AIR Policy Language

• rule-based policy language for accountability and access control
• integrated explanations for policy decisions through dependency tracking
• more efficient and expressive reasoning through the use of goal direction
• grounded in Semantic Web technologies for greater interoperability, reusability, and extensibility

Importance of Explanations

• Explanations for policy decisions allow users to understand how the results were obtained
• Increase trust in the policy reasoning and enforcement process
• Used by policy administrators to confirm the correctness of the policy and to check that the result is as expected
• In the case of failed queries, they can be used to figure out what additional information is required for success
• Dependency tracking during reasoning process provides integrated justification support

DenyServiceEvent is not compatible with MA Disability
		  Discrimination Law

Importance of Explanations

• Explanations for policy decisions allow users to understand how the results were obtained
• Increase trust in the policy reasoning and enforcement process
• Used by policy administrators to confirm the correctness of the policy and to check that the result is as expected
• In the case of failed queries, they can be used to figure out what additional information is required for success
• Dependency tracking during reasoning process provides integrated justification support

DenyServiceEvent is not compatible with MA Disability
		  Discrimination Law

Denial of service based on health information

Dependency Tracking

• specific set of premises from which any conclusion/policy decision was derived is an effective explanation for the conclusion
• these premises are called the set of dependencies and dependency tracking is the process of maintaining dependency sets for derived conclusions
• We use Truth Maintenance System (TMS) for tracking dependencies of conclusions
  • keeps track of the logical structure of a derivation
  • has ability to assume and retract hypothetical premises
• Explanations are automatically generated by extracting and presenting relevant information from dependencies

AIR specifications

Each AIR policy consists of one or more rules policy = { rule } A rule is made up of a pattern that when matched causes an action to be fired. Optional: description, justification rule = { pattern, action [ description justification ]} An action can either be an assertion, which is a set of facts that are added to the knowledge base or a nested rule action = { assertion | rule } :MyFirstPolicy a air:Policy; air:rule [ air:pattern { ... }; air:assertion { ... }; air:rule [ ... ] ].

How AIR fits into our accountability framework

Accountability allows violators of applicable privacy policies to be identified and held accountable Privacy usage restrictions and resource access control policies are specified in AIR User's actions within the framework are captured and annotated transaction logs are maintained Policy compliance over transaction logs can be checked using the AIR reasoner

Demo Scenario

In order to prevent an epidemic, CDC contacts everyone whom an unconscious tubercolsis patient could have been in contact with people he works with, his choir, the members of his scout troop, people he has called, who have called him CDC gets his phone records from XPhone Sometime later Bob Same has phone troubles and calls XPhone to schedule an appt The customer service operator sees that CDC had obtained his records and infers that he must have some contagious disease So she refuses to schedule a repairman

MA Disability Discrimination Law

No otherwise qualified handicapped individual shall, solely by reason of his handicap, be excluded from participation in, be denied the benefits of, or be subject to discrimination under any program or activity within the Commonwealth

More info: http://www.mass.gov/legis/const.htm#cart114.htm

:MA_Disability_Discrimination_Policy a air:Policy;
   air:variable :EVENT, :REQUESTER, :ACTOR, :REASON, :REQUEST, :INSTRUCTION;
   air:rule [
       air:pattern {
          :EVENT a tami:RefuseRequest;
              tami:reply-to :REQUEST;
              tami:receiver :REQUESTER;
              tami:reason :REASON.
       };
       air:rule [
           air:pattern {
                :REQUEST tami:instruction :INSTRUCTION;
                                    a tami:Request.
                 :INSTRUCTION tami:intended_beneficiary :REQUESTER;
                                    a tami:BenefitInstruction.
                 :REQUESTER tami:location tami:MA.
           };
           air:rule [
               air:pattern { :EVENT a tami:RefuseRequest;
                                tami:reason :REASON.
                             :REASON tami:category tami:HealthInformation };
               air:assert { :EVENT air:non-compliant-with :MA_Disability_Discrimination_Policy }
           ]
      ];
   ].

AIR Demo

• Install Tabulator Extension: http://www.w3.org/2005/ajar/tab
• Remote
  • Call reasoner on web server with remote log and policy
  • Invoking reasoner:

    http://mr-burns.w3.org/cgi-bin/server_cgi.py?logFile="name of log file"&rulesFile="name of policy file"

  • View justification: JustificationUI
• Local
  • execute python reasoner on commandline with local log and policy
  • load output generated in firefox extension (load)

AIR Demo Screenshot

Recap of AIR features

• automated explanations for policy decisions
• more efficient and expressive reasoning
• extraction of relevant explanation for policy decision
• presenting explanations in Justification UI

More Information

• AIR specifications: http://dig.csail.mit.edu/TAMI/2007/AIR/
• AIR ontology: http://dig.csail.mit.edu/TAMI/2007/amord/air.ttl
• Paper on AIR submitted to IEEE Policy 2008: Integrated Policy Explanations via Dependency Tracking
• TAMI/E2ESA: http://dig.csail.mit.edu/TAMI/
• Details of scenario: http://dig.csail.mit.edu/TAMI/2007/s9/
• Improving UI: DIG blog entry