in OWL. In: 2016 IEEE Tenth International Conference on Semantic Computing (ICSC), 2016, pp. 333-336. doi:10.1109/ICSC.2016.16.
  17. A. Padia, T. Finin & A. Joshi. Attribute-based fine grained access control for triple stores. In: The 3rd Society, Privacy and the Semantic Web -Policy and Technology Workshop, the 14th International Semantic Web Conference, 2015. Available at: https://ebiquity.umbc.edu/paper/abstract/id/706/Attribute-based-Fine- Grained-Access-Control-for-Triple-Stores.
  18. M. Console & M. Lenzerini. Data quality in ontology-based data access: The case of consistency. In: The Twenty-Eighth AAAI Conference on Artificial Intelligence, 2014, pp. 1020-1026. Available at: https://www. aaai.org/ocs/index.php/AAAI/AAAI14/paper/view/8552.
  19. Ontology-based Access Control for FAIR Data
  20. P. Holub, F. Kohlmayer, F. Prasser, M.Th. Mayrhofer, I. Schlünder, G.M. Martin,… & J.-E. Litton. Enhancing reuse of data and biological material in medical research: From FAIR to FAIR-Health. Biopreservation and Biobanking 16(2)(2018), 97-105. doi:10.1089/bio.2017.0110.
  21. M. Corpas, N.V. Kovalevskaya, A. McMurray & F.G.G. Nielsen. A FAIR guide for data providers to maximize sharing of human genomic data. PLOS Computational Biology 14 (2018), e1005873. doi:10.1371/journal. pcbi.1005873.
  22. I. Singh, M. Kuscuoglu, D.M. Harkins, G. Sutton, D.E. Fouts & K.E. Nelson. OMeta: An ontology-based, data- driven metadata tracking system. BMC Bioinformatics 20(2019), 8. doi:10.1186/s12859-018-2580-9.
  23. A. Landi, M. Thompson, V. Giannuzzi, F. Bonifazi, I. Labastida, L.O. Bonino da Silva Santos & M. Roos. The "A" of FAIR -as open as possible, as closed as necessary. Data Intelligence 2(2020), 47-55. doi: 10.1162/ dint_a_00027.
  24. I. Labastida & T. Margoni. Licensing FAIR data for reuse. Data Intelligence 2(2020), 199-207. doi: 10.1162/ dint_a_00042.

Related papers

A FAIRification Framework for the Findability, Accessibility, Interoperability and Reusability of Cyber Security Ontologies Using FAIR Data Principles
Hlomani Hlomani

International journal of advanced networking and applications, 2024

This paper proposes a FAIR-inspired framework for integrated cyber security ontologies that offers a systematic approach to applying FAIR data principles in the field of cyber security. The framework is developed based on a combination of adopted research and incorporates the FAIRification process. This FAIRification process is instrumental in guiding the development of cyber security ontology models, which are essential for realizing the principles of Findability, Accessibility, Interoperability, and Reusability. The framework addresses the absence of applied FAIR standards in existing cyber security ontology models, utilizing sampled cyber security models as reference systems for source data. The resulting cyber security ontology models create a virtual data warehouse, integrating data from domain experts and existing models. The FAIRification process emphasizes collaboration among cyber security stakeholders, including private and public entities, analysts, engineers, and administrators, to ensure the meaningful interpretation of data based on cyber security ontologies. Detailed discussions within the framework cover the FAIR principles, outlining specific criteria for Findability, Accessibility, Interoperability, and Reusability. Notably, the framework emphasizes the importance of formal, accessible, shared, and broadly applicable language for knowledge representation in achieving Interoperability. Further components of the framework involve the curation and validation of data, development of cyber security ontology data models, and the creation of ontology metadata models. These models play a crucial role in making cyber security data Findable, Accessible, and Reusable, aligning with the FAIR principles. Additionally, data management systems, including the dataset integration system and resource metadata system, are introduced to facilitate the integration and annotation of ontologized data. The framework's use of a data triplestore, FAIR data, and the grlc server enhances the Accessibility of cyber security data on the web. The triplestore represents knowledge graphs in RDF, allowing for efficient querying through SPARQL. The grlc server further facilitates the generation of web APIs, making cyber security data Accessible in an open, free, and universally implementable manner.

View PDFchevron_right
Revisiting Ontology Based Access Control: The Case for Ontology Based Data Access
Ozgu Can

Proceedings of the 8th International Conference on Information Systems Security and Privacy, 2022

Ontology Based Data Access (OBDA) is a semantic paradigm to perform a mapping between an ontology and a data source for querying heterogeneous data sources. The result of this mapping ensures data access and data integration. Therefore, OBDA allows to query various datasets and provides data virtualization by integrating multiple and varied data sources. Ontology Based Access Control (OBAC) enables the realization of an access control mechanism by using Semantic Web technologies. OBAC allows to model the access control knowledge and uses domain knowledge to create policy ontologies. This paper revisits the OBAC approach by considering the OBDA to query legacy data that are stored in different types of data sources. For this purpose, OBAC is examined within the scope of OBDA and a conceptual model is proposed to extend OBAC with OBDA to provide data virtualization and to consolidate users' access privileges. Thus, security and management of complex information systems could be carried out by using Semantic Web technologies.

View PDFchevron_right
An Access Control Model for Linked Data
Nicolas Delaforge, Fabien Gandon

Lecture Notes in Computer Science, 2011

Linked Open Data refers to a set of best practices for the publication and interlinking of structured data on the Web in order to create a global interconnected data space called Web of Data. To ensure the resources featured in a dataset are richly described and, at the same time, protected against malicious users, we need to specify the conditions under which a dataset is accessible. Being able to specify access terms should also encourage data providers to publish their data. We introduce a lightweight vocabulary, called Social Semantic SPARQL Security for Access Control Ontology (S4AC), allowing the definition of fine-grained access control policies formalized in SPARQL, and enforced when querying Linked Data. In particular, we define an access control model providing the users with means to define policies for restricting the access to specific RDF data, based on social tags, and contextual information.

View PDFchevron_right
Ontologies and Rules for Access Control: a Feature Oriented Survey
Yannick Chevalier

HAL (Le Centre pour la Communication Scientifique Directe), 2022

Access-control systems are key components to guarantee the security and confidentiality of resource repositories. Most access-control systems that are today de facto standards were designed before the generalization of cloud services and Internet of Things. Such systems are particularly heavy to maintain in today's context, which gave rise to more flexible approaches based on logical description using semantic web technologies. In this paper, we propose a survey of these semantic approaches. Although this survey does not aim at being exhaustive, it offers the reader an overview of the main trends and their limitations.

View PDFchevron_right
Access Control for Shared Ontologies
Daniel Buehrer

International Journal of Electronic Commerce Studies, 2013

Entities and their relationships for various fields of specialization can be described by ontologies. For example, the classes, relationships, and methods for designing a virus may be put into a Protégé ontology. If that design is to be integrated with a missile design, it will require a standard way of sharing and cross-referencing both classes and objects of the ontologies. This should be done in a secure way which only allows access to specified researchers using specified classes, relations, methods, and documentation. In this paper, we introduce a framework for ontology sharing that enables ontologies to easily be deployed on the web. Kernel0 is the ontology of classes, relations, attributes, and objects. It describes its own typing constraints and meta-data in the same way as data. Objects can have relationships to objects of other ontologies. Kernel-1 authorization definitions in our framework are able to dynamically determine the permissions of each user or group for queried objects. Our authorization has the ability to perform inferences via IS-A inheritance and by evaluating implicit relations and operator definitions. All modifications of values in the knowledge base are checked for both appropriate authorization and satisfaction of all typing constraints.

View PDFchevron_right

Related topics

  • Computer Science
  • Ontology
  • Semantic Technology
  • Data Intelligence

    • Cited by

    Data sharing in agricultural supply chains: Using semantics to enable sustainable food systems
    Christopher Brewster

    Semantic Web

    The agrifood system faces a great many economic, social and environmental challenges. One of the biggest practical challenges has been to achieve greater data sharing throughout the agrifood system and the supply chain, both to inform other stakeholders about a product and equally to incentivise greater environmental sustainability. In this paper, a data sharing architecture is described built on three principles (a) reuse of existing semantic standards; (b) integration with legacy systems; and (c) a distributed architecture where stakeholders control access to their own data. The system has been developed based on the requirements of commercial users and is designed to allow queries across a federated network of agrifood stakeholders. The Ploutos semantic model is built on an integration of existing ontologies. The Ploutos architecture is built on a discovery directory and interoperability enablers, which use graph query patterns to traverse the network and collect the requisite da...

    View PDFchevron_right
    How Patient Organizations Can Drive FAIR Data Efforts to Facilitate Research and Health Care: A Report of the Virtual Second International Meeting on Duchenne Data Sharing, March 3, 2021
    Elizabeth Vroom

    Journal of Neuromuscular Diseases, 2021

    Background: For patients with rare diseases such as Duchenne and Becker muscular dystrophy (DMD/BMD), access to their health data is key to being able to advocate for themselves and be in control of their care. Since 2018, the DMD/BMD patient community has been committed to making DMD/BMD-related data FAIR, i.e., Findable, Accessible, Interoperable, and Reusable. On March 3, 2021, the second international meeting on FAIR data sharing for DMD/BMD was held virtually. Objective: The aim of this meeting report is to summarize the presentations and discussions of the meeting. Methods: During this meeting, the progress of FAIRification efforts since the first international meeting in 2019, new developments, stakeholder perspectives, and experiences from implementing FAIR data principles in practice were presented and discussed. Results: Over 120 attendees representing various stakeholder groups (ie, patient organizations, clinicians, clinical and academic researchers, pharmaceutical compa...

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved