Towards Privacy-Preserving Ontology Publishing F. Baader & A. - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Towards Privacy-Preserving Ontology Publishing

  • F. Baader & A. Nuradiansyah

Technische Universität Dresden October 27, 2018

DL 2018 October 27, 2018 1 / 1

slide-4
SLIDE 4

Privacy-Preserving Ontology Publishing

In privacy, repair may not be enough!

  • Given an ontology O, a policy P = {α₁, …, αₙ} is a finite set of axioms to be hidden, i.e., an attacker should not be able to see αᵢ as a consequence of O.
  • Suppose O ⊨ αᵢ for some αᵢ ∈ P, i.e., O does not comply with P.
  • Let O′ be a repair of O w.r.t. αᵢ such that O′ ⊭ αᵢ for all i.
  • But when O′ is published on the Web, an attacker may know an ontology O′′ such that O′′ ⊭ αᵢ, but O′ ∪ O′′ ⊨ αᵢ.
  • In this case, it is still not safe to publish O′.


slide-5
SLIDE 5

Privacy-Preserving Ontology Publishing

What people already did:

In (Cuenca Grau & Kostylev, 2016): Privacy-Preserving Data Publishing

  • Information to be published: a relational dataset with (labeled) nulls.
  • Policy is a conjunctive query.
  • Considering three privacy properties when publishing datasets: policy-compliant, policy-safety, and optimality.
  • Published information does not have background knowledge.

What we want to do:

Privacy-Preserving Ontology Publishing (PPOP)

  • Addressed in the context of Description Logic ontologies.


slide-6
SLIDE 6

PPOP with Role-Free ABoxes in EL

Starting point: EL ontologies with role-free ABoxes and empty TBoxes.

  • An ABox A is role-free if all the axioms β ∈ A are of the form D(a).
  • W.l.o.g., only one concept assertion in A speaks about one individual. If C₁(a) ∈ A and C₂(a) ∈ A, then (C₁ ⊓ C₂)(a) ∈ A.

Safe Ontologies —(reduced)→ Safe Concepts

  • Information to be published for an individual a: an EL concept C.
  • Policy is a finite set of EL concepts D₁, …, Dₚ such that Dᵢ ≢ ⊤ for all i ∈ {1, …, p}.

slide-9
SLIDE 9

Compliance, Safety, and Optimality

Given a policy P = {D₁, …, Dₚ} and an EL concept C, the EL concept C′ is

  • compliant with P if C′ ⋢ Dᵢ for all i ∈ {1, …, p};
  • safe for P if C′ ⊓ C′′ is compliant with P for all EL concepts C′′ that are compliant with P;
  • a P-compliant (safe) generalization of C if C ⊑ C′ and C′ is compliant with (safe for) P;
  • a P-optimal compliant (safe) generalization of C if C ⊑ C′, C′ is a P-compliant (safe) generalization of C, and there is no P-compliant (safe) generalization C′′ of C s.t. C′′ ⊏ C′.


slide-11
SLIDE 11

Illustration on Compliance, Safety, and Optimality

Consider a policy P = {D} specifying what information should be kept “secret” about linda:

D = Patient ⊓ ∃seen_by.(Doctor ⊓ ∃works_in.Cardiology)

Assume information C is published about linda:

C = Patient ⊓ Female ⊓ ∃seen_by.(Doctor ⊓ Male ⊓ ∃works_in.Cardiology)

Note C is not compliant with D, i.e., C ⊑ D.

Generalizing C to C₁ yields a compliant concept:

C₁ = Female ⊓ ∃seen_by.(Doctor ⊓ Male ⊓ ∃works_in.Cardiology)

But C₁ is not safe for D, since if the attacker knows Patient(linda), then C₁ ⊓ Patient ⊑ D is revealed.


slide-13
SLIDE 13

Illustration on Compliance, Safety, and Optimality

Consider a policy P = {D} specifying what information should be kept “secret” about linda:

D = Patient ⊓ ∃seen_by.(Doctor ⊓ ∃works_in.Cardiology)

Assume information C is published about linda:

C = Patient ⊓ Female ⊓ ∃seen_by.(Doctor ⊓ Male ⊓ ∃works_in.Cardiology)

Note C is not compliant with D, i.e., C ⊑ D.

Let us make it safe!

C₂ = Female ⊓ ∃seen_by.(Doctor ⊓ Male ⊓ ∃works_in.⊤)

But C₂ is still not optimal, since more information than necessary is removed.

Make it optimal!

C₃ = Female ⊓ ∃seen_by.(Doctor ⊓ Male ⊓ ∃works_in.⊤) ⊓ ∃seen_by.(Male ⊓ ∃works_in.Cardiology)


slide-19
SLIDE 19

Characterizing Compliance

Let con(C) be the set of all atoms A or ∃r.E occurring in the top-level conjunction of C.

con(C) covers con(D) iff for all F ∈ con(D), there is E ∈ con(C) such that E ⊑ F.

⇒ This characterizes C ⊑ D.

Compliance

C is compliant with P iff con(C) does not cover con(Dᵢ) for any i ∈ {1, …, p}.

Complexity for Compliance

  • Deciding whether C′ is compliant w.r.t. P is in PTime.
  • One optimal P-compliant generalization can be computed in ExpTime.
  • The set of all optimal P-compliant generalizations can be computed in ExpTime.


slide-23
SLIDE 23

Characterizing Safety

Assume P is redundant-free: every Dᵢ, Dⱼ ∈ P are incomparable w.r.t. subsumption.

Safety

  • C′ is safe for P iff there is no pair of atoms (E, F) such that E ∈ con(C′), F ∈ con(D₁) ∪ … ∪ con(Dₚ) and E ⊑ F.
  • Deciding whether C′ is safe for P is in PTime.

The Optimal P-Safe Generalization

  • If C′₁, C′₂ are P-safe generalizations of C, then C′₁ ⊓ C′₂ is also a P-safe generalization of C.
    ⇒ Optimal P-safe generalization is unique up to equivalence.
  • The P-optimal safe generalization of C can be computed in ExpTime.
    ⇒ Requires the computation of optimal P-compliant generalizations.
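
The cover-based characterizations of compliance and safety, run on the linda example, as an added Python example that is not part of the original slides. It assumes an empty TBox and a redundancy-free policy; the encoding of concepts as frozensets of atoms and all function names are this example's own.

```python
# Added example, not from the slides. Assumes an empty TBox.
# A concept is a frozenset of atoms (its top-level conjunction, con(C));
# an atom is a concept name (str) or a pair (role, filler) for ∃role.filler.
# The empty frozenset is ⊤.

def conj(*atoms):
    return frozenset(atoms)

def ex(role, *atoms):
    return (role, frozenset(atoms))

def atom_subsumed(e, f):
    """E ⊑ F for two atoms."""
    if isinstance(e, str) or isinstance(f, str):
        return e == f
    return e[0] == f[0] and covers(e[1], f[1])

def covers(c, d):
    """con(C) covers con(D), which characterizes C ⊑ D."""
    return all(any(atom_subsumed(e, f) for e in c) for f in d)

def compliant(c, policy):
    """C is compliant iff con(C) covers no con(Di)."""
    return not any(covers(c, d) for d in policy)

def safe(c, policy):
    """No atom of C is subsumed by an atom of any Di (policy redundancy-free)."""
    return not any(atom_subsumed(e, f) for e in c for d in policy for f in d)

# The linda example from the slides.
seen_by_cardio_doc = ex("seen_by", "Doctor", "Male", ex("works_in", "Cardiology"))
D = conj("Patient", ex("seen_by", "Doctor", ex("works_in", "Cardiology")))
C = conj("Patient", "Female", seen_by_cardio_doc)
C1 = conj("Female", seen_by_cardio_doc)
C2 = conj("Female", ex("seen_by", "Doctor", "Male", ex("works_in")))
C3 = C2 | conj(ex("seen_by", "Male", ex("works_in", "Cardiology")))
POLICY = [D]

def report():
    """(compliant, safe) for each concept of the example."""
    cs = {"C": C, "C1": C1, "C2": C2, "C3": C3}
    return {n: (compliant(c, POLICY), safe(c, POLICY)) for n, c in cs.items()}

if __name__ == "__main__":
    print(report())
    # Attacker background knowledge Patient(linda) is itself compliant,
    # yet joined with the published C1 it reveals the secret D.
    background = conj("Patient")
    print(compliant(background, POLICY), compliant(C1 | background, POLICY))
    # C ⊑ C3 ⊑ C2, and C2 is strictly more general than C3.
    print(covers(C, C3), covers(C3, C2), covers(C2, C3))
```
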


slide-24
SLIDE 24

Future Work

  • Decision problem for optimality
  • Considering PPOP with EL concepts w.r.t. (Acyclic) TBoxes
  • Considering a setting where A contains concept and role assertions
  • Considering ELO concepts


slide-25
SLIDE 25

Thank You
