Formalizing End-to-End Context-Aware Trust Relationships in Collaborative Activities

Formalizing End-to-End Context-Aware Trust Relationships in Collaborative Activities

Dr Ioanna Dionysiou Department of Computer ScienceSchool of SciencesUniversity of Nicosia, Cyprus

International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July 26 - 29, 2008, Porto, Portugal

Dr Dave BakkenDr Carl HauserDepartment of Computer ScienceWashington State UniversityPullman, WA, USA

Dr Deborah FrinckeCyberSecurity Group Pacific Northwest National Laboratory Richland, WA, USA

Talk OutlineMotivationActivity-Oriented Trust RelationshipsTrust Model OntologyTrust Model Functionality ExampleConclusions


2

Motivating ScenarioConsider the North American electric power grid Operations in a geographical region controlled by a

single entity Electric Market Deregulation Competition! Choose among electricity providers, open bidding

Impact on stability and security of the grid itself 3500 utility organizations (public, private, federal),

many points of interaction, share data Trustworthy Data exchange among these

organizations and end-users Producer of information, consumer of information

3


Motivating Scenario (2)4


U1 is the consumer of State Estimation dataPMU Aggregation is the producer of State Estimation dataWhat U1 can say about the quality of the data?

Motivating Scenario (3)How can we answer the question? Security mechanisms are not adequate Encrypted digitally signed message Guarantee that not tampered with and no

unauthorized person read it What about the content itself? Reliable producer,

unsecure medium OR unreliable producer, secure medium?

Trust and its management Abstraction of beliefs that an entity has for specific

situations and interactions Not static but change over time Need to make decisions based on current beliefs

5


Generalized Scenario 6


Contributions of our work…A notation for specifying trust relationships tied

to a narrow context and a broad activity

An intuitive and practical way to manage trust assessment for an activity multiple trust relationships must be examined and

composed Expectations, violations, etc

7




8

Activity-Oriented Trust Relationships

9


Activity-Oriented Trust Relationships (2)

10




11

Trust Relationship Attributes1

2


Trust Relationship

τ(γ, δ, c, λ, ι, ε, id , s)

Trustor γ

Trustee δ

Context cTrust Level

λInterval ι

Expectations ε

Interaction identifier id

Status s

Trust is…13


Trustor γ, based on its current trusting attitude,believes that the extent that trustee δ

will act as expected for context c during time interval ι is λ , and this belief

is subject to the satisfaction of expectation set ε .

This relationship is valid for a specific interaction id and its status is indicated by s.

Trust Level Attribute λ Trust is subjective

Trustee trustworthinessTrustee trustworthiness Trustor’s requirements are not met

by trustees at the same degree Extent to which trustee honors trust,

if trust is placed Trustor trustfulness Trustor trustfulness

Trustor’s willingness to trust Trusting attitude

How do we capture this subjectivity? Trust level, value, degree

Continuous values Discrete values

14


Expectation Attribute εExpectation Requirement and its allowed values that a trustor has

for a particular interaction with the trustee

Expectation tuple π is a trust requirement o is a standard relational operator νo is the observed/actual value for the requirement νa is the allowed value for the requirement ev are the evaluation criteria for the specific

requirement Covering algorithm, triggering algorithm,

aggregating algorithm

15


ε(π,o,νo,νa,ev)

Expectation Attribute (2)16


Trust requirement : facet (coarse-grained), properties (fine-grained)

Observed values: evidence (either internal or external)

Expectation Attribute (3)Observed value When? Triggering method: at fixed intervals, on arrival?

How? Aggregating method: average, weighted

average? For what? Allowed value vs. Observed value VIOLATIONS!!! Covering method: strict, relaxed

17


Expectation Attribute (4)Expectation set describes all the requirements a trustor

has for a trustee in a particular relationship Not interesting by itself BUT, operations on the set ARE interesting! Define primitive comparison relationships between

elements Equal expectations Relaxed expectations

Define comparison relationships between expectation sets Strictly equal expectation sets Relaxed equal expectation sets

Define operation on sets Merging

18


Expectation Attribute (5)19


Equal Expectations (=) Expectation (π1 , o1 , νo1, νa1, ev1 ) is equal with expectation (π2 ,

o2 , νo2 , νa2 , ev2 ) if and only if (π1 = π2) (o∧ 1 = o2) (ν∧ o1 = νo2) (ν∧ a1 = νa2 ) (covering∧ 1 ev∈ 1 = covering2 ev∈ 2)

Relaxed Equal Expectations (≈) Expectation (π1 , o1 , νo1, νa1, ev1 ) is relaxed equal with

expectation (π2 , o2 , νo2 , νa2 , ev2 ) if and only if ( (π1 = π2) ∧(o1 = o2) (ν∧ o1 ≠ νo2) (ν∧ a1 ≠ νa2 ) (covering∧ 1 ev∈ 1 = covering2 ev∈ 2) ) or if ( (π1 = π2) (o∧ 1 = o2) (ν∧ o1 ≠ νo2) (ν∧ a1 = νa2 ) (covering∧ 1 ev∈ 1 = covering2 ev∈ 2) )

Expectation Attribute (6)What is the expectation set for a path as a single

entity?Merging of expectation sets!

20


fπ function for aggregating values

1. Initialize εmerge ←

2. If ε1 = ε2 then εmerge ← ε1

3. If ε1 ≈ ε2 then

∀ i:(π1 , o1 , νo1, νa1, ev1 ) ε∈ 1 , j:(π2 , o2 , νo2 , νa2 , ev2 ) ε∈ 2 such that i ≈ j do

εmerge ← εmerge {((π∪ 1 , o1 , f π (νo1 , νo2 ), f π (νa1 , νa2 ), ev1 ) )}.

€

∅

Trust Relation Properties and OperationsTrust relation is a set of trust relationships Properties Standard properties of any n-ary relation do not

hold due to the non-absolute characteristics of trust

Dynamic and composable nature Operations Changing the state of the trust relation Using the current state of the trust relation

21


Operations changing the trust relation state

22


Expiration of valid timeA trust relationship (γ, δ, c, λ, ι, ε, id , s) does not hold in relation τ if its valid interval time expires. Thus, a trust relationship τ(γ, δ, c, λ, ι, ε, id , s) is not valid in τ if the current time t1 > te, te ι∈

Arrival of New EvidenceSuppose that new evidence arrives at trustor γ for trustee δ regarding context c. The new evidence includes the trust requirement πr and the recommended value νr . All trust relationships (γ , δ , c , λi , ιi , εi , idi , si ) are updated to reflect the application of the new evidence on observed value νo

Expectation ViolationWhenever new evidence arrives, the observed value changes according to the aggregation scheme for the specific requirement. An update in the observed value may lead into expectation violation. In this case, the respective trust relationship’s status is set to ALERT

Operations using the trust relation state

23


Trust Assessment for context c in interaction idTrustor γ1 may synthesize the two tuples to derive an aggregated trust assessment for context c during interval ιi (the intersection of ι1 and ι2 ) by applying expectation set operations on the expectation sets ε1 and ε2 to derive the aggregated expectation set εi . Expectation set εi has to be checked against the various trust level specifications in order to assign the trustworthiness level λi for the new tuple (γ, δ1,2, c, λi, ιi, εi, id, s) .

End-to-end Trust Assessment for interaction idSuppose there are aggregated trust assessments for contexts c1 and c2 , which are the only contexts belonging to interaction id1 : these are tuples (γ1 , δ1 , c1 , λ1 , ι1 , ε1 , id1 , s1 ) and (γ1 , δ2 , c2 , λ1 , ι2 , ε2 , id1 , s1 ) . Trustor γ1 may compose the two tuples to derive an end-to-end trust assessment for interaction id during interval ιi (the intersection of ι1 and ι2 ) by applying expectation set operations on the expectation sets ε1 and ε2 to derive the aggregated expectation set εi . Expectation set εi has to be checked against the various level specifications in order to assign the trustworthiness level λi for the new tuple (γ, δ1,2, c, λi, ιi, εi, id, s) .



24

Revisit Original Scenario25


Trust Relation GraphTrust Relation Graph

NetworkNetwork

Revisit Original Scenario (2)

26


Trust Assessment for context c1 in interaction idτ(γC , δS1, c1 , λ1 , ι1 , ε1 , id , s ) and τ(γC , δS2, c1 , λ1 , ι2 , ε2 , id , s )

τ(γC , δS1,S2 , c1 , λ1 , ιk , εk , id , s )

εk={(authentication, =, certificate, certificate, ev1), (reliability,>=,average(0.97,0.95), average(0.95,0.95), ev2)}

ιk = [1,10]

Revisit Original Scenario (3)

27


Trust Relation GraphTrust Relation Graph

End-to-end Trust Assessment for interaction idτ(γC , δS1,S2 , c1 , λ1 , ιk , εk , id , s ) and τ(γC , δP , c2 , λ1 , ι3 , ε3 , id , s )

τ(γC , δP,S1,S2 , c1,2 , λ1 , ιm , εm , id , s )

εm= {(authentication, =,certificate, certificate, ev1), (reliability, >=, average(0.90,0.96), average(0.80,0.95), ev2)}

ιm = [1,8]



28

ConclusionsA intuitive notation to specify trust

relationships tied to an activity Allows dynamic and composable trust operations Allows a rich set of attributes to capture the trust

semantics

Current and future work,….

29


30


Thanks for your attention!! Questions?

31


Σας ευχαριστω!!!

Documents

Formalizing End-to-End Context-Aware Trust Relationships in Collaborative Activities