Accountability and AIR Policy Language

Lalana Kagal

Oshani Seneviratne

13 May 2008

Decentralized Information Group
MIT Computer Science and Artificial Intelligence Laboratory

Protection Strategies for Open Information Systems

  • Excesses and abuses in the use of information are most commonly considered problems of information security
  • Access control is simply not enough
  • Privacy-preserving strategies are themselves vulnerable
  • Our solution: Providing accountability by checking policy compliance and identifying violations

Information Accountability

  • When information has been used, it should be possible to determine what happened, and to pinpoint use that is inappropriate
  • Rules and law should govern how information is used: "It is illegal to consider health status of applicant or her family in hiring decisions"
  • Interactions with data are logged in order to provide possibility of machine-assisted human-driven accountability

Information Accountability

  • Audit logging
  • Policy specification language
    • describe rules governing appropriate use
  • Accountability reasoning tools

The Web today

Web Architecture

The Web with Information Accountability Mechanisms

Web Architecture with Information Accountability
  • Policy Aware Transaction Logs
  • Policy Language Framework (AIR - Accountability In RDF)
  • Policy Reasoning Tools

AIR Policy Language

  • rule-based policy language for accountability and access control
  • automatic explanations for policy decisions through dependency tracking
  • customizable explanations, if required
  • more efficient and expressive reasoning through the use of goal direction
  • grounded in Semantic Web technologies for greater interoperability, reusability, and extensibility

Importance of Explanations

  • Explanations for policy decisions allow users to understand how the results were obtained
  • Increase trust in the policy reasoning and enforcement process
  • Used by policy administrators to confirm the correctness of the policy and to check that the result is as expected
  • In the case of failed queries, they can be used to figure out what additional information is required for success
  • Dependency tracking during reasoning process provides integrated justification support
    Example explanation shown on the slide: "DenyServiceEvent is not compatible with MA Disability Discrimination Law" (denial of service based on health information)

Dependency Tracking

  • The specific set of premises from which a conclusion or policy decision was derived is an effective explanation for that conclusion
  • These premises are called the dependency set; dependency tracking is the process of maintaining dependency sets for derived conclusions
  • We use Truth Maintenance System (TMS) for tracking dependencies of conclusions
    • keeps track of the logical structure of a derivation
    • has ability to assume and retract hypothetical premises
  • Explanations are automatically generated by extracting and presenting relevant information from dependencies

AIR specifications

  • Each AIR policy consists of one or more rules
    policy = { rule }
  • A rule is made up of a pattern that when matched causes an action to be fired. Optional: description, justification
    rule = { pattern, action [ description justification ]}
  • An action can either be an assertion, which is a set of facts that are added to the knowledge base or a nested rule
    action = { assertion | rule }
     :MyFirstPolicy a air:Policy;
         air:rule [
             air:pattern { ... };
             air:assertion { ... };
             air:rule [ ... ]
         ].
AIR ontology

Simple AIR Example

All DIG members are allowed to view resources owned by the DIG group
:DIGPolicy a air:Policy;
  air:rule :DAP-1.

:DAP-1 a air:BeliefRule;
   rdfs:label "DIG Rule #1";
   air:pattern {
       :REQ a air:Request;
            foaf:openid :REQUESTER;
            air:resource :RESOURCE.
       :DIG data:owns :RESOURCE.
   };
   air:description (:REQ " is a request made by a requester with openid, " :REQUESTER ", for DIG resource " :RESOURCE);
   air:rule :DAP-2.

:DAP-2 a air:BeliefRule;
   rdfs:label "DIG Rule #2";
   air:pattern {
       :DIG foaf:member :MEMBERLIST.
       :MEMBER list:in :MEMBERLIST.
       :MEMBER a foaf:Person;
               foaf:openid :REQUESTER.
   };
   air:description ("The requester with openid, " :REQUESTER ", is a DIG member");
   air:assert { :REQ air:compliant-with :DIGPolicy }.

Automatic Justification

Automatic Explanation

Overriding Automatic Justification

:SomeOtherRule a air:BeliefRule;
    air:variable :REQ, :G1;
    air:matched-graph :G1;
    air:pattern { :REQ a air:Request };
    air:rule :DAP-1.

:DAP-1 a air:BeliefRule;
    air:rule :DAP-2.

:DAP-2 a air:BeliefRule;
   rdfs:label "DIG Rule #2";
   air:pattern {
       :DIG foaf:member :MEMBERLIST.
       :MEMBER list:in :MEMBERLIST.
       :MEMBER a foaf:Person;
               foaf:openid :REQUESTER.
   };
   air:description ("The request is valid");
   air:assertion [
        air:statement { :REQ air:compliant-with :DIGPolicy };
        air:justification [
            air:rule-id :SomeOtherRule;
            air:antecedent :G1
        ]
   ].

Overriding Automatic Justification

Explicit Explanation

How AIR fits into our accountability framework

  • Accountability allows violators of applicable privacy policies to be identified and held accountable
  • Privacy usage restrictions and resource access control policies are specified in AIR
  • User's actions within the framework are captured and annotated transaction logs are maintained
  • Policy compliance over transaction logs can be checked using the AIR reasoner

TAMI Architecture

Demo Scenario

  • In order to prevent an epidemic, the CDC contacts everyone with whom an unconscious tuberculosis patient could have been in contact
    • people he works with, his choir, the members of his scout troop, people he has called and who have called him
  • The CDC gets his phone records from XPhone
  • Some time later Bob Same has phone troubles and calls XPhone to schedule an appointment
  • The customer service operator sees that the CDC had obtained his records and infers that he must have some contagious disease
  • So she refuses to schedule a repairman
Scenario 9

MA Disability Discrimination Law

No otherwise qualified handicapped individual shall, solely by reason of his handicap, be excluded from participation in, be denied the benefits of, or be subject to discrimination under any program or activity within the Commonwealth

More info: http://www.mass.gov/legis/const.htm#cart114.htm

:MA_Disability_Discrimination_Policy a air:Policy;
   air:rule [
       air:pattern {
           :EVENT a tami:RefuseRequest;
               tami:reply-to :REQUEST;
               tami:receiver :REQUESTER;
               tami:reason :REASON.
       };
       air:rule [
           air:pattern {
               :REQUEST tami:instruction :INSTRUCTION;
                        a tami:Request.
               :INSTRUCTION tami:intended_beneficiary :REQUESTER;
                            a tami:BenefitInstruction.
               :REQUESTER tami:location tami:MA.
           };
           air:rule [
               air:pattern {
                   :EVENT a tami:RefuseRequest;
                          tami:reason :REASON.
                   :REASON tami:category tami:HealthInformation
               };
               air:assert { :EVENT air:non-compliant-with :MA_Disability_Discrimination_Policy }
           ]
       ]
   ].

AIR Demo

  • Install Tabulator Extension: http://dig.csail.mit.edu/2007/tab/
  • Remote
    • Call reasoner on web server with remote log and policy
    • Invoking reasoner:
      http://mr-burns.w3.org/cgi-bin/server_cgi.py?logFile="name of log file"&rulesFile="name of policy file"
    • View justification: JustificationUI
  • Local
    • execute the Python reasoner on the command line with a local log and policy
    • load the generated output in the Firefox extension

AIR Demo Screenshot - Log

AIR log in Tabulator

AIR Demo Screenshot - Policy

AIR policy in Tabulator

AIR Demo Screenshot (Regular View)

Justification UI Screenshot

AIR Demo Screenshot (Lawyer View)

Justification UI Screenshot

AIR Contributions

  • automated explanations for policy decisions
  • more efficient and expressive reasoning
  • extraction of relevant explanation for policy decision
  • presenting explanations in Justification UI