[Use Cases] REWERSE contribution from Paula-Lavinia Patranjan on 2005-12-06 (public-rif-wg@w3.org from December 2005)

From: Paula-Lavinia Patranjan <patranja@pms.informatik.uni-muenchen.de>
Date: Tue, 06 Dec 2005 10:58:14 +0000
To: public-rif-wg@w3.org
Message-ID: <35a8a9d551eeb372.51eeb37235a8a9d5@tcs.informatik.uni-muenchen.de>
A CONTRIBUTION OF REWERSE: USE CASES FOR THE W3C RIF WG WORK


The use cases presented here bear evidence of the necessity of having
different types of rules within a rule language. 

1. Differences between three kinds of rules


Rule-based systems refer to three different kinds of rules: normative
rules (or structural rules, or integrity constraints), deductive rules
(or deduction rules or database views or constructive rules), and
active or reactive rules. How they differ from each other can be
explained on an example:

The rule R1 "every student with major in Computer Science must have a
minor in Mathematics or in Physics" is normative because it says
whatmust be fulfilled, but not how to fulfil it. Rules with indefinte
conclusions, i.e rules with either disjunctive conclusions as R1 or
existential conclusions as for example R2: "every student with major
in Computer Science must have some minor" must in general be normative
(exceptions are the rare applications where non-deterministic choices
by the system are acceptable). Rules with definite conclusions such as
R3 "every student with major in Computer Science must have a minor in
Mathematics" can, but must not, be normative (they can also be
deductive, cf. below).  The rule R3 can be deductive, because its
conclusion is definite: It says both what must be fulfiled and how to
fulfil it. Note that rules with indefinite conclusions in general
cannot be deductive (for otherwise the system would have to choose in
a disjunct making disjunction true or a value making an existential
statement true, what is rarely acceptable).  The rule R4 "cancel the
enrollment in the lecture CS123 of every student enrolling in the
lecture CS456" is reactive because it specifies a deletion as a
reaction to an event.  Special kinds of reactive rules are called
active rules, ie specifyig an action without reacting to an event, eg
"remove my name from the list".

2. The rules of the three kinds relate to each other

The three kinds of rules not only differ, they also relate to each
other in subtile manners.

First, a normative rule stating A can be expressed as a special deduction
rule, called denial, of the form "if not A then false".

Second, deductive rules can, and often are, processed as normative
rules if systems without deductive capabilities are used. This way,
rule R3 could be used for rejecting student registrations with major
in Computer Science, but no minor in Mathematics.

Third, in some (simple) cases of reactive systems where no actions
might trigger another reactive rule, reactive behaviour can be
expressed and computed relying on deduction rules. This is for example
the case of a reactive system sending a vacation message in French as
an answer to every email with a sending address in the fr national
domain, in Gemran if the sending address is in the de national domain,
and else in English.

Forth, generating data using deduction rules or checking whether
normativce rules are enforced can be implemented using active or
reactive rules.

USE CASES

1. Negotiation I: Automated trust establishment for eCommerce

Description

Alice would like to buy online a new device at an eShop. When she
clicks on "buy it", the server processes the request and sends back to
Alice the relevant policy. When a customer wants to buy such a device,
eShop logs the requests (for marketing and statistics purposes) and
discloses a policy with the following alternatives: 

(r1) A gold card holder is given a 10% discount on any purchase.

(r2) An eShop employee gets 20% discount on devices of this type.

(r3) Any other buyer must provide to the shop credit card information
together with delivery information (address, postal code, city, and
country). 

(r4) Furthermore, the credit cards accepted are VISA and MasterCard.

The policy further states that for buyers providing a valid gold card
or who are eShop employees, no further interactions and verifications
are needed. The policy also states in case credit card information is
disclosed by a buyer, i.e. in the third of the alternatives mentioned
above, still the fullfilement of some other conditions might be
required and/or still the purchase request might be denied. That is
because eShop uses rules such as

(r5) deny purchase request if the client is in the eShop 'client black
list';

(r6) deny purchase request if the client's credit card is revoked.

Once Alice's negotiation system receives the eShop's policy, it checks
Alice's credentials that are available (locally or from third parties)
and whether some subset of these credentials fulfill the policy. Alice
has a credit card but her own policy states that she is not willing to
disclose it to everyone. Since Alice has never bought anything from
eShop in the past, her system asks eShop to provide a proof of its
membership to the Better Business Bureau (BBB), Alice's most trusted
source of information on online shops. (The Better Business Bureau
could be the root authority for a Public Key Infrastructures
hierarchy, which can be used to establish domains of trust. E.g. Visa
International could be the root authority for such a hierarchy devoted
to Visa cards.) eShop has such a credential and its policy is to
release it to any potential purchaser. Hence, it does so to Alice's
negotiation system on its request. Alice's negotiation system is now
ready to disclose her credit card information to eShop but it still
must check whether disclosing all the information does not break
Alice's denial constraints.  Alice has stated two constraints stating

(r7) to never disclose two different credit cards to the same online
shop and 

(r8) for anonymity reasons never to provide both her birth date and
postal code (indeed, they are a quasi-identifier).

For this purchase, anonymity is no issue and only information on one
credit card is requested. Thus, Alice's constraints are
respected. Alice's negotiation system therefore provides Alice's
credit card information to eShop. eShop checks that Alice is not in
its client black list, then confirms the purchase transaction,
generates an email notification to the Alice giving information about
the purchase, and notifies eShops's delivery department (r9).

The decisions taken during the negotiation could be chosen
automatically (policies define which credentials to disclose in which
conditions without user intervention), semi-automatically (user must
confirm), or manually (the user is able to decide in each step which
conditions apply). In case Alice have had a gold card, she could
automate negotiations if she had specified that the sensitivity of her
gold card is lower than the one of her credit card.

Automated trust establishment is possible when policies for every
credential and every service can be codified; so as to minimise user
intervention, the codified policies should be checked automatically
whenever possible. Note that the notion of policies refers to access
control policies, privacy policies, business rules, etc. Alice's and
eShop's policies describe who they trust and for what purposes. For
negotiation, it should be able to export the policies in a format that
can be understood by the other parties engaged in the negotiation.


Requirements:
- normative rules (r3,r4,r7,r8)
- deductive rules (r1,r2)
- reactive rules (r5,r6,r9)



------------------------------------------------------------------------------

2. Negotiation II: Automated trust establishment for accessing medical
records

Description

Alice is at the hospital Web site and tries to retrieve the medical
record of her brother Bob. A negotiation between Alice's system and
the hospital's system begins with Alice's read request over the
Web. Alice receives a policy stating that

(r1) she must be a medical employee at the hospital for reading
medical records;

(r2) if she is employed at the general medicine department she can
retrieve all data of the hospital's medical records;

(r3) if she belongs to other department, she is
allowed to retrieve only a subset of the data according to her
discipline. For determining this data subset, the hospital's system
uses deductive rules (r4).

(r5) anyone can retrieve his or her own records after disclosure of an
id to prove identity.

There exist two more policies at the hospital which are not released
to Alice but which apply to her request:

(r6) because Bob has been under psychiatric treatment at another
hospital for some years, his psychiatric consultant at that hospital
can also access his current records. Since this information would
already tell any requester (e.g. Alice) that Bob is under psychiatric
treatment, the policy is kept private and only disclosed to medical
employees of the hospital (after disclosure of the appropriate
credential);

(r7) stated by law, the hospital includes a policy stating that
patient records can be accessed by police officers with a request
signed by a judge.

In case Alice has credentials stating that she is a police officer
having such a signed request, upon her read request a notification is
sent to the manager of the hospital (r8). If the hospital manager
accepts the request, then access is granted.

It is important to note that the two above policies are applicable
even if they are not publicly advertised. That means that Bob's
psychiatric consultant can send his employee credential together with
the request and receive the data without problem.

Finally, apart of the above hospital's policies, there exist a
monitoring constraint which states that information about VIP patients
(e.g., the president of the government) is never provided online (r9).


Requirements:
- normative rules (r1,r5,r6,r7,r9)
- deductive rules (r2,r3,r4)
- reactive rules (r8)


------------------------------------------------------------------------------

3. Rule-based personalisation: Organising a vacation with friends

A couple of friends living now in different European countries want to
spend their vacation together. They use a Web-based travel service for
recommending restaurants and out of ordinary places and for making the
neccessary travel arrangements. The service combines a couple of
specific services, for example hotel reservation services and
transportation services.

Each friend has its own (personalised) profile, that is a set of rules
defining the person's likes and dislikes, interests, constraints (such
as time and finances), etc. and data about previuosly made trips,
hotels' rating, etc. Profiles are the result of monitoring activities
(e.g. visiting online museums or buying books online), filling in
online registration forms, dialogue with travel office employees, or
combinations of these. Of course, the group of friends authorised the
travel service to use and share their profiles.

So as to arrange a trip and make recommendations that suit (most of)
friends' expectations and constraints, the travel service needs to
'combine' the profiles of the persons taking part at the trip. Rules
regarding particular issues (such as dietary requirements or
activities of interest) are to be interchanged between services making
the corresponding booking of and/or recommendations for the
trip. Moreover, each such service has its own rules for determining
suitable proposals and recommendations for the planned travel.



Elaboration of rules

The following rules and data exemplify part of George's profile that
is used by the travel service:

(1) George prefers cheap restaurants, but no indian ones.

(2) George prefers to travel away from expensive, over-developed resort
areas.

(3) George prefers locations full of history.

(4) George visited the following places: ... .

The travel service uses deductive rules for inferring data
on-demand. For example statement (3) could be inferred based on the
places George has visited before by using a rule such as

(5)
IF Person visited at least three locations full of history
THEN Person prefers locations full of history

For determining the locations full of history, views (specified by
deductive rules) over a city and region database are used. For
example, such a view could contain Rome and Athen as locations full of
history.

Normative rules (or intergrity constraints) are used for example for
posing constraints regarding dietary requirements or finances:

(6)
IF restaurant R is recommended for person P
THEN R has vegetable dishes OR R has fish dishes

Reactive rules are used for monitoring activities (e.g. visiting
online museums or buying books online) and updating profiles:

(7)
IF person P orders online a tennis racket
THEN add tennis to P's activities of interest


Requirements: normative (or integrity constraints), deductive, and
reactive rules as exemplified above.


-----------------------------------------------------------------------------

4. Rule-Based Intelligent Guiding

Alice is travelling by plane to a conference in Boston via Paris.
Since she has enough time at her stopover, she decides to do some
shopping, have a coffee and call a colleague while she is changing
planes.

On arrival in Paris, she uses her Personal Digital Assistant (PDA) to
connect to the airport's information system, which provides a number
of services, including automated guiding, directory services and
other.  From the directory she chooses what stores to visit and which
cafe to go to, while the guiding service generates the shortest route
in order to connect these different locations on her way from the
arrival gate to the departure gate.  At the same time, the guiding
service calculates the approximate time necessary for the planned
route and gives a warning message if the remaining time before
boarding is too short.

During Alice's stay at the airport the PDA as well as the airport's
systems make sure that she receives updates about her journey (such as
changes of the departure gate or delays).  Likewise, if she is held up
at any point along her route through the airport or whenever she
deviates too far from the recommended route, she receives a message on
her PDA (which provides positioning by means of Wireless LAN,
IndoorGPS or similar mechanisms).  In such cases she has several
alternatives, which include calculating a new route or changing
intermediate destinations.  If for example her duty-free shopping took
too much time, she has the possibility to skip having coffee and
instead requesting new guiding information which lead directly to the
departure gate.


Elaboration of rules

Both Alice's personal organiser and the airport's guiding system use
different types fo rules for implementing their services; these rule
types are exemplified next.

The airport's guiding system uses normative rules for excluding
airport areas such as closed ones from the possible route parts to
recommend. E.g.

IF route R is recommended
THEN R passes through transit areas OR R passes through open areas

The possible transit areas and the current open areas can be
determined by means of deductive rules defining views over one or more
airport's areas databases.

Reactive rules are employed for reacting to situations such as
deviations from the recommended route that trigger the sending of
warning messages to Alice's personal organiser.

ON deviation greater than a threshold value
DO send warning message


Requirements: normative (integrity constraints), deductive, and
reactive rules as exemplified above.




-------------------------------------------------------------------------------

5. Rule-based email manipulation

Description

In many email client/server systems, a user can define her own rules
so as to automatically process incoming and outgoing messages. When a
user switches to another email system it would be desirable to be able
to interchange the rules between these systems using a rule
interchange format.

In Microsoft Outlook, for example, rules are used for automated
message processing. The rule module is called 'Rule Wizard'. A
Microsoft Outlook rule can be specified for incoming or for outgoing
messages. It consists of a set of conditions referring to the message
and its parameters, and of a set of actions. The specified conditions
determine the messages the rule applies to. Negative conditions are
called "exceptions".

The specified actions may do something with a qualifying message, such
as moving it to a specific folder or deleting or printing it, or they
may do things like playing a specific sound, starting a specific
application or sending a reply message.

So, there are two basic event types, i.e. incoming message (InMsg) and
outgoing message (OutMsg) and many action types.

A condition is a conjunction of atomic and negated ('except') atomic
conditions, where an atomic condition is a substring relation or a
string equality involving string constants and the parameters of a
message (such as ?To, ?From, ?Cc, ?Body). Thus, Outlook rules are
reactive (or Event-Condition-Action) rules, having one of the following
forms:

r1:
ON InMsg(?To, ?From, ?Cc, ?MsgBody)
IF some condition involving ?To, ?From, ?Cc, ?MsgBody holds
DO some action

r2:
ON OutMsg(?To, ?Cc, ?MsgBody)
IF some condition involving ?To, ?Cc, ?MsgBody holds
DO some action

To ease the use of rules, Microsoft Outlook provides a natural
language template interface for specifying rules.


Requirements

- reactive rules (r1,r2)

Functionalities that go beyond Microsoft Outlook are desirable:

- user-defined functions for conditions, e.g. for deleting emails which
are recognised as spam (by some user-defined, external function) with
a probability; an important role would play procedural
attachements for e.g. information retrieval services.

- user-defined actions that need to be interchanged between systems

- conflict resolution, e.g. one rule matching for sender containing
 string 'Michael' and another matching domain '@pms.ifi.lmu.de', each
 with different actions; how to react to an incoming message from
'Michael.Eckert@pms.ifi.lmu.de'?

- access to persistent data, e.g. vacation calendars.


Observations

- Is the chaining of reactive rules in this context useful?





-------------------------------------------------------------------------------


6. Rule-based reactive organiser

Description

Ken is on a business trip attending a conference in Seattle. He uses a
personal organiser for planning his trips: the organiser is notified
about changes affecting his itinerary (told by the airline, bus, or
railway companies) and has rules to automatically react
appropriately. While packing, Ken's organiser receives a notification
stating that his fight back home is cancelled due to rain and he is
instead booked for the next day. Fortunately Ken's organiser has
(reactive) rules in place to react to this event.

Ken's organiser automatically tries to extend Ken's stay in the
hotel. Since for the next night no single rooms are available, Ken is
being placed in a more expensive double room. Before the booking is
made, the new price is checked against the rules for business trip
expenses of Ken's company.

Further the organiser recognises that Ken's coming home one day late
affects its business and private plans. The organiser requests
rescheduling of Ken's business meetings on the next day by notifying
his business associates. Finally, the organiser reminds Ken to call
his girlfriend, Barbie, to postpone their date.


Elaboration of rules

Ken's organiser has several reactive rules in place to automatically
react to
events affecting his itinerary. For example in the event of a
rescheduling of Ken's flight, the following rule extends
his overnight stay. Note that the rule requires access to data
contained both in events (e.g., flight number, duration of delay) and
stored persistently (e.g., the name of the hotel where Ken is staying).

r1: 
ON rescheduling of flight by X days
IF on business trip
DO extend overnight stay by X nights


The decision that Ken can stay in a double room is governed by several
deductive and normative rules. These rules state restrictions on
business trip
expenses of Ken's company.

r2:
IF travelling alone AND single room available
THEN take single room

r3:
IF NOT single room available
THEN take double room

r4:
IF business trip in city C
THEN hotel price less then limit for C OR hotel provided by conference


The price limit for hotel expenses is determined by deductive rules,
such as the following ones. Note that the price table may be
represented as an XML document or a table in a relational database.

r5:
IF city C in Germany 
THEN hotel price limit = 10 * log10(population(C)) + 50 Euro

r6:
IF city C in country L and L != Germany
THEN hotel price limit = entry for C and L in price table


Further reactive rules take care of rescheduling Ken's business
meetings and remind him of calling his girlfriend, Barbie:

r7:
ON delay
DO request rescheduling of business meetings

r8:
ON delay
DO remind Ken to call Barbie

Note that the above reactive rules react to any kind of delay
events. Hence deductive  rules for events such as the following are needed:

r9:
ON flight delay OR flight rescheduling OR train delay
DO delay


Requirements

- normative rules or integrity constraints (r4)
- deductive rules (r2, r3, r5, r6, r9)
- reactive rules (r1, r7, r8)
Received on Tuesday, 6 December 2005 12:32:17 UTC