U.S. patent application number 11/361293 was filed with the patent office on 2007-08-23 for method and apparatus for safe ontology reasoning.
Invention is credited to Achille Fokoue-Nkoutche, Genady Grabarnik, Nagui Halim, Aaron Kershenbaum, Edith Schonberg, Larisa Shwartz, Kavitha Srinivas.
Application Number | 20070198449 11/361293 |
Family ID | 38429538 |
Filed Date | 2007-08-23 |
United States Patent
Application |
20070198449 |
Kind Code |
A1 |
Fokoue-Nkoutche; Achille ;
et al. |
August 23, 2007 |
Method and apparatus for safe ontology reasoning
Abstract
The present invention is a method and apparatus for safe
ontology reasoning. In one embodiment, a method for building a safe
sub-ontology that includes one or more elements of a given ontology
includes designating at least one of the elements as a sensitive
element, where a sensitive element is an element not to be
revealed. The method then designates a safe sub-ontology such that
the safe sub-ontology does not include any elements that, alone or
in combination, allow inference of a sensitive element, in
accordance with one or more given inference rules. In another
embodiment, a method for building a potential sub-ontology includes
designating at least one of the elements as a sensitive element and
including a maximal number of the elements in the potential
sub-ontology, wherein the maximal number includes the greatest
number of elements that can be revealed, cumulatively, without
allowing inference of a sensitive element, in accordance with one
or more given inference rules.
Inventors: |
Fokoue-Nkoutche; Achille;
(White Plains, NY) ; Grabarnik; Genady;
(Scarsdale, NY) ; Halim; Nagui; (Yorktown Heights,
NY) ; Kershenbaum; Aaron; (New City, NY) ;
Schonberg; Edith; (New York, NY) ; Shwartz;
Larisa; (Scarsdale, NY) ; Srinivas; Kavitha;
(Rye, NY) |
Correspondence
Address: |
PATTERSON & SHERIDAN LLP;IBM CORPORATION
595 SHREWSBURY AVE
SUITE 100
SHREWSBURY
NJ
07702
US
|
Family ID: |
38429538 |
Appl. No.: |
11/361293 |
Filed: |
February 23, 2006 |
Current U.S.
Class: |
706/47 |
Current CPC
Class: |
G06N 5/04 20130101 |
Class at
Publication: |
706/047 |
International
Class: |
G06N 5/02 20060101
G06N005/02 |
Claims
1. A method for building a safe sub-ontology comprising one or more
elements of a given ontology, the elements comprising one or more
individuals, one or more relationships defined between the one or
more individuals and one or more pieces of metadata relating to the
one or more individuals and the one or more relationships, the
method comprising: designating at least one of said one or more
elements as a sensitive element, where a sensitive element is an
element not to be revealed; designating at least one of said one or
more elements as a potential safe sub-ontology such that said
potential safe sub-ontology does not include any elements that,
alone or in combination, allow inference of a sensitive element, in
accordance with one or more given inference rules; verifying that
said potential safe sub-ontology does not include any elements
that, alone or in combination, allow inference of a sensitive
element, in accordance with said one or more given inference rules;
and storing said potential safe sub-ontology as the safe
sub-ontology, if said verifying concludes that said potential safe
sub-ontology does not include any elements that, alone or in
combination, allow inference of a sensitive element, in accordance
with said one or more given inference rules.
2. (canceled)
3. The method of claim 1, wherein said verifying comprises:
defining a first subset of said one or more elements, said first
subset comprising said at least one of said one or more elements that
is designated as a sensitive element; defining a second subset of
said one or more elements, where said second subset comprises a set
of elements to be tested as said potential safe sub-ontology;
building a closure of said second subset; and determining whether
said closure intersects with said first subset.
4. The method of claim 3, further comprising: concluding that said
potential safe sub-ontology is safe if said closure does not
intersect with said first subset; and concluding that said
potential safe sub-ontology is not safe if said closure intersects
with said first subset.
5. The method of claim 1, wherein said ontology comprises: a finite
set of concepts; a finite set of individuals; a finite set of
relationships; and a finite set of metadata.
6. The method of claim 1, further comprising the step of:
optimizing said potential safe sub-ontology with respect to a
function of said potential safe sub-ontology, while maintaining
said safe status.
7. The method of claim 6, wherein said function is a counting
function.
8. The method of claim 6, wherein said optimizing comprises:
defining, for each sensitive element, a minimal set of said one or
more elements that is necessary to infer said sensitive element in
accordance with said one or more given inference rules; associating
each minimal set with a matroid; and identifying a single subset of
said one or more elements, where each element in said single subset
is independent in each minimal set.
9. The method of claim 8, wherein said identifying comprises:
defining a first intersection of all of said matroids associated
with a minimal set; reducing said first intersection to a second
intersection of a subset of said matroids; initiating a third
intersection, said third intersection being an empty intersection;
building a border graph in accordance with said third intersection;
and selecting said maximal number in accordance with said border
graph.
10. The method of claim 9, wherein said selecting comprises:
determining whether an augmenting tree exists in said border graph;
augmenting said third intersection with said augmenting tree, if
said augmenting tree is determined to exist in said border graph;
and selecting said third intersection as said maximal number, if no
augmenting tree is determined to exist in said border graph.
11. The method of claim 9, wherein said second intersection is an
intersection of three matroids.
12. A computer readable medium containing an executable program for
building a safe sub-ontology comprising one or more elements of a
given ontology, the elements comprising one or more individuals,
one or more relationships defined between the one or more
individuals and one or more pieces of metadata relating to the one
or more individuals and the one or more relationships, where the
program performs the steps of: designating at least one of said one
or more elements as a sensitive element, where a sensitive element
is an element not to be revealed; designating at least one of said
one or more elements as a potential safe sub-ontology such that
said potential safe sub-ontology does not include any elements
that, alone or in combination, allow inference of a sensitive
element, in accordance with one or more given inference rules;
verifying that said potential safe sub-ontology does not include
any elements that, alone or in combination, allow inference of a
sensitive element, in accordance with said one or more given
inference rules; and storing said potential safe sub-ontology as
the safe sub-ontology, if said verifying concludes that said
potential safe sub-ontology does not include any elements that,
alone or in combination, allow inference of a sensitive element, in
accordance with said one or more given inference rules.
13. (canceled)
14. The computer readable medium of claim 12, wherein said
verifying comprises: defining a first subset of said one or more
elements, said first subset comprising said least one of said one
or more elements that is designated as a sensitive element;
defining a second subset of said one or more elements, where said
second subset comprises a set of elements to be tested as said
potential safe sub-ontology; building a closure of said second
subset; and determining whether said closure intersects with said
first subset.
15. Apparatus for building a safe sub-ontology comprising one or
more elements of a given ontology, the elements comprising one or
more individuals, one or more relationships defined between the one
or more individuals and one or more pieces of metadata relating to
the one or more individuals and the one or more relationships, said
apparatus comprising: means for designating at least one of said
one or more elements as a sensitive element, where a sensitive
element is an element not to be revealed; means for designating at
least one of said one or more elements as a potential safe
sub-ontology such that said potential safe sub-ontology does not
include any elements that, alone or in combination, allow inference
of a sensitive element, in accordance with one or more given
inference rules; means for verifying that said potential safe
sub-ontology does not include any elements that, alone or in
combination, allow inference of a sensitive element, in accordance
with said one or more given inference rules; and means for storing
said potential safe sub-ontology as the safe sub-ontology, if said
verifying concludes that said potential safe sub-ontology does not
include any elements that, alone or in combination, allow inference
of a sensitive element, in accordance with said one or more given
inference rules.
16. A method for building a potential sub-ontology comprising one
or more elements of a given ontology, the elements comprising one
or more individuals, one or more relationships defined between the
one or more individuals and one or more pieces of metadata relating
to the one or more individuals and the one or more relationships,
the method comprising designating at least one of said one or more
elements as a sensitive element, where a sensitive element is an
element not to be revealed; including a maximal number of said one or
more elements in said potential sub-ontology, wherein said maximal
number is a greatest number of elements that can be revealed,
cumulatively, without allowing inference of a sensitive element, in
accordance with one or more given inference rules; verifying that
said potential safe sub-ontology does not include any elements
that, alone or in combination, allow inference of a sensitive
element, in accordance with said one or more given inference rules;
and storing said potential safe sub-ontology as a safe sub-ontology,
if said verifying concludes that said potential safe sub-ontology
does not include any elements that, alone or in combination, allow
inference of a sensitive element, in accordance with said one or
more given inference rules.
17. The method of claim 16, wherein said including comprises:
defining, for each sensitive element, a minimal set of said one or
more elements that is necessary to infer said sensitive element in
accordance with said one or more given inference rules; associating
each minimal set with a matroid; and identifying a single subset of
said one or more elements, where each element in said single subset
is independent in each minimal set.
18. The method of claim 17, wherein said identifying comprises:
defining a first intersection of all of said matroids associated
with a minimal set; reducing said first intersection to a second
intersection of a subset of said matroids; initiating a third
intersection, said third intersection being an empty intersection;
building a border graph in accordance with said third intersection;
and selecting said maximal number in accordance with said border
graph.
19. The method of claim 18, wherein said selecting comprises:
determining whether an augmenting tree exists in said border graph;
augmenting said third intersection with said augmenting tree, if
said augmenting tree is determined to exist in said border graph;
and selecting said third intersection as said maximal number, if no
augmenting tree is determined to exist in said border graph.
20. The method of claim 18, wherein said second intersection is an
intersection of three matroids.
Description
BACKGROUND
[0001] The invention relates generally to ontology processing, and
relates more particularly to ontology security.
[0002] A central issue under consideration by the World Wide Web
Consortium is ontology security and privacy. In particular, as
ontologies proliferate and automatic reasoners become more
powerful, it becomes more difficult to protect sensitive
information. That is, as facts can be inferred from other facts, it
becomes increasingly likely that information included in an
ontology, while not sensitive itself, may nevertheless enable
inference of information that is deemed sensitive.
[0003] A competing concern, on the other hand, is the ability to
provide an adequate or useful amount of information for ontology
processing applications such as querying, navigating and reasoning.
This concern is often at odds with the desire to limit or prevent
access to information that may contribute to the inference of
sensitive information.
[0004] Thus, there is a need for a method and apparatus for safe
ontology reasoning.
SUMMARY OF THE INVENTION
[0005] The present invention is a method and apparatus for safe
ontology reasoning, where the "safety" of an ontology encompasses
both privacy concerns and security concerns. In one embodiment, a
method for building a safe sub-ontology that includes one or more
elements of a given ontology includes designating at least one of the
elements as a sensitive element, where a sensitive element is an
element not to be revealed. The method then designates a safe
sub-ontology such that the safe sub-ontology does not include any
elements that, alone or in combination, allow inference of a
sensitive element, in accordance with one or more given inference
rules. In another embodiment, a method for building a potential
sub-ontology includes designating at least one of the elements as a
sensitive element and including a maximal number of the elements in
the potential sub-ontology, wherein the maximal number includes the
greatest number of elements that can be revealed, cumulatively,
without allowing inference of a sensitive element, in accordance
with one or more given inference rules.
BRIEF DESCRIPTION OF THE DRAWINGS
[0006] So that the manner in which the above recited embodiments of
the invention are attained and can be understood in detail, a more
particular description of the invention, briefly summarized above,
may be obtained by reference to the embodiments thereof which are
illustrated in the appended drawings. It is to be noted, however,
that the appended drawings illustrate only typical embodiments of
this invention and are therefore not to be considered limiting of
its scope, for the invention may admit to other equally effective
embodiments.
[0007] FIG. 1 is a flow diagram illustrating one embodiment of a
method for testing a subset of an ontology for "safeness",
according to the present invention;
[0008] FIG. 2 is a flow diagram illustrating one embodiment of a
method for determining a "best" safe ontology, according to the
present invention;
[0009] FIG. 3 is a flow diagram illustrating one embodiment of a
method for reducing a multi-matroid problem to a three-matroid
problem; and
[0010] FIG. 4 is a high level block diagram of the present ontology
testing method that is implemented using a general purpose
computing device.
[0011] To facilitate understanding, identical reference numerals
have been used, where possible, to designate identical elements
that are common to the figures.
DETAILED DESCRIPTION
[0012] In one embodiment, the present invention is a method and
apparatus for safe ontology reasoning. Within the context of the
present invention, the "safety" of an ontology refers to the
ontology's ability to address both privacy concerns and security
concerns. Embodiments of the present invention preserve the
integrity of sensitive information in an ontology framework by
verifying the safety of a sub-ontology made available for querying,
navigating, reasoning and other ontology processing applications.
In particular, the present invention verifies not only that
sensitive information is not included in the sub-ontologies, but
also that information from which the sensitive information can be
inferred is not included in the sub-ontologies. This substantially
reduces the likelihood of sensitive information being even
inadvertently revealed. Moreover, the present invention maximizes
the amount of information that is provided in the safe ontology, so
that the ontology can provide as much useful information as
possible while still remaining "safe" with respect to the sensitive
information.
[0013] Within the context of the present invention, a "safe" or
"secure" ontology (or sub-ontology) is defined as one that does not
contain any information that may be used to derive sensitive facts,
given a collection of inference rules.
[0014] Embodiments of the present invention define an ontology, O,
as a tuple {I, R, M} comprising a finite set of concepts, where I
is a finite set of individuals, R is a finite set of relationships
and M is a finite set of metadata (which may include
characteristics of relations, such as symmetry or transitivity, or
constraints on relationships, such as restrictions of the number of
relationships of a given type that can exist between
individuals).
[0015] A relationship, r, in the set R is expressed as a set of
triples in the form: [0016] (subject, property, object) where
"subject" is an individual (e.g., i in the set I), "property" is a
specific type of relationship, and "object" is an expression
composed of individuals and the logical operators AND, OR and NOT.
For example, the relationships (Jim isMemberOf man), (man
isEquivalentTo (person AND male)) and (American isSubsetOf person)
are all expressed as sets of triples.
[0017] Pieces, m, of metadata in M are also expressed as triples.
Specifically, a piece, m, of metadata is expressed as: [0018]
(property, constraint, value) where "property" corresponds to the
specific type of relationship (e.g., the middle member of a
relationship triple, such as isMemberOf or isEquivalentTo), "value"
is a property or constant, and "constraint" is a member of
{<, =, >, inverseOf, subPropertyOf, disjointFrom, is}. For example,
the pieces of metadata (isSubsetOf is transitive), (name=1),
(spouse<2) and (parentOf inverseOf childOf) are all expressed as
sets of triples.
[0019] Types of metadata give rise to inference rules. For
instance, the piece of metadata (ancestorOf is transitive)--i.e.,
the property "ancestorOf" is transitive--allows one to infer that
if (Adam ancestorOf Bob) and (Bob ancestorOf Carl), then (Adam
ancestorOf Carl).
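This style of metadata-driven inference can be sketched in code. The following is an illustrative simplification; the triple representation and the helper name are assumptions, not the application's implementation:

```python
# Relationships and metadata as (subject, property, object) and
# (property, constraint, value) triples, per paragraphs [0016]-[0018].
relationships = {
    ("Adam", "ancestorOf", "Bob"),
    ("Bob", "ancestorOf", "Carl"),
}
metadata = {("ancestorOf", "is", "transitive")}

def apply_transitivity(rels, meta):
    """Add (x, p, z) whenever p is declared transitive and both
    (x, p, y) and (y, p, z) are already present; repeat to a fixpoint."""
    transitive = {p for (p, c, v) in meta if c == "is" and v == "transitive"}
    inferred = set(rels)
    changed = True
    while changed:
        changed = False
        for (x, p, y) in list(inferred):
            if p not in transitive:
                continue
            for (y2, q, z) in list(inferred):
                if q == p and y2 == y and (x, p, z) not in inferred:
                    inferred.add((x, p, z))
                    changed = True
    return inferred

facts = apply_transitivity(relationships, metadata)
assert ("Adam", "ancestorOf", "Carl") in facts
```

The fixpoint loop mirrors how each piece of metadata induces an inference rule that is applied until no new facts appear.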
[0020] In one embodiment, the present invention extends the
definition of an ontology to include restricted relations of the
form: FOR_ALL individuals, i, in class C, there exists an
individual, j, in class D such that (i property j); and FOR_ALL
individuals, i, in class C, if there exists an individual, j, such
that (i property j), then j is a member of class D.
[0021] The closure, F(R), of a set of relations, R, is defined as
the total set of relations or facts that can be inferred from the
given set of relations, R, and the inference rules implied by the
set of metadata, M. If the set of metadata, M, is relatively
simple, the closure, F(R), of the set of relations, R, is also
simple to determine. For example, if the set of metadata, M, only
contains: (isSubsetOf is transitive), (isEquivalentTo is
transitive) and (isEquivalentTo is symmetric), then, given a set of
relations, R of the form: (x isSubsetOf y), (w isEquivalentTo z)
and (i isA C), the closure, F(R), of the set of relations, R, can
be computed by considering a graph, G, with edge set R (i.e., the
sets of triples in the set of relations, R, define the set of edges
of the graph, G, and the endpoints of the edges define the set of
nodes). That is, where the only available inference mechanism is
transitivity, facts may be inferred from other individual facts. In
this case, the only inferences that can be made are membership
inferences (i.e., one can infer whether a set is equivalent to or
is a subset of another set, or whether an individual is a member of
a set). The problem of determining the closure, F(R), of the set of
relations, R, thus involves simply identifying the "reachability"
set of each node, n, in the graph, G (i.e., determining for which
set of nodes, s, a path exists from n to s). This can be easily
computed, for example, by using breadth first search.
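A minimal sketch of this reachability computation, assuming the isSubsetOf triples have been reduced to directed (subject, object) edges (the helper name is hypothetical):

```python
from collections import defaultdict, deque

def reachable(edges, start):
    """Breadth-first search over directed (subject, object) edges;
    returns every node reachable from `start`, including `start`."""
    adj = defaultdict(list)
    for u, v in edges:
        adj[u].append(v)
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen

# (x isSubsetOf y) triples reduced to directed edges x -> y.
edges = [("A", "B"), ("B", "C"), ("D", "E")]
assert reachable(edges, "A") == {"A", "B", "C"}
```

For a symmetric property such as isEquivalentTo, each triple would contribute an edge in both directions before the same search is run.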
[0022] In a more general case, other transitive relations may
exist, such as "isPartOf". For example: (USA isPartOf
NorthAmerica), (State Pennsylvania isPartOf USA) or (City
Philadelphia isPartOf State Pennsylvania). Membership, in this
case, can still be determined using a simple search algorithm;
however, the search must be sensitive to the fact that paths must
comprise properties of the same type. This can also be extended to
the case where different types of properties interact to form paths
by declaring all such groups of properties as sub-properties of a
single transitive property.
[0023] FIG. 1 is a flow diagram illustrating one embodiment of a
method 100 for testing a subset of an ontology, O (where O={I, R,
M}), for "safeness", according to the present invention.
[0024] The method 100 is initialized at step 102 and proceeds to
step 104, where the method 100 defines a first subset, R.sub.s, of
the set of relationships, R, in the given ontology, O.
Specifically, the first subset, R.sub.s, contains all sensitive
relationships (facts) in the set of relationships R. For example,
the first subset, R.sub.s, may contain the triple: T.sub.1=(A
isSubsetOf E). In one embodiment, the first subset, R.sub.s, may be
defined for the method 100 by an external source (e.g., a human
operator).
[0025] In step 106, the method 100 defines a second subset, Q, of
the set of relationships, R. The second subset, Q, contains a test
subset of relationships from the set of relationships, R. That is,
the second subset, Q, is to be tested to determine its safety. For
example, the second subset, Q, may contain the triples: T.sub.2=(A
isEquivalentTo (B AND C)), T.sub.3=(A isSubsetOf D), and
T.sub.4=(E isEquivalentTo (B AND (C AND D))). In one embodiment,
the second subset, Q, may be defined for the method 100 by an
external source (e.g., a human operator).
[0026] In step 108, the method 100 builds the closure, F(Q), of the
second subset, Q, e.g., as described above. In step 110, the method
100 determines whether the closure, F(Q), of the second subset, Q,
intersects with the first subset, R.sub.s. In general, given one or
more sets of relations, M.sub.si.sup.k, for each r.sub.si in the
first subset, R.sub.s, where r.sub.si can be inferred from
M.sub.si.sup.k, but cannot be inferred from any proper subset of the
set of relations M.sub.si.sup.k, a sub-ontology containing all of the
relationships in M.sub.si.sup.k is not considered safe with respect
to the first subset, R.sub.s. However, a safe sub-ontology with
respect to the first subset, R.sub.s, may be defined as any set of
relations that does not contain all of the members of any set
M.sub.si.sup.k. In one embodiment, M.sub.si.sup.k is provided or
derived in accordance with an ontology defined by Horn clauses.
[0027] Accordingly, if the method 100 determines in step 110 that
the closure, F(Q), of the second subset, Q, intersects with the
first subset, R.sub.s, the method 100 proceeds to step 112 and
concludes that the second subset, Q, is not safe (i.e., that
information contained in the first subset, R.sub.s, can be inferred
from the information contained in the second subset, Q).
Alternatively, if the method 100 determines in step 110 that the
closure, F(Q), of the second subset, Q, does not intersect with the
first subset, R.sub.s, the method 100 proceeds to step 114 and
concludes that the second subset, Q, is safe (i.e., that
information contained in the first subset, R.sub.s, cannot be
inferred from the information contained in the second subset,
Q).
[0028] Thus, for example, based on the triples T.sub.1 through
T.sub.4 discussed above, the second subset, Q, would not be
considered safe with respect to the first subset, R.sub.s, because
the sensitive triple T.sub.1 can be inferred from the sub-ontology
(T.sub.2, T.sub.3, T.sub.4). However, if the second subset, Q,
contained only (T.sub.2, T.sub.3), only (T.sub.2, T.sub.4) or only
(T.sub.3, T.sub.4), then the second subset, Q, would be considered
safe with respect to the first subset, R.sub.s. Once a conclusion has been
reached as to the safety of the second subset, Q, the method 100
terminates in step 116.
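The intersection test of steps 108-110 can be sketched as below. The closure function here is a deliberately simplified stand-in that handles only isSubsetOf transitivity, whereas the closure contemplated by the method is more general:

```python
def closure(triples):
    """Stand-in for F(Q): infers new facts by isSubsetOf transitivity
    only; the application's closure covers more inference rules."""
    facts = set(triples)
    changed = True
    while changed:
        changed = False
        for (a, p, b) in list(facts):
            for (b2, q, c) in list(facts):
                if p == q == "isSubsetOf" and b2 == b \
                        and (a, "isSubsetOf", c) not in facts:
                    facts.add((a, "isSubsetOf", c))
                    changed = True
    return facts

def is_safe(candidate, sensitive):
    """Steps 108-110: build the closure F(Q) of the test subset Q and
    check whether it intersects the sensitive subset R_s."""
    return not (closure(candidate) & set(sensitive))

sensitive = {("A", "isSubsetOf", "E")}
q_unsafe = {("A", "isSubsetOf", "D"), ("D", "isSubsetOf", "E")}
assert not is_safe(q_unsafe, sensitive)
assert is_safe({("A", "isSubsetOf", "D")}, sensitive)
```

In the unsafe case, (A isSubsetOf E) is inferable by transitivity, so the closure intersects R.sub.s and the candidate subset is rejected.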
[0029] The present invention therefore preserves the integrity of
sensitive information in an ontology framework by verifying the
safety of a sub-ontology made available for querying, navigating,
reasoning and other ontology processing applications. That is, the
present invention verifies not only that sensitive information is
not included in the sub-ontologies, but also that information from
which the sensitive information can be inferred is not included in
the sub-ontologies. This substantially reduces the likelihood of
sensitive information being even inadvertently revealed.
[0030] FIG. 2 is a flow diagram illustrating one embodiment of a
method 200 for determining a "best" safe ontology, e.g., for use in
querying, navigating, reasoning and other ontology processing
applications, according to the present invention. In particular,
the method 200 optimizes the safe ontology, with respect to some
function of the safe ontology. In the instance of the method 200,
the function is a counting function. That is, the method 200 builds
a safe ontology that retains as many relationships as possible
(without revealing or allowing the inference of any information
deemed sensitive).
[0031] The method 200 is initialized at step 202 and proceeds to
step 204, where the method 200 defines a first subset, R.sub.s, of
the set of relationships, R, in the given ontology, O.
Specifically, the first subset, R.sub.s, contains all sensitive
relationships (facts) in the set of relationships R. In one
embodiment, the first subset, R.sub.s, is defined for the method
200 by an external source (e.g., a human operator).
[0032] In step 206, the method 200 defines, for each relationship,
r.sub.si, in the first subset, R.sub.s, the minimal set of
relationships, M.sub.si.sup.k, required to infer the given
relationship, r.sub.si. In one embodiment, the minimal set of
relationships, M.sub.si.sup.k, is defined for the method 200 by an
external source (e.g., a human operator or another application).
The goal of the method 200 thus becomes to find a maximum
cardinality set of relationships, R*, such that R* does not include
all of the relationships in any of the minimal sets of
relationships, M.sub.si.sup.k.
[0033] Thus, in step 208, the method 200 associates a matroid with
each of the minimal sets of relationships, M.sub.si.sup.k. A
matroid M(E, F) is defined by a set of elements, E, and a family,
F, of independent sets, F', of the elements, E, where the
independent sets, F', have the following properties: (1) every
subset of an independent set, F', is also independent; (2) if there
are two independent sets F.sub.k' and F.sub.k+1', of cardinalities
k and k+1, respectively, then there exists an element, e.sub.i, in
the set of elements, E, that is a member of F.sub.k+1', but not a
member of F.sub.k', and such that F.sub.k' ∪ e.sub.i is an
independent set. In one embodiment, the set of elements, E, is
finite. The set of elements, E, may contain concepts,
relationships, and/or individuals in the given ontology, O. Having
established the matroids, the goal is to find a single set of
relationships that are simultaneously independent in all of the
minimal sets of relationships, M.sub.si.sup.k (i.e., an independent
set in an intersection of the matroids defined in step 208).
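As a concrete, hypothetical instance of an independence oracle: the family of subsets of E that omit at least one element of a given minimal set behaves like a partition-style matroid (the minimal set forms a block whose capacity is one less than its size). A sketch, with names that are assumptions rather than the application's:

```python
class PartitionMatroid:
    """M(E, F): a subset is independent if it takes at most cap[b]
    elements from each block b. Illustrative only; the application
    associates a matroid with each minimal set M_si^k."""
    def __init__(self, block_of, cap):
        self.block_of = block_of   # element -> block label
        self.cap = cap             # block label -> capacity

    def independent(self, subset):
        counts = {}
        for e in subset:
            b = self.block_of[e]
            counts[b] = counts.get(b, 0) + 1
            if counts[b] > self.cap[b]:
                return False
        return True

# Block "s" holds a two-element minimal set with capacity 1, so no
# independent set may contain both t1 and t2 (i.e., reveal the whole set).
m = PartitionMatroid({"t1": "s", "t2": "s", "t3": "u"}, {"s": 1, "u": 1})
assert m.independent({"t1", "t3"})
assert not m.independent({"t1", "t2"})
```

Both matroid axioms hold for this construction: subsets of independent sets remain within the capacities, and a smaller independent set can always be extended from a larger one.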
[0034] In step 210, the method 200 defines the intersection of the
matroids. Formally, given k matroids (i.e., M.sub.1, M.sub.2, . . .
, M.sub.k), all defined over the same set of elements, E, the
intersection of the matroids is defined as M.sub.I=(E, F.sub.I),
where a subset, F, of the set of elements, E, is a member of
F.sub.I if and only if the subset, F, is independent in all of the
individual matroids.
[0035] In step 212, the method 200 reduces the intersection problem
to a fewer-matroid problem. In one embodiment, the intersection
problem is reduced to a three-matroid problem (i.e., first matroid
M.sub.1**, second matroid M.sub.2** and third matroid M.sub.3**).
One embodiment of a method for reducing a multi-matroid problem to
a three-matroid problem is described with reference to FIG. 3. For
the purposes of simplicity, the remainder of the discussion of the
method 200 will assume that the intersection has been reduced to a
three-matroid problem.
[0036] As described above, having reduced the number of matroids
(e.g., to first matroid M.sub.1**, second matroid M.sub.2** and
third matroid M.sub.3**), the goal becomes to identify an
independent set in an intersection of the matroids in the reduced
set. In one embodiment, a polynomial-bounded algorithm to find an
independent set of maximum cardinality in the intersection of two
matroids relies on the concept of an alternating chain and is an
extension of an algorithm for finding maximum cardinality
independent sets in a single matroid (i.e., find elements that are
independent of already selected elements, with the assurance that
no element, once selected, will prevent the finding of an
independent set of higher cardinality). The algorithm for finding
an independent set of maximum cardinality in the intersection of
two matroids first selects elements one at a time, maintaining
independence in both matroids, until no further elements can be
selected. However, it is not necessarily guaranteed that one can
find a maximum cardinality intersection in this manner, and even
though the algorithm may be adapted by means of an augmenting path,
this process becomes complicated for problems involving the
intersection of large numbers of matroids. Accordingly, an
alternate embodiment of a method for finding the independent set in
the intersection of the reduced set of matroids is described below
with respect to steps 214-224.
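The first, greedy phase described above (grow a set while it stays independent in every matroid) can be sketched with independence oracles. As the paragraph notes, this phase alone need not reach maximum cardinality, which is why the augmenting steps 214-224 follow; the function and oracle names here are assumptions:

```python
def greedy_common_independent(elements, independence_oracles):
    """Add elements one at a time, keeping the chosen set independent
    in every matroid; stops when no further element can be added."""
    chosen = set()
    for e in elements:
        trial = chosen | {e}
        if all(ind(trial) for ind in independence_oracles):
            chosen = trial
    return chosen

# Toy oracles over E = {1, 2, 3}: each caps the set at two elements,
# and the second also forbids taking 1 and 2 together.
ind1 = lambda s: len(s) <= 2
ind2 = lambda s: len(s) <= 2 and not {1, 2} <= s
assert greedy_common_independent([1, 2, 3], [ind1, ind2]) == {1, 3}
```

Note that the result depends on the order in which elements are tried, which is exactly the shortfall the augmenting-tree machinery is designed to repair.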
[0037] Once the number of matroids for which an intersection must
be found has been reduced (e.g., in step 208), the method 200
proceeds to step 214 and initializes an intersection, X.sub.k,
where k=0. Thus, the intersection, X.sub.k, is currently an empty
intersection.
[0038] In step 216, the method 200 forms a border graph, B, based
on the current intersection, X.sub.k. The border graph, B, is a
bipartite graph whose node set is the base set of elements, E, for
the reduced set of matroids (e.g., the first, second and third
matroids, M.sub.1**, M.sub.2** and M.sub.3**).
[0039] In step 218, the method 200 determines whether an augmenting
tree, T.sub.k, exists in the border graph, B. An augmenting tree is
a sequence of elements, e.sub.j, which can be added and/or removed
from a set of elements that are independent in a given number of
matroids, in order to create a larger set of elements that are
independent in the matroids. The augmenting tree, T.sub.k, is
rooted at a starting element (node), e.sub.1, that has no incoming
paths; is terminated at an ending element (node), e.sub.x, that has
no outgoing paths; and is comprised of additional intermediate
elements (nodes), e.sub.j, having, at most, one path leading
therein. In one embodiment, the elements, e.sub.j, in the border
graph, B, have multiple labels that are each defined as a tuple:
(S, W), where S is the set of elements, e.sub.j, in the path from
the starting element, e.sub.1, and W is the total weight of all
elements, e.sub.j, in the path (if the "best" subset of elements is
defined as a subset of maximum weight, where each potential element
in the subset is associated with an individual weight). An
augmenting tree, T.sub.k, rooted at the starting element, e.sub.1,
is thus found by labeling elements, e.sub.j, from previously
labeled elements, e.sub.k. All paths in the augmenting tree must
terminate in elements e.sub.k with degree zero. This resolves all
cycles formed while performing augmentation.
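The labeling procedure above can be sketched as a breadth-first search over the edges of the border graph. This is a simplified, illustrative sketch only, not the disclosed embodiment: it keeps a single (S, W) label per element, whereas the embodiment permits multiple labels per element, and the function and argument names are hypothetical.

```python
from collections import deque

def augmenting_sequence(edges, sources, sinks, weight=None):
    """Label elements of the border graph breadth-first from the
    starting elements: each reached element carries a label (S, W),
    where S is the path from a starting element and W is the total
    weight along that path. Returns the first path that reaches an
    ending element, or None if no augmenting sequence exists."""
    weight = weight or (lambda e: 1)
    adj = {}
    for u, v in edges:
        adj.setdefault(u, []).append(v)
    labels = {s: ([s], weight(s)) for s in sources}
    queue = deque(sources)
    while queue:
        u = queue.popleft()
        S, W = labels[u]
        if u in sinks:
            return S
        for v in adj.get(u, []):
            if v not in labels:  # simplified: label each element once
                labels[v] = (S + [v], W + weight(v))
                queue.append(v)
    return None
```

Note that a starting element that is itself an ending element is returned as a one-element sequence, matching the simplest case discussed below in which the starting element forms no cycles at all.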
[0040] In one embodiment, one or more paths in the border graph, B,
correspond to an augmenting tree or sequence from a first
intersection, X.sub.p, to a second intersection, X.sub.p+1. The
nodes of the border graph, B, are partitioned into the sets X.sub.p
and E-X.sub.p. For e.sub.i in X.sub.p and e.sub.j in E-X.sub.p, there
exists a directed edge (e.sub.j, e.sub.i) in the border graph, B,
if e.sub.j, when added to X.sub.p, forms a cycle C.sub.j.sup.(1) in
the first matroid M.sub.1** and if e.sub.i is in C.sub.j.sup.(1). A
cycle, such as the cycle C.sub.j.sup.(1), is a set that becomes
independent with respect to given inference rules by removing an
element from the set. Similarly, there exists a directed edge
(e.sub.i, e.sub.j) in the border graph, B, if e.sub.j, when added
to X.sub.p, forms a cycle C.sub.j.sup.(2) in the second matroid
M.sub.2** and if e.sub.i is in C.sub.j.sup.(2), or if e.sub.j, when
added to X.sub.p, forms a cycle C.sub.j.sup.(3) in the third
matroid M.sub.3** and if e.sub.i is in C.sub.j.sup.(3). Edges of
the border graph, B, that are based on a cycle in the first
matroid, M.sub.1**, are referred to as type-1 edges, while edges
generally based on cycles in a matroid, M.sub.k**, are referred to
as type-k edges.
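The edge construction of this paragraph can be sketched in Python. This is an illustrative sketch only, not the disclosed embodiment: the helper names (`circuit`, `border_graph`) are hypothetical, and each matroid is represented simply as an independence predicate over sets.

```python
def circuit(indep, X, e):
    """Return the unique cycle (circuit) created when element e is
    added to the independent set X, or None if X + {e} stays
    independent. Relies on the matroid property that x lies on that
    unique cycle exactly when deleting x from X + {e} restores
    independence."""
    Xe = set(X) | {e}
    if indep(Xe):
        return None
    return {x for x in Xe if indep(Xe - {x})}

def border_graph(matroids, E, X):
    """Build the directed edges of the border graph B for the current
    intersection X: type-1 edges (e_j, e_i) run from an outside
    element e_j toward X, while type-k edges (k >= 2) run (e_i, e_j)
    out of X. Each edge is returned with its type k."""
    edges = []
    for ej in set(E) - set(X):
        for k, indep in enumerate(matroids, start=1):
            C = circuit(indep, X, ej)
            if C is None:
                continue
            for ei in C - {ej}:
                edge = (ej, ei) if k == 1 else (ei, ej)
                edges.append((edge, k))
    return edges
```

For example, with two partition matroids (at most one element of {a, b}; at most one of {b, c}) and X = {b}, adding a creates a cycle in the first matroid, giving a type-1 edge into b, while adding c creates a cycle in the second matroid, giving a type-2 edge out of b.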
[0041] In the simplest case, the starting element, e.sub.1, has
neither incoming nor outgoing edges, in which case the starting
element, e.sub.1, forms no cycles with X.sub.p in any of the
matroids in the reduced set (e.g., first, second and third matroids
M.sub.1**, M.sub.2** and M.sub.3**). In this case, the starting
element, e.sub.1, is an augmenting tree by itself (i.e., it can be added
to X.sub.p to form X.sub.p+1).
[0042] The next most simple case would be where the starting
element, e.sub.1, has no incoming edges (i.e., does not form a
cycle in the first matroid, M.sub.1**, added to X.sub.p), but does
form a cycle in the second matroid M.sub.2**. In this case, if the
starting element e.sub.1 is added to X.sub.p, some other element,
e.sub.j (where e.sub.j is connected to the starting element,
e.sub.1, via a type-2 edge in the border graph, B), must be removed
from the cycle that the starting element, e.sub.1, forms in the
second matroid M.sub.2**. Thus, an edge must be found from e.sub.j
to some node e.sub.k in X.sub.p, where e.sub.j is part of the cycle
formed by e.sub.k in the first matroid, M.sub.1**. It is also
possible that the starting element, e.sub.1, has no incoming edges,
but forms cycles in both the second and third matroids, M.sub.2**
and M.sub.3**. If there is a single element, e.sub.j, that is
present in both of these cycles, the starting element, e.sub.1, can
be added; e.sub.j can be removed; and a third node, e.sub.k, which
includes e.sub.j in the cycle e.sub.k forms with X.sub.p in the
first matroid, M.sub.1**, can be added. It should be noted that
these cases are only exemplary, and an augmenting path may contain
more or fewer than three elements.
[0043] If the method 200 determines in step 218 that an augmenting
tree, T.sub.k, does not exist in the border graph, B, then the
method 200 concludes in step 220 that the current intersection,
X.sub.k, is of maximum cardinality before terminating in step 224.
This maximum cardinality intersection, X.sub.k, of the first,
second and third matroids M.sub.1**, M.sub.2** and M.sub.3**,
represents the "optimal" sub-ontology (i.e., the sub-ontology that
retains the most relationships out of all of the available safe
sub-ontologies).
[0044] Alternatively, if the method 200 determines in step 218 that
an augmenting tree, T.sub.k, does exist in the border graph, B,
then the method 200 proceeds to step 222 and augments the current
intersection, X.sub.k, in accordance with the augmenting tree,
T.sub.k. That is, the method 200 updates the current intersection,
X.sub.k, by adding the elements, e.sub.j, of the augmenting tree,
T.sub.k, that are not in X.sub.k and removing those that are. The
method 200 then returns to step
216 and proceeds as described above, first by forming a new border
graph, B, based on the current intersection, X.sub.k, which has
been newly augmented.
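Concretely, the augmentation in step 222 amounts to taking the symmetric difference of the current intersection with the elements of the augmenting sequence: outside elements are added, inside elements are removed. A minimal sketch (the function name is hypothetical):

```python
def augment(X, tree_elements):
    """Step 222 (sketch): form X_{k+1} from X_k by symmetric
    difference with the elements of the augmenting tree. Elements
    outside X_k are added and elements inside X_k are removed, so an
    alternating sequence of odd length grows the intersection by
    exactly one element."""
    return set(X) ^ set(tree_elements)
```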
[0045] FIG. 3 is a flow diagram illustrating one embodiment of a
method 300 for reducing a multi-matroid problem to a three-matroid
problem. That is, the method 300 reduces a set of k matroids to a
set of three matroids. The method 300 may be implemented, for
example, in accordance with step 212 of the method 200.
[0046] The method 300 is initialized at step 302 and proceeds to
step 304, where the method 300 makes one copy of each element, e,
in the given set of elements, E, for each minimal set of
relationships, M.sub.si.sup.k.
[0047] In step 306, the method 300 finds independent sets in each
of the matroids separately. In step 308, the method 300 determines
whether a copy, j, of an element, e.sub.i, was used in the
independent set from a given matroid, M.sub.j. If the method 300
concludes in step 308 that a copy of the element, e.sub.i, was used
in the independent set from the given matroid, M.sub.j, then the
method 300 proceeds to step 310 and uses e.sub.i in the independent
sets for all other matroids. This transforms the k-intersection
problem in a matroid, M, with m elements into a problem of finding
a maximum cardinality independent set in a new matroid M* with km
elements, but also with an additional condition (a "parity
condition") that all copies of a given element, e, be included in
any solution.
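The copying transformation and the parity condition can be sketched as follows. The tuple encoding (e, j) for the jth copy of element e and both function names are illustrative assumptions, not part of the disclosure.

```python
def make_copies(E, k):
    """Step 304 (sketch): replace each element e of E by k copies
    (e, 1), ..., (e, k), one per matroid, turning an m-element
    problem over k matroids into a k*m-element problem in the new
    matroid M*."""
    return [(e, j) for e in E for j in range(1, k + 1)]

def satisfies_parity(F, k):
    """The parity condition of paragraph [0047]: every element that
    has any copy in F must have all k of its copies in F."""
    chosen = {e for (e, j) in F}
    return all((e, j) in F for e in chosen for j in range(1, k + 1))
```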
[0048] In step 312, the method 300 removes the parity condition.
Notably, if the method 300 concludes in step 308 that a copy of the
element, e.sub.i, was not used in the independent set from the
given matroid, M.sub.j, then the method 300 proceeds directly to
step 312 without applying the copy of the element, e.sub.i, in the
independent sets for all other matroids.
[0049] In one embodiment, the parity condition is removed by
defining three additional matroids on the elements of the new
matroid M*. This is done by first defining a new element, a.sub.ij,
corresponding to each element, e.sub.ij, in the new matroid, M*.
This creates a first matroid, M.sub.1**, where M.sub.1**=(E**,
F.sub.1**), E**={e.sub.ij}.orgate.{a.sub.ij}, and F is in
F.sub.1** if, for each j, the elements, e, of F belonging to
E.sup.j (the jth copies of the set of elements, E) are independent
in M.sub.j. Thus, M.sub.1** enforces the constraints in the
original matroids.
[0050] Secondly, to enforce the parity rule, one defines second and
third matroids, respectively: M.sub.2**=(E**, F.sub.2**) and
M.sub.3**=(E**, F.sub.3**), where F is in F.sub.2** if, for all i
and j (j=1, 2, . . . , k), F does not include both e.sub.ij and
a.sub.ij; and F is in F.sub.3** if, for all i and j, F does not
include both e.sub.ij and a.sub.i,j+1 for j<k and also does not
include both e.sub.ik and a.sub.i1.
[0051] The goal of the constraints in F.sub.2** and F.sub.3** is to
allow a full set of e.sub.ij's for a given intersection or a full
set of a.sub.ij's for that given intersection, but not both. Now,
one only has to solve the problem of finding the maximum
intersection over the intersection of three matroids.
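The independence tests for M.sub.2** and M.sub.3** can be sketched directly from these definitions. In this illustrative sketch, the elements e.sub.ij and a.sub.ij are encoded as hypothetical tuples ('e', i, j) and ('a', i, j); the function names are likewise assumptions.

```python
def indep_F2(F):
    """F is independent in M_2** iff it never contains both e_ij and
    a_ij for the same i and j."""
    return not any(('a', i, j) in F for (t, i, j) in F if t == 'e')

def indep_F3(F, k):
    """F is independent in M_3** iff it never contains both e_ij and
    a_i,j+1, treating the copy index cyclically so that e_ik pairs
    with a_i1 (j % k + 1 maps j < k to j+1 and k to 1)."""
    return not any(('a', i, j % k + 1) in F
                   for (t, i, j) in F if t == 'e')
```

These two constraints work against mixing: e.sub.ij cannot coexist with a.sub.ij (by F.sub.2**) or with a.sub.i,j+1 (by F.sub.3**), which drives any maximal solution toward a full set of e-copies or a full set of a-copies for each element, as the paragraph above describes.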
[0052] Once the three new matroids have been defined, the method
300 terminates in step 314.
[0053] FIG. 4 is a high level block diagram of the present ontology
testing method that is implemented using a general purpose
computing device 400. In one embodiment, a general purpose
computing device 400 comprises a processor 402, a memory 404, an
ontology testing module 405 and various input/output (I/O) devices
406 such as a display, a keyboard, a mouse, a modem, and the like.
In one embodiment, at least one I/O device is a storage device
(e.g., a disk drive, an optical disk drive, a floppy disk drive).
It should be understood that the ontology testing module 405 can be
implemented as a physical device or subsystem that is coupled to a
processor through a communication channel.
[0054] Alternatively, the ontology testing module 405 can be
represented by one or more software applications (or even a
combination of software and hardware, e.g., using Application
Specific Integrated Circuits (ASIC)), where the software is loaded
from a storage medium (e.g., I/O devices 406) and operated by the
processor 402 in the memory 404 of the general purpose computing
device 400. Thus, in one embodiment, the ontology testing module
405 for testing ontologies for safeness described herein with reference
to the preceding Figures can be stored on a computer readable
medium or carrier (e.g., RAM, magnetic or optical drive or
diskette, and the like).
[0055] Thus, the present invention represents a significant
advancement in the field of ontology processing. A method is
provided that preserves the integrity of sensitive information in
an ontology framework by verifying the safety of a sub-ontology
made available for querying, navigating, reasoning and other
ontology processing applications. That is, the present invention
verifies not only that sensitive information is not included in the
sub-ontologies, but also that information from which the sensitive
information can be inferred is not included in the sub-ontologies.
This substantially reduces the likelihood of sensitive information
being even inadvertently revealed. Moreover, the present invention
maximizes the amount of information that is provided in the safe
ontology, so that the ontology can provide as much useful
information as possible while still remaining "safe" with respect
to the sensitive information.
[0056] While the foregoing is directed to the preferred embodiment of
the present invention, other and further embodiments of the
invention may be devised without departing from the basic scope
thereof, and the scope thereof is determined by the claims that
follow.
* * * * *