Inverting Proof Systems for Secrecy under OWA Giora Slutzki - PowerPoint PPT Presentation

Inverting Proof Systems for Secrecy under OWA Giora Slutzki Department of Computer Science Iowa State University Ames, Iowa 50010 slutzki@cs.iastate.edu May 9th, 2010 Jointly with Jia Tao and Vasant Honavar G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 1 / 34

Knowledge Representation Knowledge Representation Knowledge representation (KR) mechanisms aim to provide a high level description of a given application domain with the goal of facilitating construction of intelligent applications. Representation formalisms based on logic turn out to be eminently suitable because well-defined syntax 1 formal semantics 2 support development of adequate reasoning services 3 G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 2 / 34

Description Logic Description Logics Description Logics Description logics (DLs) are a family of logic based Knowledge Representation formalisms. DLs describe domain in terms of concepts (classes), roles (binary relationships) and individuals (objects). Decidable fragments of FOL. Closely related to Propositional Modal Logics. Formal semantics for DLs are typically model theoretic. G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 3 / 34

Description Logic Description Logic EL EL — Concept Expressions and Roles Vocabulary: N O , N C , N R Syntax and semantics: interpretation I = (∆ , · I ) Syntax Semantics ⊤ I = ∆ ⊤ a I ∈ ∆ a A I ⊆ ∆ A r I ⊆ ∆ × ∆ r C I ∩ D I C ⊓ D { x ∈ ∆ | ∃ y : ( x , y ) ∈ r I ∧ y ∈ C I } ∃ r . C Example: C ⊓ D , ∃ r . ( C ⊓ ∃ s . D ) G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 4 / 34

Description Logic Description Logic EL EL — Formulae and Knowledge Bases EL formulae are of the form Syntax Semantics C I ⊆ D I C ⊑ D a I ∈ C I C ( a ) ( a I , b I ) ∈ r I r ( a , b ) EL -knowledge base: Σ = �A , T � A : a finite non-empty set of assertions (ABox); T : a finite set of subsumptions (TBox). G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 5 / 34

Description Logic DL Reasoning Services DL Reasoning Services KB-satisfiability: Σ is satisfiable if it has a model Concept-satisfiability: C is satisfiable w.r.t. Σ if there is a model of Σ where the interpretation of C is not empty Subsumption: C is subsumed by D w.r.t. Σ if for every model of Σ , the interpretation of C is a subset of that of D Query-answering: a is an instance of C if the assertion C ( a ) is true in every model of Σ G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 6 / 34

Query Answering Query Answering Given a KB Σ = �A , T � , its main goal is to answer user queries. Here we assume that queries are assertions. G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 7 / 34

Query Answering Proof System for A* Proof System for A ∗ if C 1 ⊓ · · · ⊓ C k ( a ) ∈ A ∗ and C i ( a ) / ⊓ A ∈ A ∗ , 1 -rule: then A ∗ := A ∗ ∪ { C i ( a ) } where 1 ≤ i ≤ k ; ⊓ A if { C 1 ( a ) , ..., C k ( a ) } ⊆ A ∗ , C 1 ⊓ · · · ⊓ C k ∈ Sub C 2 -rule: ∈ A ∗ , and C 1 ⊓ · · · ⊓ C k ( a ) / then A ∗ := A ∗ ∪ { C 1 ⊓ · · · ⊓ C k ( a ) } ; ∃ A if { r ( a , b ) , C ( b ) } ⊆ A ∗ , ∃ r . C ∈ Sub C 1 -rule: ∈ A ∗ , then A ∗ := A ∗ ∪ {∃ r . C ( a ) } ; and ∃ r . C ( a ) / if ∃ r . C ( a ) ∈ A ∗ and ∄ b ∈ O ∗ such that ∃ A 2 -rule: { r ( a , b ) , C ( b ) } ⊆ A ∗ , then A ∗ := A ∗ ∪ { r ( a , c ) , C ( c ) } where c is fresh , and O ∗ := O ∗ ∪ { c } ; ⊑ T -rule: if C ( a ) ∈ A ∗ , C ⊑ D ∈ T and D ( a ) / ∈ A ∗ , then A ∗ := A ∗ ∪ { D ( a ) } . Theorem: The above proof system is sound and complete. G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 8 / 34

Query Answering Query Answering under OWA Query Answering under OWA Open World Assumption (OWA) The knowledge of the world is incomplete. Under OWA, if a statement cannot be proven by the reasoner, we do not conclude that it is false. Instead, we view the status of such statements as “Unknown”. Based on OWA, the answer to a query C ( a ) posed to the knowledge base Σ is defined as Yes, if Σ ⊢ C ( a ) , Unknown, otherwise. G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 9 / 34

Query Answering Secrecy-preserving Reasoning Secrecy-preserving Reasoning OWA: the KB has incomplete information. Main Idea of Secrecy-preserving Reasoning: A secrecy-preserving reasoner must answer “Unknown” to every query whose secrecy must be protected. Because of OWA, querying agents are not able to distinguish between the information that is unknown to the reasoner and the information that the reasoner needs to protect. Goal: To answer queries as informatively as possible without compromising secret information. G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 10 / 34

Query Answering Secrecy-preserving Reasoning Secrecy Envelopes Let S ⊆ A ∗ be a set of assertions whose secrecy must be protected. Secrecy Envelope E S ( A ∗ \ E S ) ∗ ∩ S = ∅ S ⊆ E S and Tight Envelope E t S (( A ∗ \ E t S ) ∪ { α } ) ∗ ∩ S � = ∅ . ∀ α ∈ E t S , Need good algorithms for computing secrecy envelopes. G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 11 / 34

Example Example: the knowledge base Σ Σ = �A , T � T = {∃ r . ( A ⊓ D ) ⊑ C , B ⊑ ∃ r . D , ∃ r . D ⊑ C , C ⊑ E } A = { A ( a ) , B ( a ) , D ( a ) , C ( a ) , r ( a , a ) , r ( a , b ) , D ( b ) } T ∗ B ⊑ C , B ⊑ E , B ⊑ ∃ r . D C ⊑ E A ⊓ D ⊑ A , A ⊓ D ⊑ D ∃ r . ( A ⊓ D ) ⊑ C , ∃ r . ( A ⊓ D ) ⊑ E , ∃ r . ( A ⊓ D ) ⊑ ∃ r . D ∃ r . D ⊑ C , ∃ r . D ⊑ E A ∗ A ∪ { A ⊓ D ( a ) , E ( a ) , ∃ r . D ( a ) , ∃ r . ( A ⊓ D )( a ) } G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 12 / 34

Example A Redundant Envelope Example: a redundant envelope The secrecy set S = { A ⊓ D ( a ) , E ( a ) } A ∗ = { A ( a ) , B ( a ) , D ( a ) , C ( a ) , r ( a , a ) , r ( a , b ) , D ( b ) , A ⊓ D ( a ) , E ( a ) , ∃ r . D ( a ) , ∃ r . ( A ⊓ D )( a ) } The secrecy envelope E 1 A ⊓ D ( a ) G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 13 / 34

Example A Redundant Envelope Example: a redundant envelope The secrecy set S = { A ⊓ D ( a ) , E ( a ) } A ∗ = { A ( a ) , B ( a ) , D ( a ) , C ( a ) , r ( a , a ) , r ( a , b ) , D ( b ) , A ⊓ D ( a ) , E ( a ) , ∃ r . D ( a ) , ∃ r . ( A ⊓ D )( a ) } The secrecy envelope E 1 A ⊓ D ( a ) , A ( a ) choose A ( a ) G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 14 / 34

Example A Redundant Envelope Example: a redundant envelope The secrecy set S = { A ⊓ D ( a ) , E ( a ) } A ∗ = { A ( a ) , B ( a ) , D ( a ) , C ( a ) , r ( a , a ) , r ( a , b ) , D ( b ) , A ⊓ D ( a ) , E ( a ) , ∃ r . D ( a ) , ∃ r . ( A ⊓ D )( a ) } The secrecy envelope E 1 A ⊓ D ( a ) , A ( a ) E ( a ) G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 15 / 34

Example A Redundant Envelope Example: a redundant envelope The secrecy set S = { A ⊓ D ( a ) , E ( a ) } A ∗ = { A ( a ) , B ( a ) , D ( a ) , C ( a ) , r ( a , a ) , r ( a , b ) , D ( b ) , A ⊓ D ( a ) , E ( a ) , ∃ r . D ( a ) , ∃ r . ( A ⊓ D )( a ) } The secrecy envelope E 1 A ⊓ D ( a ) , A ( a ) E ( a ) , B ( a ) because B ⊑ E ∈ T ∗ G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 16 / 34

Example A Redundant Envelope Example: a redundant envelope The secrecy set S = { A ⊓ D ( a ) , E ( a ) } A ∗ = { A ( a ) , B ( a ) , D ( a ) , C ( a ) , r ( a , a ) , r ( a , b ) , D ( b ) , A ⊓ D ( a ) , E ( a ) , ∃ r . D ( a ) , ∃ r . ( A ⊓ D )( a ) } The secrecy envelope E 1 A ⊓ D ( a ) , A ( a ) E ( a ) , B ( a ) , C ( a ) because C ⊑ E ∈ T ∗ G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 17 / 34

Example A Redundant Envelope Example: a redundant envelope The secrecy set S = { A ⊓ D ( a ) , E ( a ) } A ∗ = { A ( a ) , B ( a ) , D ( a ) , C ( a ) , r ( a , a ) , r ( a , b ) , D ( b ) , A ⊓ D ( a ) , E ( a ) , ∃ r . D ( a ) , ∃ r . ( A ⊓ D )( a ) } The secrecy envelope E 1 A ⊓ D ( a ) , A ( a ) E ( a ) , B ( a ) , C ( a ) , ∃ r . ( A ⊓ D )( a ) because ∃ r . ( A ⊓ D ) ⊑ E ∈ T ∗ G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 18 / 34

Example A Redundant Envelope Example: a redundant envelope The secrecy set S = { A ⊓ D ( a ) , E ( a ) } A ∗ = { A ( a ) , B ( a ) , D ( a ) , C ( a ) , r ( a , a ) , r ( a , b ) , D ( b ) , A ⊓ D ( a ) , E ( a ) , ∃ r . D ( a ) , ∃ r . ( A ⊓ D )( a ) } The secrecy envelope E 1 A ⊓ D ( a ) , A ( a ) E ( a ) , B ( a ) , C ( a ) , ∃ r . ( A ⊓ D )( a ) , ∃ r . D ( a ) because ∃ r . D ⊑ E ∈ T ∗ G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 19 / 34

Example A Redundant Envelope Example: a redundant envelope The secrecy set S = { A ⊓ D ( a ) , E ( a ) } A ∗ = { A ( a ) , B ( a ) , D ( a ) , C ( a ) , r ( a , a ) , r ( a , b ) , D ( b ) , A ⊓ D ( a ) , E ( a ) , ∃ r . D ( a ) , ∃ r . ( A ⊓ D )( a ) } The secrecy envelope E 1 A ⊓ D ( a ) , A ( a ) E ( a ) , B ( a ) , C ( a ) , ∃ r . ( A ⊓ D )( a ) , ∃ r . D ( a ) , D ( a ) because { r ( a , a ) , D ( a ) } ⊆ A ∗ and we choose D ( a ) G. Slutzki (ISU) Inverting Proof Systems for Secrecy May 9th, 2010 20 / 34