Method and apparatus for safe ontology reasoning

Abstract

The present invention is a method and apparatus for safe ontology reasoning. In one embodiment, a method for building safe sub-ontology that includes one or more elements of a given ontology includes designating at least one the elements as a sensitive element, where a sensitive element is an element not to be revealed. The method then designates a safe sub-ontology such that the safe sub-ontology does not include any elements that, alone or in combination, allow inference of a sensitive element, in accordance with one or more given inference rules. In another embodiment, a method for building a potential sub-ontology includes designating at least one of the elements as a sensitive element and including a maximal number of the elements in the potential sub-ontology, wherein the maximal number includes the greatest number of elements that can be revealed, cumulatively, without allowing inference of a sensitive element, in accordance with one or more given inference rules.

Description

BACKGROUND

[0001] The invention relates generally to ontology processing, and relates more particularly to ontology security.

[0002] A central issue under consideration by the World Wide Web Consortium is ontology security and privacy. In particular, as ontologies proliferate and automatic reasoners become more powerful, it becomes more difficult to protect sensitive information. That is, as facts can be inferred from other facts, it becomes increasingly likely that information included in an ontology, while not sensitive itself, may nevertheless enable inference of information that is deemed sensitive.

[0003] A competing concern, on the other hand, is the ability to provide an adequate or useful amount of information for ontology processing applications such as querying, navigating and reasoning. This concern is often at odds with the desire to limit or prevent access to information that may contribute to the inference of sensitive information.

[0004] Thus, there is a need for a method and apparatus for safe ontology reasoning.

SUMMARY OF THE INVENTION

[0005] The present invention is a method and apparatus for safe ontology reasoning, where the "safety" of an ontology encompasses both privacy concerns and security concerns. In one embodiment, a method for building safe sub-ontology that includes one or more elements of a given ontology includes designating at least one the elements as a sensitive element, where a sensitive element is an element not to be revealed. The method then designates a safe sub-ontology such that the safe sub-ontology does not include any elements that, alone or in combination, allow inference of a sensitive element, in accordance with one or more given inference rules. In another embodiment, a method for building a potential sub-ontology includes designating at least one of the elements as a sensitive element and including a maximal number of the elements in the potential sub-ontology, wherein the maximal number includes the greatest number of elements that can be revealed, cumulatively, without allowing inference of a sensitive element, in accordance with one or more given inference rules.

BRIEF DESCRIPTION OF THE DRAWINGS

[0006] So that the manner in which the above recited embodiments of the invention are attained and can be understood in detail, a more particular description of the invention, briefly summarized above, may be obtained by reference to the embodiments thereof which are illustrated in the appended drawings. It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and are therefore not to be considered limiting of its scope, for the invention may admit to other equally effective embodiments.

[0007] FIG. 1 is a flow diagram illustrating one embodiment of a method for testing a subset of an ontology for "safeness", according to the present invention;

[0008] FIG. 2 is a flow diagram illustrating one embodiment of a method for determining a "best" safe ontology, according to the present invention;

[0009] FIG. 3 is a flow diagram illustrating one embodiment of a method for reducing a multi-matroid problem to a three-matroid problem; and

[0010] FIG. 4 is a high level block diagram of the present ontology testing method that is implemented using a general purpose computing device.

[0011] To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures.

DETAILED DESCRIPTION

[0012] In one embodiment, the present invention is method and apparatus for safe ontology reasoning. Within the context of the present invention, the "safety" of an ontology refers to the ontology's ability to address both privacy concerns and security concerns. Embodiments of the present invention preserve the integrity of sensitive information in an ontology framework by verifying the safety of a sub-ontology made available for querying, navigating, reasoning and other ontology processing applications. In particular, the present invention verifies not only that sensitive information is not included in the sub-ontologies, but also that information from which the sensitive information can be inferred is not included in the sub-ontologies. This substantially reduces the likelihood of sensitive information being even inadvertently revealed. Moreover, the present invention maximizes the amount of information that is provided in the safe ontology, so that the ontology can provide as much useful information as possible while still remaining "safe" with respect to the sensitive information.

[0013] Within the context of the present invention, a "safe" or "secure" ontology (or sub-ontology) is defined as one that does not contain any information that may be used to derive sensitive facts, given a collection of inference rules.

[0014] Embodiments of the present invention define an ontology, O, as a tuple {I, R, M} comprising a finite set of concepts, where I is a finite set of individuals, R is a finite set of relationships and M is a finite set of metadata (which may include characteristics of relations, such as symmetry or transitivity, or constraints on relationships, such as restrictions of the number of relationships of a given type that can exist between individuals).

[0015] A relationship, r, in the set R is expressed as a set of triples in the form: [0016] (subject, property, object) where "subject" is an individual (e.g., i in the set I), "property" is a specific type of relationship, and "object" is an expression composed of individuals and the logical operators AND, OR and NOT. For example, the relationships (Jim isMemberOf man), (man isEquivalentTo (person AND male)) and (American is SubsetOf person) are all expressed as sets of triples.

[0017] Pieces, m, of metadata in M are also expressed as triples. Specifically, a piece, m, of metadata is expressed as: [0018] (property, constraint, value) where "property" corresponds to the specific type of relationship (e.g., the middle member of a relationship triple, such as isMemberOf or isEquivalentTo), "value" is a property or constant, and "constraint" is a member of {<=>inverseOf subPropertyOf disjointFrom is}. For example, the pieces of metadata (isSubsetOf is transitive), (name=1), (spouse<2) and (parentOf inverseOf childOf) are all expressed as sets of triples.

[0019] Types of metadata give rise to inference rules. For instance, the piece of metadata (ancestorOf is transitive)--i.e., the property "ancestorOf" is transitive--allows one to infer that if (Adam ancestorOf Bob) and (Bob ancestorOf Carl), then (Adam ancestorOf Carl).

[0020] In one embodiment, the present invention extends the definition of an ontology to include restricted relations of the form FOR_ALL individuals, i, in class c, there exists an individual, j, in class D such that (i property j) and FOR_ALL individuals, i, in class C, there exists an individual, j, such that (i property j), then j is a member of class D.

[0021] The closure, F(R), of a set of relations, R, is defined as the total set of relations or facts that can be inferred from the given set of relations, R, and the inference rules implied by the set of metadata, M. If the set of metadata, M, is relatively simple, the closure, F(R), of the set of relations, R, is also simple to determine. For example, if the set of metadata, M, only contains: (isSubsetOf is transitive), (isEquivalentTo is transitive) and (isEquivalentTo is symmetric), then, given a set of relations, R of the form: (x isSubsetOf y), (w isEquivalentTo z) and (i isA C), the closure, F(R), of the set of relations, R, can be computed by considering a graph, G, with edge set R (i.e., the sets of triples in the set of relations, R, define the set of edges of the graph, G, and the endpoints of the edges define the set of nodes). That is, where the only available inference mechanism is transitivity, facts may be inferred from other individual facts. In this case, the only inferences that can be made are membership inferences (i.e., one can infer whether a set is equivalent to or is a subset of another set, or whether an individual is a member of a set). The problem of determining the closure, F(R), of the set of relations, R, thus involves simply identifying the "reachability" set of each node, n, in the graph, G (i.e., determining for which set of nodes, s, a path exists from n to s). This can be easily computed, for example, by using breadth first search.

[0022] In a more general case, other transitive relations may exist, such as "isPartOf". For example: (USA isPartOf NorthAmerica), (State Pennsylvania isPartOf USA) or (City Philadelphia isPartOf State Pennsylvania). Membership, in this case, can still be determined using a simple search algorithm; however, the search must be sensitive to the fact that paths must comprise properties of the same type. This can also be extended to the case where different types of properties interact to form paths by declaring all such groups of properties as sub-properties of a single transitive property.

[0023] FIG. 1 is a flow diagram illustrating one embodiment of a method 100 for testing a subset of an ontology, O (where O={I, R, M}), for "safeness", according to the present invention.

[0024] The method 100 is initialized at step 102 and proceeds to step 104, where the method 100 defines a first subset, R.sub.s, of the set of relationships, R, in the given ontology, O. Specifically, the first subset, R.sub.s, contains all sensitive relationships (facts) in the set of relationships R. For example, the first subset, R.sub.s, may contain the triple: T.sub.1=(A is subSetOf E). In one embodiment, the first subset, R.sub.s, may be defined for the method 100 by an external source (e.g., a human operator).

[0025] In step 106, the method 100 defines a second subset, Q, of the set of relationships, R. The second subset, Q, contains a test subset of relationships from the set of relationships, R, That is, the second subset, Q, is to be tested to determine its safety. For example, the second subset, Q, may contain the triples: T.sub.2=(A isEquivalentTo (B AND C)), T.sub.3=(A is subSetOf D), and T.sub.4=(E isEquivalentTo (B AND (C AND D))). In one embodiment, the second subset, Q, may be defined for the method 100 by an external source (e.g., a human operator).

[0026] In step 108, the method 100 builds the closure, F(Q) of the second subset, Q, e.g., as described above. In step 110, the method 100 determines whether the closure, F(Q), of the second subset, Q, intersects with the first subset, R.sub.s. In general, given one or more sets of relations, M.sub.si.sup.k, for each r.sub.si in the first subset, R.sub.s, where r.sub.si can be inferred from M.sub.si.sup.k, but cannot be inferred from any subset of the set of relations M.sub.sk.sup.k a sub-ontology containing all of the relationships in M.sub.si.sup.k is not considered safe with respect to the first subset, R.sub.s. However, a safe sub-ontology with respect to the first subset, R.sub.s, may be defined as any set of relations that does not contain all of the members of M.sub.si.sup.k. In one embodiment, M.sub.si.sup.k is provided or derived in accordance with an ontology defined by Horn clauses.

[0027] Accordingly, if the method 100 determines in step 110 that the closure, F(Q), of the second subset, Q, intersects with the first subset, R.sub.s, the method 100 proceeds to step 112 and concludes that the second subset, Q, is not safe (i.e., that information contained in the first subset, R.sub.s, can be inferred from the information contained in the second subset, Q). Alternatively, if the method 100 determines in step 110 that the closure, F(Q), of the second subset, Q, does not intersect with the first subset, R.sub.s, the method 100 proceeds to step 114 and concludes that the second subset, Q, is safe (i.e., that information contained in the first subset, R.sub.s, cannot be inferred from the information contained in the second subset, Q).

[0028] Thus, for example, based on the triples T.sub.1 through T.sub.4 discussed above, the second subset, Q, would not be considered safe with respect to the first subset, R.sub.s, because the triple T.sub.4 can be inferred from the sub-ontology (T.sub.1, T.sub.2, T.sub.3). However, if the second subset, Q, contained only (T.sub.1, T.sub.2), only (T.sub.1, T.sub.3) or only (T.sub.2, T.sub.3), then the second subset, Q, would be considered safe with respect to the first subset, R.sub.s. Once a conclusion has been reached as to the safety of the second subset, Q, the method 100 terminates in step 116.

[0029] The present invention therefore preserves the integrity of sensitive information in an ontology framework by verifying the safety of a sub-ontology made available for querying, navigating, reasoning and other ontology processing applications. That is, the present invention verifies not only that sensitive information is not included in the sub-ontologies, but also that information from which the sensitive information can be inferred is not included in the sub-ontologies. This substantially reduces the likelihood of sensitive information being even inadvertently revealed.

[0030] FIG. 2 is a flow diagram illustrating one embodiment of a method 200 for determining a "best" safe ontology, e.g., for use in querying, navigating, reasoning and other ontology processing applications, according to the present invention. In particular, the method 200 optimizes the safe ontology, with respect to some function of the safe ontology. In the instance of the method 200, the function is a counting function. That is, the method 200 builds a safe ontology that retains as many relationships as possible (without revealing or allowing the inference of any information deemed sensitive).

[0031] The method 200 is initialized at step 202 and proceeds to step 204, where the method 200 defines a first subset, R.sub.s, of the set of relationships, R, in the given ontology, O. Specifically, the first subset, R.sub.s, contains all sensitive relationships (facts) in the set of relationships R. In one embodiment, the first subset, R.sub.s, is defined for the method 200 by an external source (e.g., a human operator).

[0032] In step 206, the method 200 defines, for each relationship, r.sub.si, in the first subset, R.sub.s, the minimal set of relationships, M.sub.si.sup.k, required to infer the given relationship, r.sub.si. In one embodiment, the minimal set of relationships, M.sub.si.sup.k, is defined for the method 200 by an external source (e.g., a human operator or another application). The goal of the method 200 thus becomes to find a maximum cardinality set of relationships, R*, such that R* does not include all of the relationships in any of the minimal sets of relationships, M.sub.si.sup.k.

[0033] Thus, in step 208, the method 200 associates a matroid with each of the minimal sets of relationships, M.sub.si.sup.k. A matroid M(E, F) is defined by a set of elements, E, and a family, F, of independent sets, F', of the elements, E, where the independent sets, F', have the following properties: (1) every subset of an independent set, F', is also independent; (2) if there are two independent sets F.sub.k' and F.sub.k+1', of cardinalities k and k+1, respectively, then there exists an element, e.sub.i, in the set of elements, E, that is a member of F.sub.k+1', but not a member of F.sub.k', and such that F.sub.k'.orgate.e.sub.i is an independent set. In one embodiment, the set of elements, E, is finite. The set of elements, E, may contain concepts, relationships, and/or individuals in the given ontology, O. Having established the matroids, the goal is to find a single set of relationships that are simultaneously independent in all of the minimal sets of relationships, M.sub.si.sup.k (i.e., an independent set in an intersection of the matroids defined in step 208).

[0034] In step 210, the method 200 defines the intersection of the matroids. Formally, given k matroids (i.e., M.sub.1, M.sub.2, . . . , M.sub.k), all defined over the same set of elements, E, the intersection of the matroids is defined as M.sub.1=(E, F.sub.1), where a subset, F, of the set of elements, E, is a member of F.sub.1 if and only if the subset, F, is independent in all of the individual matroids.

[0035] In step 212, the method 200 reduces the intersection problem to a fewer-matroid problem. In one embodiment, the intersection problem is reduced to a three-matroid problem (i.e., first matroid M.sub.1**, second matroid M.sub.2** and third matroid M.sub.3**). One embodiment of a method for reducing a multi-matroid problem to a three-matroid problem is described with reference to FIG. 3. For the purposes of simplicity, the remainder of the discussion of the method 200 will assume that the intersection has been reduced to a three-matroid problem.

[0036] As described above, having reduced the number of matroids (e.g., to first matroid M.sub.1**, second matroid M.sub.2** and third matroid M.sub.3**), the goal becomes to identify an independent set in an intersection of the matroids in the reduced set. In one embodiment, a polynomial-bounded algorithm to find an independent set of maximum cardinality in the intersection of two matroids relies on the concept of an alternating chain and is an extension of an algorithm for finding maximum cardinality independent sets in a single matroid (i.e., find elements that are independent of already selected elements, with the assurance that no element, once selected, will prevent the finding of an independent set of higher cardinality). The algorithm for finding an independent set of maximum cardinality in the intersection of two matroids first selects elements one at a time, maintaining independence in both matroids, until no further elements can be selected. However, it is not necessarily guaranteed that one can find a maximum cardinality intersection in this manner, and even though the algorithm may be adapted by means of an augmenting path, this process becomes complicated for problems involving the intersection of large numbers of matroids. Accordingly, an alternate embodiment of a method for finding the independent set in the intersection of the reduced set of matroids is described below with respect to steps 214-224.

[0037] Once the number of matroids for which an intersection must be found has been reduced (e.g., in step 208), the method 200 proceeds to step 214 and initializes an intersection, X.sub.k, where k=0. Thus, the intersection, X.sub.k, is currently an empty intersection.

[0038] In step 216, the method 200 forms a border graph, B, based on the current intersection, X.sub.k. The border graph, B, is a bipartite graph whose node set is the base set of elements, E, for the reduced set of matroids (e.g., the first, second and third matroids, M.sub.1**, M.sub.2** and M.sub.3**).

[0039] In step 218, the method 200 determines whether an augmenting tree, T.sub.k, exists in the border graph, B. An augmenting tree is a sequence of elements, e.sub.j, which can be added and/or removed from a set of elements that are independent in a given number of matroids, in order to create a larger set of elements that are independent in the matroids. The augmenting tree, T.sub.k, is rooted at a starting element (node), e.sub.1, that has no incoming paths; is terminated at an ending element (node), e.sub.x, that has no outgoing paths; and is comprised of additional intermediate elements (nodes), e.sub.j, having, at most, one path leading therein. In one embodiment, the elements, e.sub.j, in the border graph, B, have multiple labels that are each defined as a tuple: (S, W), where S is the set of elements, e.sub.j, in the path from the starting element, e.sub.1, and W is the total weight of all elements, e.sub.j, in the path (if the "best" subset of elements is defined as a subset of maximum weight, where each potential element in the subset is associated with an individual weight). An augmenting tree, T.sub.k, rooted at the starting element, e.sub.1, is thus found by labeling elements, e.sub.j, from previously labeled elements, e.sub.k. All paths in the augmenting tree must terminate in elements e.sub.k with degree zero. This resolves all cycles formed while performing augmentation.

[0040] In one embodiment, one or more paths in the border graph, B, corresponds to an augmenting tree or sequence from a first intersection, X.sub.p, to a second intersection, X.sub.p+1. The nodes of the border graph, B, are partitioned into the sets X.sub.p and E-X.sub.p. For e.sub.i X.sub.p and e.sub.j E-X.sub.p, there exists a directed edge (e.sub.j, e.sub.i) in the border graph, B, if e.sub.i, when added to I.sub.p, forms a cycle C.sub.j.sup.(1) in the first matroid M.sub.1** and if e.sub.i is in C.sub.j.sup.(1). A cycle, such as the cycle C.sub.j.sup.(1), is a set that becomes independent with respect to given inference rules by removing an element from the set. Similarly, there exists a directed edge (e.sub.i, e.sub.j) in the border graph, B, if e.sub.i, when added to X.sub.p, forms a cycle C.sub.j.sup.(2) in the second matroid M.sub.2** and if e.sub.j is in C.sub.i.sup.(2), or if e.sub.i, when added to X.sub.p, forms a cycle C.sub.j.sup.(3) in the third matroid M.sub.3** and if e.sub.j is in C.sub.i.sup.(3). Edges of the border graph, B, that are based on a cycle in the first matroid, M.sub.1**, are referred to as type-1 edges, while edges generally based on cycles in a matroid, M.sub.k**, are referred to as type-k edges.

[0041] In the simplest case, the starting element, e.sub.1, has neither incoming nor outgoing edges, in which case the starting element, e.sub.1, forms no cycles with X.sub.p in any of the matroids in the reduced set (e.g., first, second and third matroids M.sub.1**, M.sub.2** and M.sub.3**). In this case, the starting element, el, is an augmenting tree by itself (i.e., it can be added to X.sub.p to form X.sub.p+1).

[0042] The next most simple case would be where the starting element, e.sub.1, has no incoming edges (i.e., does not form a cycle in the first matroid, M.sub.1**, added to X.sub.p), but does form a cycle in the second matroid M.sub.2**. In this case, if the starting element e.sub.1 is added to X.sub.p, some other element, e.sub.j (where e.sub.j is connected to the starting element, e.sub.1, via a type-2 edge in the border graph, B), must be removed from the cycle that the starting element, e.sub.1, forms in the second matroid M.sub.2**. Thus, an edge must be found from e.sub.j to some node e.sub.k in X.sub.p, where e.sub.j is part of the cycle formed by e.sub.k in the first matroid, M.sub.1**. It is also possible that the starting element, e.sub.1, has no incoming edges, but forms cycles in both the first and second matroids, M.sub.2** and M.sub.3**. If there is a single element, e.sub.j, that is present in both of these cycles, the starting element, e.sub.1, can be added; e.sub.j can be removed; and a third node, e.sub.k, which includes e.sub.j in the cycle e.sub.k forms with X.sub.p in the first matroid, M.sub.1**, can be added. It should be noted that these cases are only exemplary, and an augmenting path may contain more or less than three elements.

[0043] If the method 200 determines in step 218 that an augmenting tree, T.sub.k, does not exist in the border graph, B, then the method 200 concludes in step 220 that the current intersection, X.sub.k, is of maximum cardinality before terminating in step 224. This maximum cardinality intersection, X.sub.k, of the first, second and third matroids M.sub.1**, M.sub.2** and M.sub.3**, represents the "optimal" sub-ontology (i.e., the sub-ontology that retains the most relationships out of all of the available safe sub-ontologies).

[0044] Alternatively, if the method 200 determines in step 218 that an augmenting tree, T.sub.k, does exist in the border graph, B, then the method 200 proceeds to step 222 and augments the current intersection, X.sub.k, in accordance with the augmenting tree, T.sub.k. That is, the method 200 adds to the current intersection, X.sub.k, all e.sub.j X.sub.k. The method 200 then returns to step 216 and proceeds as described above, first by forming a new border graph, B, based on the current intersection, X.sub.k, which has been newly augmented.

[0045] FIG. 3 is a flow diagram illustrating one embodiment of a method 300 for reducing a multi-matroid problem to a three-matroid problem. That is, the method 300 reduces a set of k matroids to a set of three matroids. The method 300 may be implemented, for example, in accordance with step 212 of the method 200.

[0046] The method 300 is initialized at step 302 and proceeds to step 304, where the method 300 makes one copy of each element, e, in the given set of elements, E, for each minimal set of relationships, M.sub.si.sup.k.

[0047] In step 306, the method 300 finds independent sets in each of the matroids separately. In step 308, the method 300 determines whether a copy, j, of an element, e.sub.i, was used in the independent set from a given matroid, M.sub.j. If the method 300 concludes in step 308 that a copy of the element, e.sub.i, was used in the independent set from the given matroid, M.sub.j, then the method 300 proceeds to step 310 and uses e.sub.i in the independent sets for all other matroids. This transforms the k-intersection problem in a matroid, M, with m elements into a problem of finding a maximum cardinality independent set in a new matroid M* with km elements, but also with an additional condition (a "parity condition") that all copies of a given element, e, be included in any solution.

[0048] In step 312, the method 300 removes the parity condition. Notably, if the method 300 concludes in step 308 that a copy of the element, e.sub.i, was not used in the independent set from the given matroid, M.sub.j, then the method 300 proceeds directly to step 312 without applying the copy of the element, e.sub.i, in the independent sets for all other matroids.

[0049] In one embodiment, the parity condition is removed by defining three additional matroids on the elements of the new matroid M*. This is done by first defining a new element, a.sub.ij, corresponding to each element, e.sub.ij, in the new matroid, M*. This creates a first matroid, M.sub.1**, where M.sub.1**=(E**, F.sub.1**), E**={e.sub.ij}.orgate.{a.sub.ij} and F is in F** if all elements, e, in F.sup.Ej (the jth copies of the set of elements, E) are independent in M.sub.j. Thus, M.sub.1 enforces the constraints in the original matroids.

[0050] Secondly, to enforce the parity rule, one defines second and third matroids, respectively: M.sub.2**=(E**, F.sub.2**) M.sub.3**=(E**, F.sub.3**) where F is in F.sub.2** if, for all i and j (j=1, 2, . . . , k), F does not include both e.sub.ij and a.sub.ij; and F is in F.sub.3** if, for all i and j, F does not include both e.sub.ij and a.sub.ij+1 for j<k and also does not include both e.sub.ik and a.sub.i, 1.

[0051] The goal of the constraints in F.sub.2** and F.sub.3** is to allow a full set of e.sub.ij's for a given intersection or a full set of a.sub.ij's for that given intersection, but not both. Now, one only has to solve the problem of finding the maximum intersection over the intersection of three matroids.

[0052] Once the three new matroids have been defined, the method 300 terminates in step 314.

[0053] FIG. 4 is a high level block diagram of the present ontology testing method that is implemented using a general purpose computing device 400. In one embodiment, a general purpose computing device 400 comprises a processor 402, a memory 404, an ontology testing module 405 and various input/output (I/O) devices 406 such as a display, a keyboard, a mouse, a modem, and the like. In one embodiment, at least one 1/O device is a storage device (e.g., a disk drive, an optical disk drive, a floppy disk drive). It should be understood that the ontology testing module 405 can be implemented as a physical device or subsystem that is coupled to a processor through a communication channel.

[0054] Alternatively, the ontology testing module 405 can be represented by one or more software applications (or even a combination of software and hardware, e.g., using Application Specific Integrated Circuits (ASIC)), where the software is loaded from a storage medium (e.g., I/O devices 406) and operated by the processor 402 in the memory 404 of the general purpose computing device 400. Thus, in one embodiment, the ontology testing module 405 testing ontologies for safeness described herein with reference to the preceding Figures can be stored on a computer readable medium or carrier (e.g., RAM, magnetic or optical drive or diskette, and the like).

[0055] Thus, the present invention represents a significant advancement in the field of ontology processing. A method is provided that preserves the integrity of sensitive information in an ontology framework by verifying the safety of a sub-ontology made available for querying, navigating, reasoning and other ontology processing applications. That is, the present invention verifies not only that sensitive information is not included in the sub-ontologies, but also that information from which the sensitive information can be inferred is not included in the sub-ontologies. This substantially reduces the likelihood of sensitive information being even inadvertently revealed. Moreover, the present invention maximizes the amount of information that is provided in the safe ontology, so that the ontology can provide as much useful information as possible while still remaining "safe" with respect to the sensitive information.

[0056] While foregoing is directed to the preferred embodiment of the present invention, other and further embodiments of the invention may be devised without departing from the basic scope thereof, and the scope thereof is determined by the claims that follow.

Claims

1. A method for building a safe sub-ontology comprising one or more elements of a given ontology, the elements comprising one or more individuals, one or more relationships defined between the one or more individuals and one or more pieces of metadata relating to the one or more individuals and the one or more relationships, the method comprising: designating at least one of said one or more elements as a sensitive element, where a sensitive element is an element not to be revealed; designating at least one of said one or more elements as a potential safe sub-ontology such that said potential safe sub-ontology does not include any elements that, alone or in combination, allow inference of a sensitive element, in accordance with one or more given inference rules; verifying that said potential safe sub-ontology does not include any elements that, alone or in combination, allow inference of a sensitive element, in accordance with said one or more given inference rules; and storing said potential safe sub-ontology as the safe sub-ontology, if said verifying concludes that said potential safe sub-ontology does not include any elements that, alone or in combination, allow inference of a sensitive element, in accordance with said one or more given inference rules.

2. (canceled)

3. The method of claim 1, wherein said verifying comprises: defining a first subset of said one or more elements, said first subset comprising said least one of said one or more elements that Is designated as a sensitive element; defining a second subset of said one or more elements, where said second subset comprises a set of elements to be tested as said potential safe sub-ontology; building a closure of said second subset; and determining whether said closure intersects with said first subset.

4. The method of claim 3, further comprising: concluding that said potential safe sub-ontology is safe if said closure does not intersect with said first subset; and concluding that said potential safe sub-ontology is not safe if said closure intersects with said first subset.

5. The method of claim 1, wherein said ontology comprises: a finite set of concepts; a finite set of individuals; a finite set of relationships; and a finite set of metadata.

6. The method of claim 1, further comprising the step of: optimizing said potential safe sub-ontology with respect to a function of said potential safe sub-ontology, while maintaining said safe status.

7. The method of claim 6, wherein said function is a counting function.

8. The method of claim 6, wherein said including comprises: defining, for each sensitive element, a minimal set of said one or more elements that is necessary to infer said sensitive element in accordance with said one or more given inference rules; associating each minimal set with a matroid; and identifying a single subset of said one or more elements, where each element in said single subset is independent in each minimal set.

9. The method of claim 8, wherein said identifying comprises: defining a first intersection of all of said matroids associated with a minimal set; reducing said first intersection to a second Intersection of a subset of said matroids; initiating a third intersection, said third intersection being an empty intersection; building a border graph in accordance with said third intersection; and selecting said maximal number in accordance with said border graph.

10. The method of claim 9, wherein said selecting comprises: determining whether an augmenting tree exists in said border graph; augmenting said third intersection with said augmenting tree, if said augmenting tree is determined to exist in said border graph; and selecting said third intersection as said maximal number, if no augmenting tree is determined to exist in said border graph.

11. The method of claim 9, wherein said second intersection is an intersection of three matroids.

12. A computer readable medium containing an executable program for building a safe sub-ontology comprising one or more elements of a given ontology, the elements comprising one or more individuals, one or more relationships defined between the one or more individuals and one or more pieces of metadata relating to the one or more individuals and the one or more relationships, where the program performs the steps of: designating at least one of said one or more elements as a sensitive element, where a sensitive element Is an element not to be revealed; designating at least one of said one or more elements as a potential safe sub-ontology such that said potential safe sub-ontology does not include any elements that, alone or in combination, allow inference of a sensitive element, in accordance with one or more given inference rules; verifying that said potential safe sub-ontology does not include any elements that, alone or in combination, allow inference of a sensitive element, in accordance with said one or more given inference rules; and storing said potential safe sub-ontology as the safe sub-ontology, if said verifying concludes that said potential safe sub-ontology does not include any elements that, alone or in combination, allow inference of a sensitive element, in accordance with said one or more given inference rules.

13. (canceled)

14. The computer readable medium of claim 12, wherein said verifying comprises: defining a first subset of said one or more elements, said first subset comprising said least one of said one or more elements that is designated as a sensitive element; defining a second subset of said one or more elements, where said second subset comprises a set of elements to be tested as said potential safe sub-ontology; building a closure of said second subset; and determining whether said closure intersects with said first subset.

15. Apparatus for building a safe sub-ontology comprising one or more elements of a given ontology, the elements comprising one or more individuals, one or more relationships defined between the one or more individuals and one or more pieces of metadata relating to the one or more individuals and the one or more relationships, said apparatus comprising: means for designating at least one of said one or more elements as a sensitive element, where a sensitive element is an element not to be revealed; means for designating at least one of said one or more elements as a potential safe sub-ontology such that said potential safe sub-ontology does not include any elements that, alone or in combination, allow inference of a sensitive element, in accordance with one or more given inference rules; means for verifying that said potential safe sub-ontology does not include any elements that, alone or in combination, allow inference of a sensitive element, in accordance with said one or more given inference rules; and means for storing said potential safe sub-ontology as the safe sub-ontology, if said verifying concludes that said potential safe sub-ontology does not include any elements that, alone or in combination, allow inference of a sensitive element, in accordance with said one or more given inference rules.

16. A method for building a potential sub-ontology comprising one or more elements of a given ontology, the elements comprising one or more individuals, one or more relationships defined between the one or more individuals and one or more pieces of metadata relating to the one or more individuals and the one or more relationships, the method comprising designating at least one of said one or more elements as a sensitive element, where a sensitive element is an element not to revealed; including a maximal number of said one or more elements in said potential sub-ontology, wherein said maximal number is a greatest number of elements that can be revealed, cumulatively, without allowing inference of a sensitive element, in accordance with one or more given inference rules; verifying that said potential safe sub-ontology does not include any elements that, alone or in combination, allow inference of a sensitive element, in accordance with said one or more given inference rules: and storing said potential safe sub-ontology as a safe subontology, if said verifying concludes that said potential safe sub-ontology does not include any elements that, alone or in combination, allow inference of a sensitive element, in accordance with said one or more given inference rules.

17. The method of claim 16, wherein said including comprises: defining, for each sensitive element, a minimal set of said one or more elements that is necessary to infer said sensitive element in accordance with said one or more given inference rules; associating each minimal set with a matroid; and identifying a single subset of said one or more elements, where each element in said single subset is independent in each minimal set.

18. The method of claim 17, wherein said identifying comprises: defining a first intersection of all of said matroids associated with a minimal set; reducing said first intersection to a second intersection of a subset of said matroids; initiating a third intersection, said third intersection being an empty intersection; building a border graph in accordance with said third intersection; and selecting said maximal number in accordance with said border graph.

19. The method of claim 18, wherein said selecting comprises: determining whether an augmenting tree exists in said border graph; augmenting said third intersection with said augmenting tree, if said augmenting tree is determined to exist in said border graph; and selecting said third intersection as said maximal number, if no augmenting tree is determined to exist in said border graph.

20. The method of claim 18, wherein, said second intersection is an intersection of three matroids.