July 14th, SAM 2008, Las Vegas, NV
An Ad Hoc Trust Inference Model for Flexible and Controlled Information Sharing
Danfeng (Daphne) Yao
Rutgers University, New Brunswick



Motivation: Hurricane Katrina 2005


Motivation cont’d

Flexible authorization for cross-domain information sharing
– Traditional access control models are too strict
– Motivating scenario: inadequate crisis communication among FEMA & Coast Guard after Hurricane Katrina

Need to efficiently share and utilize data generated in pervasive computing environments
– Sensor data, location, etc.

Challenge: there is no central authority in this decentralized environment
– How does the resource owner adaptively make access control decisions in response to emergency situations?


Decentralized trust management

Digital identity and certificate

Most existing trust management models only work for static access control policies
– Policies are pre-defined and not adaptive to contexts
– Models cannot handle crisis and emergency situations

Our approach: ad hoc trust inference
– Allow the requester to specify emergency level
– Use fuzzy logic to integrate user information

[Figure labels: Request for access; Bob; Bob’s credential; University; Hospital; Policies; "Is Bob qualified to access DB?"]


Broader implication of dynamic authorization

Useful for flexible information sharing in mission-critical systems

[Figure: scale from 0 (Deny) to 1 (Allow)]

[JASON Report 04] studied the need for broader access model


Our idea: multimodal authorization

Authorization decisions are made based on multiple factors including the identity, history, environment associated with a request.

A requester is given multiple chances of proving trustworthiness, instead of a type of criteria.


Our ad hoc trust inference model

We introduce an attribute, urgency level, that is to be specified by the requester
– Urgency level defines how urgently a requester needs the information
– This attribute is self-claimed by the requester, e.g., urgency level = very high
– Three attribute types: identity type, history type, and environment type

We develop a mechanism that combines various attribute values and outputs a numeric trustworthiness score for the requester

Our design integrates an audit component in trust inference


Input attributes in our trust model

| Attribute type    | Attribute name       | Authentication method | Value range |
|-------------------|----------------------|-----------------------|-------------|
| Identity input    | Affiliation          | Credential            | [0, 1]      |
| History input     | Historic performance | n/a                   | [0, 1]      |
| Environment input | Urgency level        | Audit mechanism       | [0, 1]      |
| Inference output  | Trustworthiness      | n/a                   | [0, 1]      |

How does the resource owner combine these attribute values and obtain the trustworthiness of a requester?


Advantages of ad hoc trust inference with fuzzy logic

Access policies are intrinsically flexible
– Supports continuous access decisions
– More flexible than binary access verdicts

Access rules are intuitive to define
– Rules are individually defined for each attribute

Can handle incomplete and imprecise inputs
– In decentralized environments, resource owners usually do not have complete and precise inputs


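An example of membership function and degrees of membership in fuzzy logic

$$
\text{Earliness}(\text{time}) =
\begin{cases}
1, & \text{if } \text{time} \le 1200 \\
(2000 - \text{time}) / 800, & \text{if } 1200 < \text{time} \le 2000 \\
0, & \text{if } \text{time} > 2000
\end{cases}
$$

| Time of the day | Degree of earliness |
|-----------------|---------------------|
| 09:00           | 1                   |
| 14:00           | 0.75                |
| 16:00           | 0.5                 |
| 22:00           | 0                   |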


Trust inference steps

1. Define attributes from which trustworthiness may be inferred
2. Define the fuzzy variables associated with each attribute
3. For each fuzzy variable, define a membership function
4. Define the output membership function for the output variable (i.e., degrees of trustworthiness)
5. Define fuzzy rules to specify the logic used to infer the trustworthiness score from attributes


Example

Bob from FEMA needs to access US Coast Guard (USCG) database for a rescue task
– Bob has a FEMA credential
– Urgency level = very high

USCG has prior interactions with FEMA
– Affiliation score = high
– History = very high
– USCG has also defined fuzzy membership functions and fuzzy rules

Ad hoc trust inference computation produces a trustworthiness score for Bob’s request
– E.g., trustworthiness = very high

Note that the actual inference is done on crisp inputs and outputs a crisp trust score. Please refer to the paper for detailed computation.
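
The inference steps and Bob's request above, worked as a small Mamdani-style fuzzy inference in Python. This is an added example, not code from the talk or the paper; the triangular membership functions, the rule set and the numeric scores standing in for "high" and "very high" are constructed assumptions.

```python
# Added illustration: crisp attribute scores in, crisp trust score out.
# Membership functions, rules and sample scores are constructed assumptions.

def tri(x, a, b, c):
    """Triangle with feet a, c and peak b; a == b or b == c gives a shoulder."""
    if x <= a:
        return 1.0 if a == b else 0.0
    if x >= c:
        return 1.0 if b == c else 0.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)

# Fuzzy terms shared by every input variable and by the output variable.
TERMS = {"low": (0.0, 0.0, 0.5), "medium": (0.0, 0.5, 1.0), "high": (0.5, 1.0, 1.0)}

def degree(term, x):
    return tri(x, *TERMS[term])

# Fuzzy rules: IF all listed attribute terms hold (AND = min) THEN trust is <term>.
# Urgency only raises trust together with high affiliation and history.
RULES = [
    ({"affiliation": "high", "history": "high", "urgency": "high"}, "high"),
    ({"affiliation": "high", "history": "high"}, "medium"),
    ({"affiliation": "medium"}, "medium"),
    ({"history": "medium"}, "medium"),
    ({"affiliation": "low"}, "low"),
    ({"history": "low"}, "low"),
]

def infer_trust(inputs, steps=1000):
    """Map crisp inputs in [0, 1] to a crisp trustworthiness score in [0, 1]."""
    for name, value in inputs.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {value}")
    # Firing strength per output term: the strongest rule that concludes it.
    fired = {}
    for conditions, out in RULES:
        strength = min(degree(t, inputs[a]) for a, t in conditions.items())
        fired[out] = max(fired.get(out, 0.0), strength)
    # Clip each output set at its strength, take the union, defuzzify by centroid.
    num = den = 0.0
    for i in range(steps + 1):
        y = i / steps
        mu = max(min(s, degree(t, y)) for t, s in fired.items())
        num += y * mu
        den += mu
    return num / den if den else 0.0  # no rule fired: default to deny

if __name__ == "__main__":
    # Bob: affiliation "high", history and urgency "very high" (constructed scores).
    print(infer_trust({"affiliation": 0.8, "history": 0.95, "urgency": 0.95}))
```

With affiliation 0.2 and history 0.1, the score stays below 0.5 even when the self-claimed urgency is 0.95, because under these rules urgency alone never fires the "high" conclusion.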


Architecture


Audit

Urgency level is self-claimed by the requester and may be inaccurate

Audit process identifies cheating users
– A dishonest user may always claim high urgency level

Audit process selectively examines and verifies the urgency levels associated with past requesters

Dishonest user and organization will have lower trustworthiness in the future transactions
– Lower affiliation score
– Lower history score


Conclusions and Future work

Conclusions
– Crisis information sharing requires flexible trust inference mechanism
– We have presented an ad hoc trust inference framework that allows user-specified context input

Future work
– To automate audit mechanism by analyzing public and sensory information
– To apply ad hoc trust inference mechanism to manage trust in Web 2.0 applications


Acknowledgements

Professor James Garnett, Rutgers University Department of Public Policy and Administration

Funding: Rutgers University Computing Coordination Council (CCC) Pervasive Computing Initiative Grant