Abstract
The application of automated reasoning approaches to Description Logic (DL) ontologies may produce certain consequences that either are deemed to be wrong or should be hidden for privacy reasons. The question is then how to repair the ontology such that the unwanted consequences can no longer be deduced. An optimal repair is one where the least amount of other consequences is removed. Most of the previous approaches to ontology repair are of a syntactic nature in that they remove or weaken the axioms explicitly present in the ontology, and thus cannot achieve semantic optimality. In previous work, we have addressed the problem of computing optimal repairs of (quantified) ABoxes, where the unwanted consequences are described by concept assertions of the lightweight DL \(\mathcal {EL}\). In the present paper, we improve on the results achieved so far in two ways. First, we allow for the presence of terminological knowledge in the form of an \(\mathcal {EL}\) TBox. This TBox is assumed to be static in the sense that it cannot be changed in the repair process. Second, the construction of optimal repairs described in our previous work is best case exponential. We introduce an optimized construction that is exponential only in the worst case. First experimental results indicate that this reduces the size of the computed optimal repairs considerably.
Keywords
 Compliance
 Safety
 Privacypreserving ontology publishing
 Description logic
funded by DFG in project number 430150274 and TRR 248 (cpec, grant 389792660).
Download conference paper PDF
1 Introduction
Description Logics [3] are a wellinvestigated family of logicbased knowledge representation languages, which are frequently used to formalize ontologies for application domains such as biology and medicine [17]. As the size of ontologies grows, the likelihood of them containing errors increases as well. This is particularly problematic if the data, stored in the ABox, are automatically extracted from text or other sources using natural language processing or machine learning. The reasoning services of DL systems [12, 15, 22, 33], which derive implicit consequences from the explicitly represented knowledge, are not only useful once an ontology is deployed, but can also be employed for debugging purposes by exhibiting consequences that are not supposed to hold in the application domain. Another reason why one might want to remove a consequence is that it reveals private information that is supposed to be hidden [5, 14]. Once such an unwanted consequence is detected, it is often not easy to see how to repair the ontology in order to get rid of this consequence. Classical repair approaches based on axiom pinpointing [8, 21, 27, 29, 31, 32] compute maximal subsets of the ontology that do not have the consequence. The obtained result thus strongly depends on the syntactic form of the axioms. For example, it is wellknown that, for expressive DLs, a finite set of terminological axioms can be expressed by a single axiom. If the given terminology (TBox) is of this shape, then the only possible classical repair is the empty TBox. To alleviate this problem, repair approaches have been developed that replace certain axioms by weaker ones (in the sense that they have less consequences) instead of removing them completely [6, 18, 24, 34]. However, these approaches usually do not produce optimal repairs. In fact, it was shown in [6] that, even for the inexpressive DL \(\mathcal {EL}\), optimal repairs need not exist. The abstract example given there can be rephrased as follows. Assume that the TBox defines humans to be exactly those individuals that have a human parent, and that the ABox says that Sam is a human. After we find out that Sam is in fact not human [9], we want to get rid of the latter assertion, but keep the (correct) consequences saying that Sam has an unbounded chain of ancestors (of undetermined species). If the TBox is assumed to be fixed, then there is no optimal repair of the ABox since we can add only a finite number of parent assertions.
To avoid such problems, our previous work on computing optimal repairs (formulated in the guise of achieving compliance with privacy policies) restricted the attention to the case without TBox. In [5] the ABox was additionally restricted to be a socalled instance store [19], i.e., an ABox without role assertions. The privacy policy (specifying which consequences are to be removed) was given as \(\mathcal {EL}\) instance queries. In this setting, optimal repairs always exist and can be computed in exponential time, which is optimal since there may be exponentially many optimal repairs of exponential size.
In [7] these results were extended to ABoxes with role assertions. More precisely, we considered quantified ABoxes in which some individuals are anonymized by viewing them as existentially quantified variables. For example, assume that the ABox contains the information that Ben has a parent, Jerry, that is both rich and famous, and we want to remove the consequence . Classical repairs can be obtained by removing one of the assertions \( Rich ( JERRY )\), \( Famous ( JERRY )\), and \( parent ( BEN , JERRY )\). If instead we replace the first assertion with \( Rich (x)\) and \( parent ( BEN ,x)\) for an existentially quantified variable x, then we retain more consequences. Note that we could not have used an individual name (i.e., constant) \( ANNE \) instead of x since information like \( Rich ( ANNE )\) about Anne does not follow from the original ABox. We show in [7] that in this setting all optimal repairs can be computed by an exponentialtime algorithm with access to an NPoracle. The oracle is needed since our algorithm first computes a superset of the set of optimal repairs, from which nonoptimal ones need to be removed using the (NPcomplete) entailment test between (potentially exponentially large) quantified ABoxes. We also consider a modified version of entailment (called IQentailment) in [7], where quantified ABoxes are compared w.r.t. which \(\mathcal {EL}\) instance relationships they imply. Using this notion, no NPoracle is needed for computing the set of all IQoptimal repairs since IQentailment can be decided in polynomial time.
In the present paper, we improve on these results in two respects. On the one hand, we allow for the presence of terminological knowledge in the form of an \(\mathcal {EL}\) TBox, which is assumed to be correct, and thus is not changed by the repair. To deal with a TBox, the approach from [7] for computing optimal repairs must be extended in two ways. First, the ABox needs to be saturated w.r.t. the TBox before applying our repair approach. The saturated ABox has the same consequences as the original one has together with the TBox. In our Ben and Jerry example, assume that the assertion \( Rich ( JERRY )\) does not belong to the original ABox, but the TBox contains the axiom \( Famous \sqsubseteq Rich \). Then the ABox on its own does not have the unwanted consequence , but together with the TBox it does. Saturation adds the assertion \( Rich ( JERRY )\) to the ABox. For arbitrary TBoxes, saturation need not terminate. We consider two ways to remedy this problem: either allow for arbitrary TBoxes, but consider IQentailment, or use classical entailment, but consider cyclerestricted TBoxes [1]. In both cases, saturation always terminates; in the former in polynomial and in the latter in exponential time. One might be tempted to assume that, after saturation, one can simply apply the repair approach of [7] unchanged. This is not true, however, since the TBox may readd assertions that have been removed or replaced by the repair. In our example, where \( Rich ( JERRY )\) is replaced, but \( Famous ( JERRY )\) is left untouched in the repair, the repaired ABox together with the TBox would still have the unwanted consequence. Thus, the repair approach needs to be changed to take this possibility into account.
On the other hand, the construction of optimal repairs described in our previous work [5, 7], and extended in this paper such that it can deal with TBoxes, is best case exponential. The second contribution of this paper is the design of a new construction, both for classical and IQentailment, that is exponential only in the worst case. We also report on first experimental results, which indicate that this reduces the size of the computed optimal repairs considerably.
Detailed proofs of our results can be found in [4].
2 Preliminaries
Throughout this paper, we assume that \(\varSigma \) is a signature, which is a disjoint union of sets \(\varSigma _{\mathsf {O}}\), \(\varSigma _{\mathsf {C}}\), and \(\varSigma _{\mathsf {R}}\) of object names, concept names, and role names. We use symbols t, u, v, w to denote object names, A, B to denote concept names, and r, s to denote role names, all of them possibly with sub or superscripts.
As in [7], a quantified ABox (qABox) over \(\varSigma \) consists of a finite subset X of \(\varSigma _{\mathsf {O}} \), the elements of which are called variables, and a matrix , which is a finite set of concept assertions A(u) where \(u\in \varSigma _{\mathsf {O}} \) and \(A\in \varSigma _{\mathsf {C}} \), and of role assertions r(u, v) where \(u,v\in \varSigma _{\mathsf {O}} \) and \(r\in \varSigma _{\mathsf {R}} \). An nonvariable object name in is called an individual name, and the set of all these names is denoted as . We further set . Traditional DL ABoxes are qABoxes where \(X=\emptyset \); we then write instead of . The matrix of a qABox is such a traditional ABox.
An interpretation of \(\varSigma \) is a pair , where the domain is a nonempty set and the interpretation function maps each \(u\in \varSigma _{\mathsf {O}} \) to an element of , each \(A\in \varSigma _{\mathsf {C}} \) to a set , and each \(r\in \varSigma _{\mathsf {R}} \) to a binary relation over . The interpretation of \(\varSigma \) is a model of a qABox over \(\varSigma \) if there is an interpretation such that , the interpretation functions and coincide on \(\varSigma \setminus X\), and for each as well as for each .
Following [7], we define \(\mathcal {EL}\) atoms and \(\mathcal {EL}\) concept descriptions over \(\varSigma \) by simultaneous induction as follows. An \(\mathcal {EL}\) atom is either a concept name \(A\in \varSigma _{\mathsf {C}} \) or an existential restriction for some role name \(r\in \varSigma _{\mathsf {R}} \) and an \(\mathcal {EL}\) concept description C. An \(\mathcal {EL}\) concept description is a conjunction where is a finite set of \(\mathcal {EL}\) atoms. An \(\mathcal {EL}\) concept inclusion is of the form \(C\sqsubseteq D\) for \(\mathcal {EL}\) concept descriptions C and D, and an \(\mathcal {EL}\) TBox is a finite set of such concept inclusions. An \(\mathcal {EL}\) concept assertion is an expression C(u), where C is an \(\mathcal {EL}\) concept description and \(u\in \varSigma _{\mathsf {O}} \).
For each interpretation of \(\varSigma \), we extend the interpretation function to \(\mathcal {EL}\) atoms and \(\mathcal {EL}\) concept descriptions in the following manner:

,

where .
The interpretation is a model of the concept inclusion \(C\sqsubseteq D\) (the concept assertion C(u)) if (), and of the TBox if it is a model of each concept inclusion in .
To make the syntax introduced above more akin to the one usually employed for \(\mathcal {EL}\), we denote the empty conjunction \(\sqcap \emptyset \) as \(\top \) (top concept), singleton conjunctions \(\sqcap \{C\}\) as C, and conjunctions for as \(C_1\sqcap \ldots \sqcap C_n\), where \(C_1,\ldots ,C_n\) is an enumeration of the elements of in an arbitrary order. Since we do not distinguish between the singleton conjunction \(\sqcap \{C\}\) and the atom C, each atom is also a concept description. The set of subconcepts of an \(\mathcal {EL}\) concept description C is defined as follows: , , and . The set consists of all atoms contained in . These two notions are extended to TBoxes and sets of concept assertions in the obvious way.
Let \(\alpha , \beta \) be qABoxes, concept inclusions, or concept assertions (possibly not both of the same kind), and an \(\mathcal {EL}\) TBox. Then we write if the interpretation is a model of \(\alpha \). We say that \(\alpha \) entails \(\beta \) w.r.t. (written \(\alpha \models ^{\mathcal {T}}\beta )\) if every model of \(\alpha \) and is a model of \(\beta \). Furthermore, \(\alpha \) and \(\beta \) are equivalent w.r.t. (written ), if \(\alpha \models ^{\mathcal {T}}\beta \) and \(\beta \models ^{\mathcal {T}}\alpha \). In case , we will sometimes write \(\models \) instead of \(\models ^\emptyset \). If , then we also write and say that C is subsumed by D w.r.t. ; in case we simply say that C is subsumed by D. Two \(\mathcal {EL}\) concept descriptions are equivalent w.r.t. (written ) if they subsume each other w.r.t. . We write to indicate that , but . If , then a is called an instance of C w.r.t. and . For \(\mathcal {EL}\), the subsumption and the instance problem are decidable in polynomial time [2]. However, entailment between qABoxes is NPcomplete even w.r.t. the empty TBox [7].
We also use the reduced form \(C^r\) of \(\mathcal {EL}\) concept descriptions C [23], which is obtained by removing redundant subdescriptions (see [7] for details).
Adapting the results in [23], one can show that \(C \equiv ^\emptyset C^r\) and that \(C \equiv ^\emptyset D\) implies \(C^r=D^r\).
3 A Tale of Two Entailments
DLbased ontologies are usually accessed through appropriate query languages, where for the purpose of this paper it is sufficient to assume that a query language is given by a fragment of firstorder logic. Instead of comparing ontologies w.r.t. the models they have, it thus makes sense to compare them w.r.t. the answers to queries they entail [25]. Given such a query language QL and an \(\mathcal {EL}\) TBox , we say that the qABox QL entails the qABox w.r.t. (written ) if for each query \(\varphi (x_1,\ldots ,x_k)\in {\textsf {QL}}\) and each tuple of individuals \((a_1,\ldots ,a_k)\) we have that implies , where we view the TBox and the ABox as firstorder formulae and \(\models \) is classical firstorder entailment (see [25] for more details). We say that two qABox are QL equivalent w.r.t. if they QLentail each other w.r.t. , and denote this equivalence relation as .
For \(\mathcal {EL}\) ontologies, one usually considers instance queries (IQ) or conjunctive queries (CQ). The former are given by \(\mathcal {EL}\) concept descriptions, viewed as firstorder formulae with one free variable. The latter are basically qABoxes of the form , but with the elements of viewed as free variables. Replacing these free variables with a tuple of individuals thus yields a qABox in the sense introduced above. In particular, this means that CQentailment corresponds to entailment of the same qABoxes (see [7] for more details regarding the connection between conjunctive queries and qABoxes).
3.1 Classical Entailment and CQEntailment
Due to the close connection between conjunctive queries and qABoxes mentioned above, it is easy to see that the classical entailment relation \(\models ^{\mathcal {T}}\) between qABoxes, as introduced in the previous section, actually coincides with CQentailment \(\models ^{\mathcal {T}}_{\textsf {CQ}}\). To keep the notation more uniform and to distinguish this kind of entailment explicitly from IQentailment, we will usually talk about CQentailment and write \(\models ^{\mathcal {T}}_{\textsf {CQ}}\).
Whenever we compare two qABoxes and , we assume without loss of generality that they are renamed apart, which means that X is disjoint with and Y is disjoint with , and we further assume that the two qABoxes speak about the same set of individual names . For the case of an empty TBox, it was shown in [7] that iff there is a homomorphism from to . A homomorphism from to is a mapping such that \(h(a)=a\) for each \(a\in \varSigma _{\mathsf {I}} \), for each , and for each . In order to obtain a similar characterization of entailment for the case of a nonempty TBox , we need to saturate the given qABox w.r.t. .
Basically, this saturation performs what is called the chase in the database community [10, 20, 26]. Given an \(\mathcal {EL}\) TBox and a qABox , it extends the ABox by new assertions that are implied by the TBox. The rules that realize this are described in Fig. 1. Their rôle is twofold: whereas the \(\sqsubseteq \)rule adds new concept assertions that are implied by the ABox together with the TBox, the other two rules break down the complex concept assertions added by this rule into smaller parts.
In general, applying these rules need not terminate; e.g., if applied to the qABox for the TBox . There are various sufficient conditions that guarantee termination of the chase [13]. Here, we use a condition introduced in [1] in the context of unification in \(\mathcal {EL}\).
Definition 1
The \(\mathcal {EL}\) TBox is cyclerestricted if there is no nonempty sequence of role names \(r_1,\ldots ,r_k\) and \(\mathcal {EL}\) concept description C such that .
As shown in [1], it can be decided in time polynomial whether a given \(\mathcal {EL}\) TBox is cyclerestricted or not. For cyclerestricted TBoxes, CQsaturation always terminates.
Theorem 2
Let be a cyclerestricted \(\mathcal {EL}\) TBox and a qABox. Then exhaustive application of the CQsaturation rules terminates in exponential time in the size of and , and yields a qABox such that the following statements are equivalent for all qABoxes :

,

,

there is a homomorphism from to .
We can show that there are examples where the CQsaturation of a qABox w.r.t. a cyclerestricted TBox is of exponential size, and thus its computation must take exponential time. Nevertheless, the entailment relation \(\models ^{\mathcal {T}}_{\textsf {CQ}}\) can still be decided within NP by adapting results for conjunctive query answering in \(\mathcal {EL}\) [30].
3.2 IQEntailment
Recall that the qABox IQentails the qABox w.r.t. the \(\mathcal {EL}\) TBox if every concept assertion C(a) entailed w.r.t. by the latter is also entailed w.r.t. by the former. In the following we assume again that these two qABoxes are renamed apart. For the case of an empty TBox, it was shown in [7] that iff there is a simulation from to . A simulation from to is a relation such that for each \(a\in \varSigma _{\mathsf {I}} \) and, for each , implies and implies that there exists an object \(v'\in \varSigma _{\mathsf {I}} \cup X\) such that and . Since checking the existence of a simulation can be done in polynomial time [16], we conclude that IQentailment between qABoxes can be decided in polynomial time for the case of an empty TBox.
To extend these results to the case of a nonempty TBox, we again need to saturate the ABox w.r.t. the TBox. But now the saturation rules, given in Fig. 2, are more parsimonious w.r.t. the introduction of new objects. To be more precise, for each existential restriction , we assume that \(x_C\) is a fresh variable not contained in the initial qABox . When applying the rule to an assertion of the form , we always use this variable for the successor object. Due to this restriction, IQsaturation always terminates, i.e., it is not necessary to impose any restrictions on the TBox. Also note that IQsaturation basically generates a qABox representation of what is called the canonical model in [25, Section 5.2].
Theorem 3
Let be an \(\mathcal {EL}\) TBox and a qABox. Then exhaustive application of the IQsaturation rules terminates in polynomial time in the size of and , and yields a qABox such that the following statements are equivalent for all qABoxes :

,

,

there is a simulation from to .
Since can be computed in polynomial time and the existence of a simulation can be decided in polynomial time, this shows that the entailment relation \(\models ^{\mathcal {T}}_{\textsf {IQ}}\) can be decided in polynomial time.
4 Canonical Repairs
We specify what is to be repaired by a finite set of \(\mathcal {EL}\) concept assertions, which we call a repair request. A repair is a qABox that does not have any of these assertions as a consequence. This generalizes previous repair approaches [6] in that more than one consequence specified as unwanted is removed in one step. It also encompasses the notion of a privacy policy, as introduced in [7], which specifies forbidden concepts, with the meaning that one should not be able to derive that any of the individuals occurring in the qABox is an instance of such a concept. We assume that the TBox is static (i.e., may not be changed by the repair) and consider both CQ and IQentailment for comparing qABoxes.
Definition 4
Let be an \(\mathcal {EL}\) TBox and \({\textsf {QL}}\in \{{\textsf {CQ}},{\textsf {IQ}}\}\).

An \(\mathcal {EL}\) repair request is a finite set of \(\mathcal {EL}\) concept assertions.

Given a qABox and an \(\mathcal {EL}\) repair request , a QLrepair of for w.r.t. is a qABox such that and for all .

Such a repair is optimal if there is no QLrepair of for w.r.t. such that and .
Intuitively, a repair is a qABox that has no new consequences of the specified type (instance relationships or answers to conjunctive queries), and no longer has the consequences forbidden by the repair request. In an optimal repair, a minimal amount of consequences of the specified type is lost. Since there are different options for what to change when repairing a qABox, there may exist several nonequivalent optimal repairs.
In the following, let \({\textsf {QL}}\in \{{\textsf {CQ}},{\textsf {IQ}}\}\) and let be a fixed TBox, which is assumed to be cyclerestricted if \({\textsf {QL}}= {\textsf {CQ}}\). In addition, let be a repair request and be the qABox to be QLrepaired for w.r.t. . We assume that does not contain an assertion of the form C(a) such that since the presence of such an assertions would preclude the existence of a repair. If satisfies this restriction, then the empty qABox is always a repair. However, as mentioned in the introduction, this does not imply that there is an optimal repair. We will show that, for the case of IQentailment, optimal repairs always exist. For CQentailment, this is the case if the TBox is cyclerestricted. In both cases, the set of optimal repairs covers all repairs in the sense that each repair is entailed by some optimal repair.
As mentioned in the introduction, to deal with TBoxes, the approach for computing socalled canonical repairs from [7] needs to be adapted in two ways. First, one needs to QLsaturate the given qABox w.r.t. the TBox. Second, when computing canonical repairs from , the construction needs to ensure that the TBox does not reintroduce consequences that have been removed by the repair. The main idea underlying the construction of canonical repairs is to introduce variables as copies of the objects occurring in . Such a variable is of the form , where the first component of the subscript says that this is a copy of the object u. The second component is a set of atoms, with the intuitive meaning that must not be an instance of any element of . To avoid introducing unnecessary copies, certain restrictions were imposed in [7] on the sets . We add a further restriction that takes care of the TBox.
To be more precise, let be the set of subconcepts of concept descriptions occurring in or , and let be the set of atoms occurring in . The set in a variable must be a repair type for u.
Definition 5
Let and let u be an object name occurring in . A repair type for u is a subset of that satisfies the following:

1.
for each atom ,

2.
if C, D are distinct atoms in , then \(C\not \sqsubseteq ^{\emptyset }D\),

3.
is premisesaturated w.r.t. , i.e., for all with and for some , there is such that \(C\sqsubseteq ^{\emptyset }E\).
The first two conditions coincide with the ones in [7]. Basically, 1. says that we only need to remove instance relationships explicitly if they are really there. Condition 2. corresponds to the fact that preventing as a consequence also prevents if D subsumes C, and thus would be redundant if . Condition 3. ensures that instance relationships that are removed due to cannot be reintroduced by the TBox. It is easy to see that the set of repair types for u can be computed in exponential time.
Similarly to the approach in [7], canonical repairs are induced by seed functions. Such a function determines, for each individual, which instance relationships should be prevented in order to obtain a repair.
Definition 6
A repair seed function is a function s that maps each individual name to a repair type s(b) for b that satisfies the following:

if and , then s(b) contains an atom D such that \(C\sqsubseteq ^{\emptyset }D\).
Using our general assumption that the repair request does not contain a concept assertion C(a) with , we can show that there is always at least one repair seed function.
Each repair seed function induces a repair as follows.
Definition 7
Given a repair seed function s, we define the canonical QL repair induced by s as the qABox where

1.
the set Y consists of the variables for all object names u occurring in and all repair types for u, except for the case where u is an individual name and , and

2.
the matrix consists of the following assertions, where we use \(y_{b,s(b)}\) as a synonym for the individual name b:

for each concept assertion A(u) in such that ,

for each role assertion r(u, v) in such that the following holds for each : if the matrix of entails C(v), then the set contains an atom that subsumes C.

Our construction of canonical repairs based on seed functions is sound and complete in the following sense.
Proposition 8
For each repair seed function s, the induced canonical repair is a QLrepair of for w.r.t. . Conversely, if is a QLrepair of for w.r.t. , then there is a repair seed function s such that .
We define the set of all canonical QLrepairs of for w.r.t. as
As an easy consequence of Proposition 8 we obtain that contains all optimal repairs (up to equivalence). However, as in the case without a TBox, it may also contain nonoptimal repairs [7]. To compute the set of optimal repairs, one thus needs to remove such nonoptimal elements from . Since the entailment test required for this is NPcomplete for \({\textsf {QL}}= {\textsf {CQ}}\) and polynomial for \({\textsf {QL}}= {\textsf {IQ}}\), we obtain the following theorem.
Theorem 9
There is a (deterministic) algorithm that computes the set of all optimal QLrepairs of for w.r.t. and runs in exponential time. If \({\textsf {QL}}= {\textsf {CQ}}\), then this algorithm needs access to an NP oracle, whereas no such oracle is required for \({\textsf {QL}}= {\textsf {IQ}}\).
5 Optimized Repairs
The construction of the canonical repair induced by a seed function described in the previous section usually introduces an exponential number of copies for the objects occurring in the saturated qABox. The following example demonstrates that this is not always necessary to obtain an optimal repair.
Example 10
Let and consider the repair request for the qABox . There is only one repair seed function s, which assigns to a. Both for the CQ and the IQ case, the canonical repair induced by s contains \(2^n\) copies of x, namely all the variables for . However, most of these copies are redundant. In fact, we will see below that there are optimal repairs equivalent to the canonical one that contain only linearly many variables in n, both for the CQ and the IQ case.
The idea is now to construct, for a given seed function, a set of variables that is a (hopefully small) subset of the set Y introduced in Definition 7, which is nevertheless sufficient to obtain a repair equivalent to the canonical one. Note, however, that in general an exponential blowup cannot be avoided, as already shown in [5] for the case of \(\mathcal {EL}\) instance stores. Throughout this section, we assume that \({\textsf {QL}}\), , , and satisfy the properties assumed in the previous section. In addition, we assume that the repair request is reduced, i.e., every concept occurring in a concept assertion in is reduced, and if contains C(a) and D(a) for distinct concept descriptions C, D, then \(C\not \sqsubseteq ^{\emptyset }D\), and we further assume that each concept occurring in the TBox is reduced. Before we can describe our construction of the set of relevant variables, we must introduce some notation and show an auxiliary result.
Given two sets of concept descriptions and , we say that covers (written ) if each concept in is subsumed by some concept in .
Now, let s be a repair seed function and set . Recall that, according to Definition 7, a role assertion belongs to the matrix iff the saturation contains the role assertion r(t, u) and the repair type covers the set
If does not satisfy this requirement, there might be another repair type such that the canonical repair contains the assertion , and thus our optimized repair needs to contain an appropriate variable to which can be mapped by a homomorphism or simulation. We generate such variables by looking for repair types that cover both and . The set of all such repair types can effectively be computed, though it might be empty. For our purposes, it is sufficient to use only the ones that are minimal w.r.t. the cover relation \(\le \).
Lemma 11
The set of all \(\le \)minimal repair types for u that cover can be computed in exponential time.
In general, this computation may produce exponentially many repair types, but this is not always the case. For instance, consider \(a = y_{a,s(a)}\) and \(y_{x,\emptyset }\) in Example 10. We have and thus the assertion \(r(a,y_{x,\emptyset })\) is not in since \(\emptyset \) clearly does not cover . The \(\le \)minimal repair types covering are exactly the sets \(\{A_i\}\) for \(i=1,\ldots ,n\).
In the following, we construct a sequence \(Y_0,Y_1,\dots ,Y_m\) of subsets \(Y_i\) of Y such that is QLequivalent to its subqABox where contains only those assertions in involving object names in \(\varSigma _{\mathsf {I}} \cup Y_m\). Recall that we use \(y_{a,s(a)}\) as synonyms for the individuals \(a\in \varSigma _{\mathsf {I}} \).
We start with the set \(Y_0\), which is empty if \({\textsf {QL}}={\textsf {IQ}}\), and equal to the set if \({\textsf {QL}}={\textsf {CQ}}\).
The subsequent sets are obtained by exhaustively applying one of the following rules, depending on whether \({\textsf {QL}}= {\textsf {CQ}}\) or \({\textsf {QL}}= {\textsf {IQ}}\).

CQconstruction rule. If and are elements of \(\varSigma _{\mathsf {I}} \cup Y_i\), the saturation contains the role assertion r(t, u), the repair type does not cover , and is a \(\le \)minimal repair type for u that covers , but is not contained in \(\varSigma _{\mathsf {I}} \cup Y_i\), then set .

IQconstruction rule. If is an element of \(\varSigma _{\mathsf {I}} \cup Y_i\), the saturation contains the role assertion r(t, u), and is a \(\le \)minimal repair type for u that covers , but is not contained in \(\varSigma _{\mathsf {I}} \cup Y_i\), then set .
The sets \(Y_i\) are all subsets of the set Y of variables in the canonical repair. Since each rule application adds a variable, the exhaustive application of rules must terminate after finitely many steps with a set of variables \(Y_m\subseteq Y\).
Let us illustrate this construction using Example 10, first for the IQ case. We have \(a = y_{a,s(a)}\in \varSigma _{\mathsf {I}} \) and the assertion r(a, x) belongs to the saturation, which is equal to the original qABox. As mentioned above, the \(\le \)minimal repair types covering are exactly the sets \(\{A_i\}\) for \(i=1,\ldots ,n\). Thus, repeated applications of the IQconstruction rule add the variables \(y_{x,\{A_i\}}\), and the construction ends with . In the CQ case, the initial set of variables is \(Y_0^{\textsf {CQ}}= \{y_{a,\emptyset },y_{x,\emptyset }\}\). In this example, the CQconstruction rule then generates the same variables as the IQ rule, though this need not be the case in general. We end up with the final set \(Y_m^{\textsf {IQ}}\cup Y_0^{\textsf {CQ}}\).
Definition 12
Let s be a repair seed function and \(Y_m\subseteq Y\) be the set of variables obtained by an exhaustive application of the QLconstruction rule. The optimized \({\textsf {QL}}\)repair of for w.r.t. induced by s, denoted by , is the qABox where the matrix contains all assertions in involving only object names in \(\varSigma _{\mathsf {I}} \cup Y_m\).
Note that, to compute , we need not compute the larger matrix first. Instead, we just apply the definition of the matrix in Definition 7 to the object names in \(\varSigma _{\mathsf {I}} \cup Y_m\).
In our example, the optimized \({\textsf {IQ}}\)repair is the qABox with
In the optimized CQrepair, the quantifier prefix additionally contains the variables \(y_{a,\emptyset }\) and \(y_{x,\emptyset }\), and the matrix additionally contains the assertions \(r(y_{a,\emptyset },y_{x,\emptyset })\) and \(A_i(y_{x,\emptyset })\) for \(i=1,\ldots ,n\). Note that, without these assertions, the positive answer to the Boolean conjunctive query would be lost.
Coming back to the general case, we first observe that the canonical QLrepair induced by s QLentails the optimized QLrepair induced by s due to the inclusion relationship between these two qABoxes. The entailment in the other direction also holds, but this is harder to show, in particular for \({\textsf {QL}}= {\textsf {CQ}}\).
Proposition 13
For each repair seed function s, the optimized \({\textsf {QL}}\)repair induced by s \({\textsf {QL}}\)entails the canonical \({\textsf {QL}}\)repair induced by s.
Proof sketch. For \({\textsf {QL}}= {\textsf {IQ}}\), the proposition can be proved by showing that the following relation is a simulation from to :
For \({\textsf {QL}}= {\textsf {CQ}}\), we introduce a sequence of mappings , starting with if \(t\in \varSigma _{\mathsf {I}} \) and and otherwise. The initial mapping \(h_0\) need not be a homomorphism since role assertions may not be preserved. In the stepwise construction of the mappings \(h_i\) such defects are corrected, one by one. We can show that this construction always terminates after finitely many steps, yielding a homomorphism \(h_n\) from to . \(\square \)
Summing up, we have thus shown the following theorem, which implies that the optimized repairs also satisfy the properties stated in Proposition 8.
Theorem 14
For each repair seed function s, the canonical \({\textsf {QL}}\)repair induced by s and the optimized \({\textsf {QL}}\)repair induced by s are \({\textsf {QL}}\)equivalent.
6 Evaluation
To find out whether the repair approaches introduced in this paper are in principle viable for nontrivial ontologies, we made experiments for both IQ and CQrepairs with a first, rather unoptimized implementation. In addition to checking how often the implementation was able to compute a repair within a certain timeout, we also compared the sizes of optimized repairs with those of canonical repairs. We considered two different repair scenarios: repairing a single unwanted consequence for a single individual (S1), and repairing a single unwanted consequence for 10% of the individuals occurring in the ABox (S2). We report here the main results—more details and discussions can be found in [4].
As corpus for our evaluation, we chose the ontologies used in the 2015 OWL Reasoner Competition for the track OWL EL Realisation [28], since they contain a substantial amount of ABox assertions. These 109 ontologies were converted into pure \(\mathcal {EL}\) by applying standard transformations and afterwards filtering out unsupported axioms. From these ontologies, we kept those that had at most 100,000 axioms in total. The resulting corpus contained 80 ontologies.
We implemented our methods in Java, using the OWLAPI^{Footnote 1} for parsing OWL ontologies, and ELK [22] for precomputing any subsumption relationships entailed with and without the TBox potentially relevant for our repair approach. The code is available online.^{Footnote 2} All experiments were performed on an Intel(R) Core(TM) i54590 CPU with 4 cores and 32 GB RAM, of which we assigned 16 GB as maximal heap space to the Java VM.
Since it is a precondition of our repair approach, we first saturated the ontologies using the IQsaturation rules of Figure 2, and the CQsaturation rules of Figure 1. The CQsaturation rules were implemented using the rule engine VLog [11] through the Java facade Rulewerk.^{Footnote 3} As CQsaturation only terminates for cyclerestricted TBoxes, we only considered those ontologies for the CQsaturation whose IQsaturation did not introduce cycles between introduced variables. We used a timeout of 60 minutes for every saturation. This way, we successfully computed IQsaturations of every ontology, and 62 CQsaturations.
The size of the saturated ABox was usually not much larger than that of the original one, and always less than two orders of magnitude larger. Interestingly, the successful CQsaturations were rarely larger than the IQsaturations, and often even of the same size, because no variables were added.
Scenario S1 was about repairing a single faulty entailment . Since we did not have information about whether any entailments from the considered ontologies are faulty, we generated such assertions randomly. For this, we looked at entailments of the form , where . To make the repair requests more interesting, we furthermore required that C is not of the form A or , where A is a concept name. This requirement already ruled out 54 of the IQsaturated ontologies, and 44 of the CQsaturated ontologies, as they did not have any complex entailments of the required form. For Scenario S2, we randomly selected some concept which had at least one instance (surprisingly, although C was not required to be complex, this ruled out 12 ontologies, including 4 of the CQsaturated ones), together with a random selection of 10% of the individuals in , and built the repair request consisting of all assertions C(a) where a ranges over the selected individuals. For both scenarios, we selected a random seed function for the obtained repair request.
For each ontology, scenario, and \({\textsf {QL}}\in \{{\textsf {IQ}},{\textsf {CQ}}\}\), we attempted to compute optimised QLrepairs for 50 different repair requests. We also tried to compute the set of objects that would be included in the canonical repairs, to get an idea of the impact of our optimisation. For each such repair computation, we used a timeout of 10 minutes. Since all repair requests used only concept descriptions that were already in the input ontology, the number of objects in the canonical repair was independent of the repair request. We thus performed the latter computation only once for each ontology. The success rates were as follows:

The objects included in the canonical IQ and CQrepair could be computed within the timeout and without memory exceptions for respectively only 52.9 % and 62.1 % of the ontologies.

For S1, we could compute the optimized IQrepair in 99.9 %, and the optimised CQrepair in 100.0 % of all attempts.

For S2, 98.9 % of IQrepairs and 99.9 % of CQrepairs were successful.
This shows that the optimizations introduced in Section 5 have a very positive impact on the viability of our repair approach.
Fig. 3 gives more information on the number of objects and assertions in the computed repairs. On the left, we consider canonical and optimised IQrepairs for scenario S2: specifically, we look at the difference in numbers of individuals occurring in the repair compared to the input ABox.
In the middle and on the right, we visualise the difference between the number of assertions in the optimized IQ and CQrepairs, compared to the input ABoxes, for the scenarios S1 and S2, respectively. By construction, CQrepairs cannot contain less assertions than the input ontologies. Sometimes the CQrepairs were smaller than the corresponding IQrepairs, which is due to the different saturation methods: variables introduced by the IQsaturation could be connected to more individuals than for the CQsaturation.
7 Conclusion
This paper presents approaches for repairing DLbased ontologies, in the sense that they allow to get rid of unwanted consequences. In contrast to most of the other work on ontology repair, our goal is to compute optimal repairs, i.e., ones that lose the least amount of other consequences. As relevant consequences to be preserved, we consider both answers to conjunctive queries (CQ) and answers to \(\mathcal {EL}\) instance queries (IQ). The presented results improve on our previous work in this direction in two respects. First, we allow for the presence of a TBox, which is assumed to be static (i.e., cannot be changed by the repair), whereas before we assumed that the TBox is empty. Second, we develop a more efficient construction of optimal repairs, which is exponential only in the worst case. Our experimental results show that this optimization makes our repair approach viable also for fairly large ontologies, at least for the IQ case.
One question for future research is how to lift the restriction to cyclerestricted TBoxes in the CQ case. Since optimal repairs need not longer exist then, one can ask whether the existence question is decidable, and how to compute optimal repairs if they exist. We have already noticed in our first attempts to tackle this problem that optimal repairs may then become larger than singleexponential.
In this and in our previous work, we have assumed that unwanted consequences are specified as \(\mathcal {EL}\) instance relationships. Another interesting open question is whether our results can be generalized to a setting where unwanted consequences are specified as answers to conjunctive queries, as e.g. in [14].^{Footnote 4}
Notes
 1.
 2.
 3.
 4.
References
Baader, F., Borgwardt, S., Morawska, B.: Extending unification in \(\cal{EL}\) towards general TBoxes. In: Proc. of the 13th Int. Conf. on Principles of Knowledge Representation and Reasoning (KR 2012). pp. 568–572. AAAI Press/The MIT Press (2012)
Baader, F., Brandt, S., Lutz, C.: Pushing the \(\cal{EL}\) envelope. In: Kaelbling, L.P., Saffiotti, A. (eds.) IJCAI05, Proceedings of the Nineteenth International Joint Conference on Artificial Intelligence, Edinburgh, Scotland, UK, July 30  August 5, 2005. pp. 364–369. Professional Book Center (2005)
Baader, F., Horrocks, I., Lutz, C., Sattler, U.: An Introduction to Description Logic. Cambridge University Press (2017)
Baader, F., Koopmann, P., Kriegel, F., Nuradiansyah, A.: Computing optimal repairs of quantified ABoxes w.r.t. static \(\cal{EL}\) TBoxes (extended version). LTCSReport 2101, Chair of Automata Theory, Institute of Theoretical Computer Science, Technische Universität Dresden, Dresden, Germany (2021), https://lat.inf.tudresden.de/research/reports/2021/BaKoKrNuLTCS2101.pdf
Baader, F., Kriegel, F., Nuradiansyah, A.: Privacypreserving ontology publishing for \(\cal{EL}\) instance stores. In: Calimeri, F., Leone, N., Manna, M. (eds.) Logics in Artificial Intelligence  16th European Conference, JELIA 2019, Rende, Italy, May 7–11, 2019, Proceedings. Lecture Notes in Computer Science, vol. 11468, pp. 323–338. Springer (2019)
Baader, F., Kriegel, F., Nuradiansyah, A., Peñaloza, R.: Making repairs in description logics more gentle. In: Thielscher, M., Toni, F., Wolter, F. (eds.) Principles of Knowledge Representation and Reasoning: Proceedings of the Sixteenth International Conference, KR 2018, Tempe, Arizona, 30 October  2 November 2018. pp. 319–328. AAAI Press (2018)
Baader, F., Kriegel, F., Nuradiansyah, A., Peñaloza, R.: Computing compliant anonymisations of quantified aboxes w.r.t. \(\cal{EL}\) policies. In: Pan, J.Z., Tamma, V.A.M., d’Amato, C., Janowicz, K., Fu, B., Polleres, A., Seneviratne, O., Kagal, L. (eds.) The Semantic Web  ISWC 2020  19th International Semantic Web Conference, Athens, Greece, November 2–6, 2020, Proceedings, Part I. Lecture Notes in Computer Science, vol. 12506, pp. 3–20. Springer (2020)
Baader, F., Suntisrivaraporn, B.: Debugging SNOMED CT using axiom pinpointing in the description logic \(\cal{EL}^+\). In: Proceedings of the International Conference on Representing and Sharing Knowledge Using SNOMED (KRMED’08). Phoenix, Arizona (2008)
Boyle, T.C.: Talk to Me. Bloomsbury Publishing (2021), To appear
Calì, A., Lembo, D., Rosati, R.: On the decidability and complexity of query answering over inconsistent and incomplete databases. In: Neven, F., Beeri, C., Milo, T. (eds.) Proceedings of the TwentySecond ACM SIGACTSIGMODSIGART Symposium on Principles of Database Systems, June 9–12, 2003, San Diego, CA, USA. pp. 260–271. ACM (2003)
Carral, D., Dragoste, I., González, L., Jacobs, C.J.H., Krötzsch, M., Urbani, J.: Vlog: A rule engine for knowledge graphs. In: Ghidini, C., Hartig, O., Maleshkova, M., Svátek, V., Cruz, I.F., Hogan, A., Song, J., Lefrançois, M., Gandon, F. (eds.) The Semantic Web  ISWC 2019–18th International Semantic Web Conference. Lecture Notes in Computer Science, vol. 11779, pp. 19–35. Springer (2019)
Glimm, B., Horrocks, I., Motik, B., Stoilos, G., Wang, Z.: Hermit: An OWL 2 reasoner. J. Autom. Reason. 53(3), 245–269 (2014)
Grau, B.C., Horrocks, I., Krötzsch, M., Kupke, C., Magka, D., Motik, B., Wang, Z.: Acyclicity notions for existential rules and their application to query answering in ontologies. J. Artif. Intell. Res. 47, 741–808 (2013)
Grau, B.C., Kostylev, E.V.: Logical foundations of linked data anonymisation. J. Artif. Intell. Res. 64, 253–314 (2019)
Haarslev, V., Hidde, K., Möller, R., Wessel, M.: The RacerPro knowledge representation and reasoning system. Semantic Web 3(3), 267–277 (2012)
Henzinger, M.R., Henzinger, T.A., Kopke, P.W.: Computing simulations on finite and infinite graphs. In: 36th Annual Symposium on Foundations of Computer Science, Milwaukee, Wisconsin, USA, 23–25 October 1995. pp. 453–462. IEEE Computer Society (1995)
Hoehndorf, R., Schofield, P.N., Gkoutos, G.V.: The role of ontologies in biological and biomedical research: A functional perspective. Brief. Bioinform. 16(6), 1069–1080 (2015)
Horridge, M., Parsia, B., Sattler, U.: Laconic and precise justifications in OWL. In: Sheth, A.P., Staab, S., Dean, M., Paolucci, M., Maynard, D., Finin, T.W., Thirunarayan, K. (eds.) The Semantic Web  ISWC 2008, 7th International Semantic Web Conference, ISWC 2008, Karlsruhe, Germany, October 26–30, 2008. Proceedings. Lecture Notes in Computer Science, vol. 5318, pp. 323–338. Springer (2008)
Horrocks, I., Li, L., Turi, D., Bechhofer, S.: The instance store: DL reasoning with large numbers of individuals. In: Haarslev, V., Möller, R. (eds.) Proceedings of the 2004 International Workshop on Description Logics (DL2004), Whistler, British Columbia, Canada, June 6–8, 2004. CEUR Workshop Proceedings, vol. 104. CEURWS.org (2004)
Johnson, D.S., Klug, A.C.: Testing containment of conjunctive queries under functional and inclusion dependencies. In: Ullman, J.D., Aho, A.V. (eds.) Proceedings of the ACM Symposium on Principles of Database Systems, March 29–31, 1982, Los Angeles, California, USA. pp. 164–169. ACM (1982)
Kalyanpur, A., Parsia, B., Horridge, M., Sirin, E.: Finding all justifications of OWL DL entailments. In: Proc. of ISWC’07. Lecture Notes in Computer Science, vol. 4825, pp. 267–280. SpringerVerlag (2007)
Kazakov, Y., Krötzsch, M., Simancik, F.: The incredible ELK  from polynomial procedures to efficient reasoning with \(\cal{EL}\) ontologies. Journal of Automed Reasoning 53(1), 1–61 (2014)
Küsters, R.: Nonstandard Inferences in Description Logics. Lecture Notes in Artificial Intelligence, vol. 2100. SpringerVerlag (2001)
Lam, J.S.C., Sleeman, D.H., Pan, J.Z., Vasconcelos, W.W.: A finegrained approach to resolving unsatisfiable ontologies. J. Data Semant. 10, 62–95 (2008)
Lutz, C., Wolter, F.: Deciding inseparability and conservative extensions in the description logic \(\cal{EL}\). J. Symb. Comput. 45(2), 194–228 (2010)
Maier, D., Mendelzon, A.O., Sagiv, Y.: Testing implications of data dependencies. ACM Trans. Database Syst. 4(4), 455–469 (1979)
Meyer, T., Lee, K., Booth, R., Pan, J.Z.: Finding maximally satisfiable terminologies for the description logic \(\cal{{ALC}}\). In: Proc. of the 21st Nat. Conf. on Artificial Intelligence (AAAI 2006). AAAI Press/The MIT Press (2006)
Parsia, B., Matentzoglu, N., Gonçalves, R.S., Glimm, B., Steigmiller, A.: The OWL Reasoner Evaluation (ORE) 2015 competition report. Journal of Automed Reasoning 59(4), 455–482 (2017)
Parsia, B., Sirin, E., Kalyanpur, A.: Debugging OWL ontologies. In: Ellis, A., Hagino, T. (eds.) Proc. of the 14th International Conference on World Wide Web (WWW’05). pp. 633–640. ACM (2005)
Rosati, R.: On conjunctive query answering in \(\cal{EL}\). In: Calvanese, D., Franconi, E., Haarslev, V., Lembo, D., Motik, B., Turhan, A., Tessaris, S. (eds.) Proceedings of the 2007 International Workshop on Description Logics (DL2007), BrixenBressanone, near BozenBolzano, Italy, 8–10 June, 2007. CEUR Workshop Proceedings, vol. 250. CEURWS.org (2007)
Schlobach, S., Cornet, R.: Nonstandard reasoning services for the debugging of description logic terminologies. In: Gottlob, G., Walsh, T. (eds.) Proc. of the 18th Int. Joint Conf. on Artificial Intelligence (IJCAI 2003). pp. 355–362. Morgan Kaufmann, Los Altos, Acapulco, Mexico (2003)
Schlobach, S., Huang, Z., Cornet, R., Harmelen, F.: Debugging incoherent terminologies. J. Automated Reasoning 39(3), 317–349 (2007)
Steigmiller, A., Liebig, T., Glimm, B.: Konclude: System description. J. Web Semant. 27–28, 78–85 (2014)
Troquard, N., Confalonieri, R., Galliani, P., Peñaloza, R., Porello, D., Kutz, O.: Repairing ontologies via axiom weakening. In: McIlraith, S.A., Weinberger, K.Q. (eds.) Proceedings of the ThirtySecond AAAI Conference on Artificial Intelligence, (AAAI18), the 30th innovative Applications of Artificial Intelligence (IAAI18), and the 8th AAAI Symposium on Educational Advances in Artificial Intelligence (EAAI18), New Orleans, Louisiana, USA, February 2–7, 2018. pp. 1981–1988. AAAI Press (2018)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2021 The Author(s)
About this paper
Cite this paper
Baader, F., Koopmann, P., Kriegel, F., Nuradiansyah, A. (2021). Computing Optimal Repairs of Quantified ABoxes w.r.t. Static \(\mathcal {EL}\) TBoxes. In: Platzer, A., Sutcliffe, G. (eds) Automated Deduction – CADE 28. CADE 2021. Lecture Notes in Computer Science(), vol 12699. Springer, Cham. https://doi.org/10.1007/9783030798765_18
Download citation
DOI: https://doi.org/10.1007/9783030798765_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783030798758
Online ISBN: 9783030798765
eBook Packages: Computer ScienceComputer Science (R0)