Sphinx: a Colluder-Resistant Trust Mechanism for ......own group (to the eyes of everyone else), while worsening the trust of those outside the group, is known as a coalition. We propose

This work is licensed under a Creative Commons Attribution 3.0 License. For more information, see http://creativecommons.org/licenses/by/3.0/.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI10.1109/ACCESS.2018.2880297, IEEE Access

Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000.

Digital Object Identifier 10.1109/ACCESS.2017.DOI

Sphinx: a Colluder-Resistant TrustMechanism for Collaborative IntrusionDetectionCARLOS GARCIA CORDERO1, GIULIA TRAVERSO2, MEHRDAD NOJOUMIAN3, SHEIKHMAHBUB HABIB4, MAX MÜHLHÄUSER5, JOHANNES BUCHMANN6 AND EMMANOUILVASILOMANOLAKIS71Technische Universität Darmstadt, Darmstadt, Germany (e-mail: [email protected])2Technische Universität Darmstadt, Darmstadt, Germany (e-mail: [email protected])3Florida Atlantic University (USA) (e-mail: [email protected])4Continental AG, Frankfurt, Germany (e-mail: [email protected])5Technische Universität Darmstadt, Darmstadt, Germany (e-mail: [email protected])6Technische Universität Darmstadt, Darmstadt, Germany (e-mail: [email protected])7Technische Universität Darmstadt, Darmstadt, Germany (e-mail: [email protected])

Corresponding author: Carlos Garcia Cordero.

ABSTRACT The destructive effects of cyber-attacks demand more proactive security approaches. Onesuch promising approach is the idea of Collaborative Intrusion Detection Systems (CIDSs). These systemscombine the knowledge of multiple sensors (e.g., intrusion detection systems, honeypots or firewalls) tocreate a holistic picture of a monitored network. Sensors monitor parts of a network and exchange alert datato learn from each other, improve their detection capabilities and ultimately identify sophisticated attacks.Nevertheless, if one or a group of sensors is unreliable (due to incompetence or malice), the system mightmiss important information needed to detect attacks. In this article, we propose Sphinx, an evidence-basedtrust mechanism capable of detecting unreliable sensors within a CIDS. Sphinx detects, both, single sensorsor coalitions of dishonest sensors that lie about the reliability of others to boost or worsen their trust score.Our evaluation shows that, given an honest majority of sensors, dishonesty is punished in a timely manner.Moreover, if several coalitions exist, even when more than 50% of all sensors are dishonest, dishonesty ispunished.

INDEX TERMS clustering, collaborative intrusion detection, machine learning, mixture models, sensorreliability, trust management

I. INTRODUCTION

Recent cyber-attacks such as the Distributed Denial of Ser-vice (DDoS) attacks of the Internet of Things (IoT)-enabledMirai botnet [1] highlight the need for novel cyber-defensemechanisms. Over the last years a lot of research has beenconducted towards the notion of collaborative defense [2],[3]. The core idea behind this is, as the name implies, toutilize the knowledge of multiple monitoring entities (so-called sensors) to create a holistic picture of a monitorednetwork.

Sensors (e.g., honeypots, intrusion detection systems, fire-walls, etc.) identify attacks on a communication’s network soas to mitigate disruptions. However, isolated sensors cannoteffectively detect coordinated attacks, especially in large-scale networks, unless they collaborate [3]. As a result, Col-

laborative Intrusion Detection Systems (CIDSs) have beenproposed as a line of defense suitable to modern networkcommunications. A CIDS can identify sophisticated andcoordinated attacks as follows. Upon discovering suspiciousbehavior, sensors can raise and share alarms with each other.Afterwards, by aggregating and correlating alert data, theCIDS is able to identify attacks that would otherwise beinvisible to isolated sensors.

A major challenge in the field of CIDSs is dealing with thetrustworthiness of sensors. That is, the overall accuracy of aCIDS can severely degrade when sensors are compromisedand report false data, or when sensors are unreliable andeither submit false data or no data at all. To cope with this,a computational trust mechanism can be utilized inside theCIDS. In this article, we propose a trust mechanism that

VOLUME 4, 2016 1



Garcia et al.: Sphinx: a Colluder-Resistant Trust Mechanism for Collaborative Intrusion Detection

identifies honest and dishonest sensors taking into accounttheir reliability. Honest sensors are sensors with the commongoal of sharing information as accurately as possible withinthe CIDS. Conversely, dishonest sensors may only share in-formation that would advance their personal goals. Dishonestsensors may also tamper the information they share or col-lude with other dishonest sensors in the tampering process. Agroup of coordinated dishonest sensors that collude with thecommon goal of improving the trust of the sensors in theirown group (to the eyes of everyone else), while worseningthe trust of those outside the group, is known as a coalition.

We propose Sphinx1, an evidence-based trust mechanismthat uses the sensing reliability of participating sensors todetect dishonesty2. Beyond detecting one (single) dishonestsensor, we also consider the scenario of detecting coalitions.With Sphinx, we make the following contributions on top ofthe state of the art:• We develop a trust mechanism for CIDSs that takes

into account the reliability of a sensor as part of itstrustworthiness (in addition to an evidence-based trustscore).

• We detect both isolated malicious and incompetent sen-sors as well as groups of malicious sensors that formcoalitions. In addition, we are agnostic with regard to theCIDS architecture. Sphinx works analogously in fullydistributed as well as centralized CIDSs3.

• Contrary to the state of the art, we relax the assumptionthat malicious sensors always behave consistently. Weenable Sphinx to detect dishonest sensors that choose,with some probability, to act as honest sensors.

The reminder of the article is organized as follows. Relatedwork is discussed in Section II. This is followed by Sec-tion III, where our proposal, Sphinx, is detailed. A detailedevaluation is presented in Section IV and conclusions can befound in Section V.

II. RELATED WORKTrust mechanisms are referred to as evidence-based trustmechanisms when they rely on evidence derived from pastinteractions. More precisely, evidence can be derived fromdirect interactions between a trustor and a trustee. Directinteractions, however, may be rare in certain cases, e.g.,newcomers in service marketplaces. Thus, evidence-basedmechanisms also consider evidence derived from indirectinteractions. That is, an entity provides another with evidence

1In ancient Greek mythology Sphinx was a creature that guarded theentrance to the city of Thebes asking travelers a riddle to allow them passage;hence allowing only trustworthy and/or knowledgeable entities to enter. Oursystem is inspired by Sphinx as it requires sensors to reliably and correctlyanswer requests.

2Note that the theoretical basis behind Sphinx is not only applicable withinthe context of CIDSs. In fact, we introduced the basis of the trust mechanism,that Sphinx is using, and demonstrated how it can be applied to the field ofsocial secret sharing in the short paper [4]. The article at hand provides anextended version of the aforesaid work, along with an adaption to the CIDScontext, less unrealistic assumptions, the support for smart attackers and lastbut not least a full fledged evaluation.

3For an introduction to the different CIDS network architectures see [3].

about its past interactions with a third entity. This is usuallyreferred to as exchange of recommendations. In the casethat both direct and indirect interactions are not available,one may rely on evidence derived from virtual cues, e.g.,certifications or stereotypes. In this article, we are interestedin computational trust models that consider the past evidence(via direct or indirect interactions) of a trustees’ behaviorto estimate the future trustworthiness of that trustee. In thisSection, we examine diverse evidence-based trust mecha-nisms based on statistical and machine learning techniques.Furthermore, we highlight key trust mechanisms appliedwithin CIDSs.

A. BAYESIAN TRUST MODELS

Bayesian trust models [5]–[9] leverage Bayesian probabili-ties [10] to estimate the future behavior (i.e., the trust score)of a trustee. The Beta probability density function is used inthis models to estimate the future behavior based on evidencecollected from past interactions. For instance, the reputationsystem proposed in [5] calculates trust scores following theBeta distribution. The system, however, is not able to filterout dishonest evidence, making the system ineffective whenevidence is not honest. A more robust reputation system isintroduced in [6]. This reputation system uses the honestyof the participants to build trust relationships. The main ideais to learn from the observation of others before learningfrom direct interaction. In other words, reputation ratings areincorporated into the view of others.

An extension of the Bayesian probabilistic model is theevent-based trust mechanism proposed in [7], which handlesso called event-structure frameworks [11]. This work pro-vides a formal framework based on information divergenceto measure the quality of probabilistic trust mechanisms. Fur-thermore, the trust-aware model introduced in [8], addressingservice-oriented environments, formalizes a Bayesian serviceselection model focusing on monitoring and exploring ser-vice composition. The work shows how one can reward orpunish services dynamically even with incomplete knowl-edge of the composition.

B. MACHINE LEARNING FOR TRUST MODELS

Nowadays, an increasing amount of evidence (or data) is gen-erated by large-scale web applications, e.g., social media, e-commerce or recommender systems. Machine learning tech-niques are used by researchers to model complex scenariosby answering two fundamental questions in trust research.The first question being: in the absence of past behavior,how can trustworthiness be estimated? And second, how canthe dynamic behavior of a target be estimated from differentinteractions?

To address the first question, stereotyping models,e.g., [12], use the trustor’s past experience with other similarentities. These models harness trust-relevant features usingmachine learning techniques [13] (e.g., Linear DiscriminantAnalysis (LDA), Decision Tree (DT) or M5 model trees) to

2 VOLUME 4, 2016




extract connections between potential interactions and pastinteractions.

To address the second question, Tang et al. [14] address theissue of dynamic behavior. The authors analyze the evolutionof trust by investigating the online dynamics of users inreview sites like Epinions4. It turns out that trust is stronglycorrelated to the similarity of the preference of the users.To capture their preference evolution, or dynamic trust, theauthors use machine learning approaches such as latent factormodels [15]. Moreover, in evidence-based trust mechanisms,evidence is often provided by different sources. Honesty ofthe source of information is key for reliable trust estimationand, thus, it is essential to determine whether the infor-mation source is unbiased or not. Existing evidence-basedtrust models use unsupervised approaches, like statisticaldeviation [16], to identify responses that are very differentfrom others. The assumption here is that biased responses area small subset of all responses. Furthermore, in large-scaleopen systems like social networks, the behavior of an entitywith respect to others may vary so as to maximize profits.Approaches based on Hidden Markov Models [17] havealso proven effective in detecting and correcting dynamicbehavior.

Our article addresses the second question (of how canthe dynamic behavior of a target be estimated from differentinteractions) by using machine learning techniques to designour system. We use unsupervised clustering algorithms toidentify evidence created by dishonest participants. In con-trast to related work, with the techniques of fitting mixtureof Gaussians to clusters, we identify unreliable evidencesubmitted by colluding participants. This confers Sphinx thecapability to downgrade the trustworthiness of groups ofparticipants that have chosen to collude.

C. TRUST MANAGEMENT WITHIN CIDSsIn the early days of CIDS research, it was mostly assumedthat every collaborating sensor was honest; all having thecommon goal of detecting coordinated attacks [3]. Moreimplicitly, but equally important, it was also assumed that thesensing capabilities of collaborating sensors were reliable.That is, collaborating sensors could be trusted to reliablymonitor (i.e., sense) the network point to which they wereassigned. In recent years, the assumption that there wereno insider threats has been taken more seriously, e.g., [18],[19]. The assumption that the sensing capabilities of sensorsmight not be reliable, however, has not been extensivelyaddressed in related work. With Sphinx, we aim at proposingan approach to address this issue when sensing reliabilitycannot be directly obtained. Instead, we assume that thisinformation can only be indirectly obtained by asking othersensors; which enables sensors to collude and provide dis-honest reports.

Fung et al. have worked on many aspects of identify-ing insider threats within CIDSs. In [20], they propose a

4http://epinions.com/

general framework to bestow CIDS sensors the ability toassess the trustworthiness of others from past interactions.Afterwards, in [21], they propose a trust mechanism basedon the Dirichlet distribution that enables sensors to updatetheir trustworthiness from outcomes of mutual interaction.This last work considers the existence of both malicious andincompetent sensors. Finally, in [18], they add the conceptof acquaintances that, along with the previous Dirichlet-based model, can break or establish dynamic relationshipsto improve the performance of a CIDS. It is worth noting thatin many of the contributions of Fung et al., through the usageof a message passing system, collusion cannot occur. In ourwork, instead, we cannot discard the possibility of collusiondue to the fact that their message passing system cannotfunction in our scenario. This is because we assume that itis not possible to directly query all CIDS sensors. Instead,we need to rely on the opinions of others. This is a commoncase when multiple CIDS sensors belong to different groups,when the CIDS employs a fully distributed P2P architecture,or both.

Collusion resistant trust models have been proposed indifferent fields. Dwarakanath et al. proposed a collusionresistant mechanism that detects dishonest IoT devices com-municating false trust scores [22]. Collusion is detected bycomparing trust vectors reported by multiple devices usinga cosine similarity metric. Although this collusion detectionmechanism does not target CIDSs, it could be adapted to suchsystems.

III. SPHINX: A COLLUDER-RESISTANT TRUSTMECHANISMIn this section, our colluder-resistant trust mechanism,namely Sphinx, is presented. First, the general frameworkand main assumptions are shown (Section III-A). Then,Section III-B, Section III-C, and Section III-D describe howSphinx operates. In Table 1 we provide a reference summaryof the most important notations used throughout this paper.

A. FRAMEWORK AND ASSUMPTIONSLet us assume a CIDS having a set S = {S1, . . . , Sn} ofn collaborating sensors. Trust scores τ (t)1 , . . . , τ

(t)n ∈ [0, 1]

are assigned, respectively, to sensors S1, . . . , Sn at time t.These trust scores convey information about how reliable thesensing capabilities of the sensors are. Sensors periodicallyinteract with each other exchanging local knowledge5. Aftereach interaction at time t, sensors evaluate the reliability ofeach other and update trust scores τ (t)1 , . . . , τ

(t)n . To simplify

notation, trust scores τ (t)1 , . . . , τ(t)n at time t are simply de-

noted as τ1, . . . , τn.Trust scores τ1, . . . , τn indirectly measure a sensor’s sens-

ing reliability. In an environment where sensing reliabilityis rewarded, sensors might be interested in maximizing theirtrust scores. To maximize its trust score, a sensor can go

5This work assumes that if sensor Si shares its local knowledge, allsensors Sj ∈ S with j 6= i receive the knowledge unaltered.

VOLUME 4, 2016 3




Si sensor indexed by i

n total number of sensors

τi trust score of Si at time t

τ ′i / τ′′i evidence- / reliability- based trust score of Si at time t

τ(t−1)i reputation of Si at time t− 1

P(i)j Cartesian point related to how Sj rates Si

xP

(i)j

/ yP

(i)j

x− / y-coordinate of P (i)j

σ(i)j evidence submitted by Sj with respect to Si

K total number of cluster centers

C1, . . . , CK clusters or classes of credibility

M1, . . . ,MK center points of clusters C1, . . . , CKyM1

, . . . , yMKy-coordinate of M1, . . . ,MK

ω(i)j weight of data point P (i)

j

π1, . . . , πK mixing coefficients of M1, . . . ,MK

o(j)i trustworthiness gain or loss by Si with respect to Sj

α1 reward and penalty values used to calculate o(j)i

α2 number of possible values o(j)i can have

F (τi) weight balance between high and low trust scores τi

η mixing coefficient of τ ′i and τ ′′i to create τi

TABLE 1: Summary of the notations used in this article.

through the hardships of ensuring high sensing availabilityand accuracy so that others give the sensor good ratings.However, sensors might also consider lying about the reli-ability of others so as to make the others look worse. Fur-thermore, those dishonest sensors might secretly choose toform coalitions to boost the trust scores of their members anddecrease the trust scores of others outside the coalition. Weconsider that each sensor S1, . . . , Sn may be either honestor dishonest, where dishonest sensors might belong or not toa coalition. We make the following three assumptions withrespect to the behavior of honest and dishonest sensors.• Assumption 1: Honest sensors report evidence as accu-

rate as they can but make small mistakes that follow aGaussian distribution6.

• Assumption 2: Dishonest sensors submit tampered evi-dence following a Beta distribution6 and can choose tosubmit accurate evidence to confuse the system follow-ing a Uniform distribution6.

• Assumption 3: When dishonest sensors collude, theyonly belong to one coalition.

Sphinx aims at mitigating the effect of a coalition under thelast three assumptions. To achieve this, Sphinx calculates thetrust score τi using two measurements termed the evidence-based and reliability-based trust scores. The evidence-basedtrust score τ ′i for sensor Si results from the evidence sub-mitted by sensors Sj , for j = 1, . . . , n and j 6= i (seeSection III-B). The calculation of the evidence-based trustscore is somewhat similar (see Section II) to what is done byBayesian models, except that the evidence processed for thecomputation of the evidence-based trust score has different

6For a discussion of why this distribution is used see Section IV-A.

relevance depending on the reputation of the source. Thereliability-based trust score τ ′′i depends on how reliable theevidence submitted by sensor Si is with respect to sensorSj , with j 6= i (see Section III-C). In the calculation of thisreliability-based trust score, unreliable evidence is detectedand the submitter is discouraged to do so by decreasing itstrustworthiness. In Section III-D, we describe how to mergethese two values to obtain the final trust score τi.

B. EVIDENCE-BASED TRUST SCOREThis section describes how the evidence-based trust score τ ′ifor sensor Si is computed, taking into account the evidencesubmitted by all the other sensors. The computation of theevidence-based trust score τ ′i is performed in an Euclideanspace of dimension D = 2. For readability, we divide thiscomputation into the following steps.

a: Collecting the EvidenceEach sensor Sj submits point P (i)

j = (xP

(i)j, yP

(i)j

) with

respect to sensor Si. The first coordinate of point P (i)j is

xP

(i)j

= τ(t−1)j ∈ [0, 1], where τ

(t−1)j is the reputation

of the sensor Sj conducting the evaluation. In fact, beingτ(t−1)j the trust score computed at time t − 1, it can be seen

as the reputation gained by sensor Sj up to that moment.The second coordinate of point P (i)

j is yP

(i)j

= σ(i)j , where

σ(i)j ∈ [0, 1] is the evidence by which sensor Sj evaluates

sensor Si. In other words, σ(i)j is the expectation that sensor

Sj has with respect to the future behavior of Si.

b: Representation of τ ′iSince the evidence relative to the trustworthiness of sensor Siis represented as a value between 0 and 1, the evidence-basedtrust score τ ′i is also a value between 0 and 1. The idea is todefine the data set P(i) = {P (i)

1 , . . . , P(i)i−1, P

(i)i+1, . . . , P

(i)n }

of points submitted by sensor Sj , for j = 1, . . . , n and j 6= i.Afterwards, K-means clustering and Gaussian mixtures areused to extract the evidence-based trust score τ (i)i from thecoordinate y

P(i)j

of each point in the data set P(i).

c: Classes of CredibilityK-classes of evidence are distinguished with respect totheir credibility using the K-means clustering algorithm.The points in the data set P(i) are grouped into K clustersC1, . . . , CK . Each point in the data set P(i) is a tuple corre-sponding to the values “reputation of the rater” and the values“the submitted rate/evidence”. Therefore, the clustering algo-rithm finds classes which take into account both values. Thecenter points M1, . . . ,MK of clusters C1, . . . , CK simplifythese classes of credibility with fewer, yet more informativepoints. An analogous view is that coordinates yM1 , . . . , yMK

of center pointsM1, . . . ,MK represent how trustworthy sen-sor Si is believed to be by the sensors in clusters C1, . . . , CK .The classes of credibility may be shaped in any form of dis-joint sub-intervals. We may consider, for example, dividing

4 VOLUME 4, 2016




the interval [0, 1], representing the reputation τ (t−1)j of sen-sor Sj , into K disjoint sub-intervals [0, 1

K ), . . . , [1 − 1K , 1].

This way, since clustering algorithms group together pointsaround the same area, clusters C1, . . . , CK represent sensorswith a similar reputation rate with sensor Si.

d: Assigning Weight ω(i)j to Point P (i)

j

Each point P (i)j is submitted by sensor Sj , which has a

reputation τ (t−1)j . We wish to use this reputation to weightpoint P (i)

j . We define weight ω(i)j as:

ω(i)j =

F (τ(t−1)j )∑n−1

j=1 F (τ(t−1)j )

,

where F : [0, 1] → R is a positive and increasing functionover the interval [0, 1], which assigns higher scores for largertrust score τ (t−1)j . The purpose of this function is to definehow to balance the influence of low-weighted reputationagainst high-weighted reputation. In other words, functionF (x) determines how many low-weighted reputations areneeded to have enough influence to overcome high-weightedreputation. This is desirable as sensors with a high reputationmight also submit incorrect evidence. If many sensors, evenwith a low reputation, submit different evidence in compar-ison to the highly reputable CIDS, their opinion also has animpact. A possible approach to define function F (x) is tochoose a known increasing function (such as the logarith-mic function) and adjust the eccentricity according to thenumber of low-weighted reputations necessary to balancehigher-weighted reputations. Note that F (x) does not needto be continuous. In fact, another possible approach to definefunction F (x) is to create a step function over disjoint sub-intervals of the interval [0, 1]. Thus, two trust scores withinthe same sub-interval are considered equivalent with respectto the reputation of the sensor they represent.

e: Computation of τ ′iThe evidence-based trust score τ ′i is computed as aweighted combination of coordinates yM1

, . . . , yMKof the

center points M1, . . . , MK , respectively. Center pointsM1, . . . ,MK are not equivalent: together with the classes ofcredibility they distinguish, they depend on the cardinalityof their respective clusters. The idea is to associate valuesπ1, . . . , πK to center points M1, . . . ,MK in quantitative andqualitative manner. Values π1, . . . , πK are regarded as themixing coefficients of a mixture p(P(i)) of K GaussiandistributionsN1(µ1, σ

21), . . . ,NK(µK , σ

2K). More precisely,

the points within each cluster Cl can be seen as followinga Gaussian distribution with µl = Ml, for l = 1, . . . ,K.That is because the mean and the variance of a Gaussiandistribution convey information about where the points aremostly concentrated and how they are spread, which iscomparable to the information conveyed by the clusters.Weights ω(i)

j are used to compute the mixing coefficientsπ1, . . . , πK . In more detail, πl =

∑nl

j=1 ω(i)lj

, where nl is

the cardinality of cluster Cl and ω(i)lj

is the weight assigned to

point P (i)lj∈ Cl, for l = 1, . . . ,K. Note that

∑Kl=1 πl = 1

and thus the mixture p(P(i)) is a probability distribution. Theweighted sum of means µ1, . . . , µK represents the mean µof the closets Gaussian distribution N (µ, σ2) approximatingmixture p(P(i)). And this is what is aimed at: since the meansµ1, . . . , µK are the center points M1, . . . ,MK , we can nowcompute the evidence-based trust score τ ′i as the weightedsum of coordinates yM1 , . . . , yMK

according to the mixingcoefficients π1, . . . , πK . That is,

τ ′i =K∑l=1

πl · yMl∈ [0, 1].

In other words, the evidence-based trust score is computedas coordinate yµ of the mean µ of the fitting Gaussiandistribution N (µ, σ2). One can argue that the evidence-based trust score τ ′i could be computed directly after clustersC1, . . . , CK were distinguished, without passing through thestep of computing the mixture of Gaussians. This is, in fact,what one would practically do when computing τ ′i . However,we highlight that this computation is possible because thecenter points of the clusters model are the means of Gaussiandistributions.

C. RELIABILITY-BASED TRUST SCOREThis section describes how the reliability-based trust score τ ′′ifor sensor Si is computed taking into account the reliabilityof the evidence submitted by sensor Si itself with respectto all the other sensors. We recall that the reliability-basedtrust score is meant to distinguish submitted reliable evidencefrom unreliable evidence and to, respectively, encourage anddiscourage such submissions. Just as with the evidence-basedtrust score τ ′i , the computation of the reliability-based trustscore τ ′′i is performed in an Euclidean space of two dimen-sionsD = 2. For readability, we divide this computation intofour steps.

a: Evidence CollectionThe process begins by collecting all evaluations, known asevidence, issued by each sensor. This evidence is definedas σ(j)

i ∈ [0, 1]; that is, the coordinate yP

(j)i

of point P (j)i

submitted by the evaluator sensor Si with respect to sensorSj , for j = 1, . . . , n and j 6= i, where point P (j)

i =(xP

(j)i, yP

(j)i

) is defined in Section III-B.

b: Representation of τ ′′iSince the evidence relative to the reliability of the submis-sions of sensor Si is represented as a value between 0 and1, the reliability-based trust score τ ′′i is also a value between0 and 1. The reliability of evidence σ(j)

i is measured withthe distance d(τ ′j , σ

(j)i ), where τ ′j is the evidence-based trust

score of sensor Sj . Distance d(τ ′j , σ(j)i ) is at most 1. If

distance d(τ ′j , σ(j)i ) is close to 1, this is an indicator of the

dishonesty of sensor Si when rating sensor Sj ; that is, it is

VOLUME 4, 2016 5




an indicator that σ(j)i is an unreliable piece of evidence. On

the contrary, if distance d(τ ′j , σ(j)i ) is close to 0, this is an

indicator of the honesty of sensor Si when rating sensor Sj ;in other words, it is an indicator that σ(j)

i is a reliable pieceof evidence.

c: Reliability ScoreRanges of reliability are designed to grant trustworthiness tosensor Si when distance d(τ ′j , σ

(j)i ) is small and vice versa.

We aim at designing a mechanism that increases τ ′′i when Siis honest and decreasing τ ′′i , in variable amounts, when Si isdishonest. We achieve this by assigning a reliability score o(j)ito each value d(τ ′j , σ

(j)i ) of Si for j = 1, . . . , n and j 6= i.

The evidence σ(j)i submitted by Si is rated as o(j)i depending

on how close it is to τ ′j . The reliability score o(j)i is a value inthe set

O = {x : x = α1 + (−α1 × n), n ∈ {0, 1, 2, . . . , (α2 − 1)}},

where α1 ∈ {0, 1} specifies, both, a maximum reward anda series of penalty values; and α2 ∈ Z+ specifies the totalnumber of elements, or steps, in O. Intuitively, the first valueof O is α1, the second value is 0 and subsequent values aremultiples of −α1, with a total of α2 elements. The elemento ∈ O is assigned to the distance d(τ ′j , σ

(j)i ) at index

bd(τ ′j , σ(j)i ) · α2c. With such an interpretation, if distance

d(τ ′j , σ(j)i ) is between the range

[0, 1

α2

], the first element of

O, namely α1, is assigned as o(j)i .Because all submitted evidence is rated according to its

reliability, sensors are encouraged to submit reliable evidenceand discouraged to submit unreliable one. If a sensor submitsunreliable evidence time after time, then it will progressivelylose more and more trust. This is a countermeasure thatdiscourages the submission of unreliable evidence, as thetrustworthiness of the submitter decreases.

d: Computation of τ ′′iThe reliability-based trust score τ ′′i is computed from thereputation τ

(t−1)i of sensor Si at time t − 1, taking into

account the average reliability score of the n− 1 scores σ(j)i

it submitted, for j = 1, . . . , n with j 6= i. That is,

τ ′′i = τ(t−1)i +

1

n− 1

n∑j=1,j 6=i

o(j)i .

In this way, the reliability-based trust score τ ′′i is computedby increasing τ (t−1)i if the scores σ(j)

i are on average reliableor by decreasing τ

(t−1)i if the scores σ

(j)i are unreliable

on average. Note that the computation of the reliability-based trust score τ ′′i is recursive. That is, the history of thebehavior of sensor Si in the previous rounds is taken intoaccount by the term τ

(t−1)i . In fact, reputation is built upon

consistent increments over a long period of time and is notgreatly affected, both positively nor negatively, in one singlerecursion.

D. FINAL TRUST SCORETrust score τi is computed as a convex combination of τ ′i(Section III-B) and τ ′′i (Section III-C). That is, the parameterη ∈ [0, 1] is selected such that η+(1−η) = 1 and trust scoreτi is:

τi = η · τ ′i + (1− η) · τ ′′i . (1)

The parameter η holds for the computation of each trust scoreτi, for i = 1, . . . , n. It is chosen based on the requirementsof the specific CIDS. In some situations, it might be moredesirable to assign more weight to a sensor performing wellrather than a sensor rating honestly and vice versa.

IV. EVALUATIONSphinx is capable of identifying coalitions if less than 50% ofall sensors collude in a single coalition. In certain conditions,when multiple and independent coalitions exist, Sphinx canidentify dishonest participants even when more than 50%of all sensors are dishonest. This section gives evidenceto support these claims in the form of different evaluationexperiments.

A. EXPERIMENTAL SETUPExperiments are performed in rounds. Rounds represent thebasic time unit used in all experiments. At each round t,the evidence-based (Section III-B) and reliability-based (Sec-tion III-C) trust scores, τ ′(t) and τ ′′(t), respectively, are cal-culated for each sensors participating in a CIDS. These twotrust scores are combined together, according to Equation (1),to obtain the trust score τ (t) of each server at round t. Theevidence and reliability-based trust scores use the previoustrust score τ (t−1) to perform their calculations; therefore,making the whole process recursive.

All experiments assume that sensors behave in one of twodifferent ways: either they are honest or dishonest. An honestsensor always rates others in accordance to its empiricalobservations. A dishonest sensor, on the other hand, ratesothers better or worse depending on some convenience factor.If a dishonest sensor is acting alone, without the support ofothers, it resorts to rating every other sensor worse than whatit itself empirically observed. In doing so, the suppositionis that his trust score would eventually become the best ifthe score of everyone else worsens. These single dishonestsensors are termed lone colluders.

The experiments take into account all assumptions statedin Section III-A. The following is a summary of these.Dishonest sensors are able to collaborate with others to formcoalitions. Within one single CIDS, more than one coalitionmight be present. A coalition has the goal of increasing thetrust of all its sensors while trying to reduce the trust ofany outsider. All sensors of a coalition act according to thefollowing three rules:

1) When rating other sensors in the same coalition, therating is improved relative to the observed sensingreliability of the other sensor.

6 VOLUME 4, 2016




2) The sensors of a coalition rate others, not belongingto the same coalition, with a worsened rating relativeto the other sensor’s observed sensing reliability. Withsome probability, dishonest sensors can give honestratings to try and fool the system.

3) Dishonest sensors can only belong to one coalition.

All non-deterministic experiments are repeated 50 times.Instead of showing aggregated graphs of all experiments, wechoose to show one descriptive scenario that represents theexperiments well. Once parameters of Sphinx are fixed, thealgorithm is deterministic except for how dishonest sensorsalter ratings. Dishonest sensors use a Beta distribution toselect a value to add or subtract from a trust score beforesubmission (depending on whether they are improving orworsening the score). This stochastic selection of values doesnot modify the trend of the experiments, therefore, makingthe variance of the results small.

1) Parameters of the Rating System

Dishonest sensors improve or worsen ratings according to aBeta distribution. Whenever a dishonest sensor Sj needs tosubmit a rating, or evidence, for Si, it does so using:

x ∼ Beta(a, b) (2)

σ(i)j = τi ± x, (3)

where a and b are chosen parameters for a Beta distributionaccording to one of the combinations shown in Figure 1.In Equation (2), a sample x of the chosen Beta distributionis obtained. This sample is either added or subtracted, inEquation (3), depending on whether the trust score τi isimproved or worsened. We choose the Beta distribution as itmodels dishonest members that alter evidence conservativelymost of the time and aggressively a few times with lowprobability.

0.0 0.1 0.2 0.3 0.4

0

5

10

15

a = 2, b = 50

a = 2, b = 40

a = 2, b = 30

a = 2, b = 20

a = 3, b = 20

a = 4, b = 20

FIGURE 1: Family of Beta distributions that specifies how muchratings are improved or worsen by dishonest participants in a CIDS.

In contrast to a dishonest sensor, honest sensor Sj submitsratings, or evidence, of another sensor Si using a Gaussian

model; that is,

y ∼ N (0, std) (4)

σ(i)j = τi + y. (5)

A sample y from a Gaussian distribution with standard devi-ation std is obtained. This sample is then added to the truetrust score τi to account for the potential inaccuracies in theempirical observations Sj might have had. In all experiments,std is chosen such that std < E[Beta(a, b)]. If this is notthe case, the samples of the Gaussian distribution used byhonest sensors overlaps greatly with the samples of the Betadistribution used by dishonest sensors, making honest anddishonest behaviors almost indistinguishable.

2) Parameters of SphinxThe calculation of trust scores depend on some user-suppliedparameters. The evidence-based trust score τ ′ depends ontwo parameters: a score weight function F (x) and the num-ber of cluster centersK (see Section III-B0c). The reliability-based trust score τ ′′ relies on two parameters: a rewardparameter α1 and the number of penalty subdivisions α2

(see Section III-C0c). The combination of both evidence andreliability-based trust scores into the final trust τ dependson the mixing coefficient η (see Section III-D). In mostexperiments, all these parameters are fixed to a single set todemonstrate how generalizable a single set of parameters canbe.

B. EXPERIMENTSWe conduct a series of experiments that demonstrate how thetrust scores of lone colluders and coalitions are penalized.Unless explicitly indicated, all experiments use the followingparameters:

F (x) =

1 if 0.00 ≤ τ ≤ 0.25

2 if 0.25 < τ < 0.50

3 if 0.50 < τ ≤ 0.75

4 if 0.75 < τ ≤ 1.00

,

K = 2, α1 = 0.20, α2 = 25 and η = 0.30. For thegeneration of ratings by honest and dishonest sensors, wechoose the parameters a = 3, b = 20 for the Beta distributionin Equation (2) and the parameter std = 0.05 for theGaussian distribution in Equation (4). The chosen parametersof the Beta distribution model a distribution with an expectedvalue of E[Beta(3, 20)] = 0.13. This implies that, most ofthe time dishonest sensors increase (or decrease) the rating ofothers by 0.13 points. With this particular Beta distribution,the increase (or decrease) can range from small values closeto 0.0 up to the high value 0.35 (with low probability). Thismodels dishonest sensors that choose to be conservative mosttimes but sporadically aggressive.

1) Experiment 1: Detecting Single Large CoalitionsSphinx can detect single large coalitions as long as thenumber of sensors of that coalition do not exceed the number

VOLUME 4, 2016 7




0 1 2 3 4 5 6 7 8

rounds

0.00

0.25

0.50

0.75

1.00

τCoalition 1 Honest Group

(a) 40 sensors in total, 25% of all sensors are dishonest. The colludingsensors are easily identified; their trust rapidly drops to zero.

0 2 4 6 8 10 12 14 16

rounds

0.00

0.25

0.50

0.75

1.00

τ

Coalition 1 Honest Group

(b) 40 sensors in total, 37.5% of all sensors are dishonest. In the firsttwo rounds, the coalition can negatively affect the honest sensors. Afterthe trust of the coalition drops to zero, the honest sensors only increasetheir trust.

0 2 4 6 8 10 12 14 16

rounds

0.00

0.25

0.50

0.75

1.00

τ


(c) 40 sensors in total, 47.5% of all sensors are dishonest. Same effectas when considering 37.5% of dishonest sensors. With more dishonestsensors, the effect last longer until about round six.

0 2 4 6 8 10 12 14 16

rounds

0.00

0.25

0.50

0.75

1.00

τ


(d) 40 sensors in total, 50% of all sensors are dishonest. The dishonestsensors overwhelm the honest sensors and they easily drop the rating ofthe honest sensors to low values.

FIGURE 2: Change of trust with every new calculation (round) of Sphinx. Four different scenarios are evaluated: when 25%, 37.5%, 47.7%and 50.0% of the collaborating sensors form a dishonest coalition.

of honest sensors. This is illustrated in Figure 2. The x-axis ofeach plot shows the number of rounds or, in other words, thenumber of times our recursive trust mechanism is calculated.Round zero is the case where Sphinx has not yet been run;therefore, it represents the initial bootstrapped trust of eachsensors. All sensors are bootstrapped with an initial trustscore following the Gaussian distribution N (0.50, 0.15). Onthe y-axis, the trust scores τ are shown.

In each of the four plots of Figure 2, setups of differentdishonest and honest participants are tested. Figure 2a showsthat it is easy to detect coalitions with 25.0% of dishonestsensors. Figures 2b and 2c show that, although there is somenegative influence from the coalition for a few rounds, thetrust of the coalition falls to zero. This is taking into accountthe fact that in Figure 2c 47.5% of all sensors (19 out of 40)are dishonest. If 50.0% of all sensors are part of a coalition,however, the trust model fails to punish dishonesty as theresults in Figure 2d show.

2) Experiment 2: Detecting Multiple Coalitions

Sphinx is capable of recognizing and punishing independentcoalitions. With multiple coalitions, even if more than 50.0%of the total sensors are dishonest, honesty is successfullyrewarded while dishonesty is punished. In Figure 3, we canappreciate how our methodology performs when dishonestparticipants are moderately dishonest using a Beta distribu-

tion with parameters a = 3 and b = 20. From a totalof 50 sensors, a varying amount of dishonest sensors indifferent coalitions are shown. In Figure 3a, five coalitionsare tested, each having 5 sensors, amounting to 50% of allsensors. Similarly in Figure 3b, six coalitions with 5 sensorseach, representing 60% of all sensors, are tested. Honesty issuccessfully rewarded while dishonesty is punished in bothscenarios.

When dishonest sensors use the Beta distribution withparameters a = 3 and b = 20, adding more coalitions (of5 sensors) would result in an ecosystem where no individualor coalition can increase its trust score beyond 0.25. Thedishonest ratings effectively deny the possibility of gainingtrust. If the dishonest sensors are less conservative and mod-ify their ratings using a more aggressive Beta distributionwith parameters a = 2 and b = 10, honesty is stillrecognized and rewarded as shown in Figure 4. During theearly rounds of our methodology, the trust score of everyoneis heavily decremented. After the trust scores have settledto low values, honesty can be recognized again. In round12, dishonest sensors no longer have enough trust and theirevidence submissions stop having much weight. It is in thisscenario that honesty can slowly build up trust once again.

8 VOLUME 4, 2016




0 1 2 3 4 5 6 7 8

rounds

0.00

0.25

0.50

0.75

1.00

τ

Coalition 1

Coalition 2

Coalition 3

Coalition 4

Coalition 5

Honest Group

(a) 50 sensors and 5 coalitions of 5 sensors each. 50% of all sensors aredishonest. Although 50.0% of all sensors are dishonest, the fact that nocoalition has more than the total number of honest sensors, dishonestycan still be successfully punished. The trust score of all sensors in allcoalitions rapidly drops to zero. The trust score of the honest sensorsrapidly increases.

0 2 4 6 8 10 12 14 16

rounds

0.00

0.25

0.50

0.75

1.00

τ

Coalition 1

Coalition 2

Coalition 3

Coalition 4

Coalition 5

Coalition 6

Honest Group

(b) 50 sensors and 6 coalitions of 5 sensors each. 60% of all sensors aredishonest. Dishonesty is correctly identified and punished. However,honest sensors are also punished in the beginning and then start tobe rewarded. Notice that double the rounds were needed to detectdishonesty as when 50% of the sensors were dishonest.

FIGURE 3: Change of trust with every new calculation (round) of Sphinx. Four different scenarios are evaluated: when 25%, 37.5%, 47.7%and 50.0% of the collaborating sensors form a dishonest coalition.

0 4 8 12 16 20 24 28 32

rounds

0.00

0.25

0.50

0.75

1.00

τ

Coalition 1

Coalition 2

Coalition 3

Coalition 4

Coalition 5

Coalition 6

Coalition 7

Honest Group

FIGURE 4: 50 sensors and 7 coalitions of 5 sensors each. 70% ofall sensors are dishonest. If the dishonest sensors are less conserva-tive, honest sensors are eventually recognized.

3) Experiment 3: The Effects of Disperesed Intitial TrustScores

The previous experiment assumed that all sensors startedwith a trust score close to 0.5. Initializing the trust scores overthe range [0, 1] has no negative influence on the capabilitiesof Sphinx to detect dishonesty. Taking into account 20 honestsensors and two coalitions of 10 sensors each (for a total of20 dishonest sensors), Figure 5 shows how honest sensorswith a low starting trust score are able to reach high trustscores. Similarly, dishonest sensors starting with high trustscores get their score reduced to zero given enough rounds.Shown in the figure, the honest sensor with the lowest startingtrust score (of 0.08) is able to reach a maximum score ineleven rounds. The dishonest sensor with the highest initialtrust score (of 0.95) is reduced to a score of zero after tenrounds.

0 2 4 6 8 10 12

rounds

0.00

0.25

0.50

0.75

1.00

τ

Coalition 1

Coalition 2

Honest Group

FIGURE 5: Evolution of the trust scores (τ ) of two coalitions, eachwith 10 sensors, and 20 honest sensors when the trust scores areinitially dispersed. The honest sensor with the lowest score (of 0.08)reaches a trust of 1.00 after 11 rounds.

4) Experiment 4: Sensibility of Dishonesty

Starting with the trust score of each server initialized with theGaussian distribution N (0.5, 0.2), we examine how chang-ing the sensibility of dishonesty affects the capability ofidentifying coalitions. In our experiments, we observed thathonesty can be identified when std < E[Beta(a, b)] (seeSection IV-A1). In our setup, we assume that std = 0.05,i.e., honest sensors approximate the real score τi of sensor Siwith τ̂i such that τ̂i = N (τi, 0.05). From the illustrated Betadistributions in Figure 1, it is possible to detect dishonestsensors that act according to a Beta distribution parameter-ized with a = 2 and b = 30 (where E[β(2, 30)] = 0.062)and below. Conversely, if dishonesty is modeled with theBeta distribution β(2, 40) or β(2, 50), dishonesty cannot beidentified as it is easy to confuse with (honest) mistakes.

Figure 6 shows the average trust scores τ with standarddeviations after executing 12 rounds of our trust mechanism.

VOLUME 4, 2016 9




β(2,

20)

β(2,

30)

β(2,

40)

β(2,

50)

0.00

0.25

0.50

0.75

1.00

τ

Colation 1

Coalition 2

Honest Group

FIGURE 6: Average trust score τ of honest and dishonest sensorswhen the sensibility of dishonesty is varied after 12 rounds ofexecuting our trust mechanism. From left to right, more subtle Betadistributions are used by dishonest sensors to improve or worsenthe trust score of others. When using β(2, 30) or β(2, 20), thetrust scores of both coalitions are kept in line. Using more subtleBeta distributions results in the trust scores of the coalitions alsoincreasing (without affecting the honest participants).

When the coalitions are dishonest according to the Betadistribution β(2, 20) and β(2, 30), the average trust score ofthe dishonest participants is kept low. In all repeated exper-iments, the average trust score of all coalitions would tendtowards 0.0. This is, however, not the case when coalitionsact according to the Beta distributions β(2, 40) or β(2, 50).In both cases, the average trust scores cannot be kept lowand have a tendency to increase towards 1.0. This is due tothe fact that with such Beta distributions, it is not possibleto distinguish dishonesty from honest mistakes. Note that thetrust scores of the honest sensors are not negatively affectedthis way.

5) Experiment 5: Dealing with Smarter Dishonest SensorsIn this scenario, we describe the effects on honest and dishon-est sensors when those being dishonest choose to honestlysubmit evidence according to some probability p. In Figure 7,we illustrate four scenarios that take into account 40 sensors,different ratios of dishonest sensors, and different values of p.Figures 7a and 7b duplicate the conditions of the experimentsillustrated in Figure 2a but incorporate p. In Figure 7a, eachsensor of the coalition chooses to be honest with a probabilityof 20% (p = 0.2). In contrast to the results obtained whenp = 0 (cf. Figure 2a), the coalition’s trust scores stay slightlyhigher in round two but almost collapse by round three. Withp = 0.5, as illustrated in Figure 7b, the coalition’s trustscores are more slowly punished. In the last two scenarios,the honest sensors’ trust scores are barely affected.

Figures 7c and 7d duplicate the conditions of the exper-iments shown in Figure 2c but use different values of p.As shown in Figure 7c, with p = 0.2, the coalition is notsuccessful in keeping their trust scores relevant. By round

eight, all trust scores collapse. Surprisingly, the honest sen-sors’ trust scores are positively rewarded by the choices of thecoalition. The honest sensors’ trust scores do not decrease asthey did in Figure 2c and are maximized by round 11. In thelast experiment, shown in Figure 7d, sensors in the coalitionchoose to be honest 50% of the time. In this scenario, thecoalition’s trust scores stay relevant longer but, with enoughrounds, eventually collapse. However, the honest sensors’trust scores are positively affected and reach their maximumby round eight.

Overall, dishonest sensors that choose to act honestlywith some probability p must trade between staying relevantlonger and rewarding honest members to increase their scoreeven faster. In the previously described scenario, we founda turning point when p = 0.65, for which the results areshown in Figure 8. At this turning point, sensors in coalition 1choose to be honest 65% of the time and manage to keep theirtrust scores almost constant for all 32 rounds. If the coalitionwishes to get the trust scores τ of their sensors to rapidlyincrease (and not be left behind by the honest sensors), theywould need to be honest 80% of the time. This would enablethem to give some dishonest ratings without being heavilypunished but would go against the goal of reducing the honestsensors’ trust scores.

V. CONCLUSION AND FUTURE WORK

In this article, Sphinx a colluder-resistant trust mechanism forCIDSs that is capable of identifying and punishing coalitionsof dishonest CIDS sensors is presented. Sphinx uses unsu-pervised machine learning techniques to collect and processthe evidence submitted by sensors. Through these methods,it is possible to establish a trust score for each CIDS sensorbased on its trustworthiness as well as the reputation of itssubmitted evidence. Using this novel approach, it is possibleto detect unreliable evidence and effectively penalize dis-honest sensors by reducing their trust even if they are partof a coalition. In the evaluation section, it was shown howSphinx detects single large coalitions as long as the majorityof the CIDS sensors are honest. When there are multipleindependent coalitions, even when the large majority is dis-honest, Sphinx is still able to identify and punish dishonesty.The only necessary condition is that the largest independentcoalition must be smaller than the number of honest sensors.For instance, in a scenario with two coalitions of 10 sensorseach (a total of 20 dishonest sensors) and 15 honest sensors,dishonesty can still be detected.

As future work, Sphinx can be extended to compute thetrust scores according to additional criteria, such as theamount of past interactions. Also, in this case, clusteringalgorithms can be used to process all this information and de-fine proper credibility classes of evidence. Furthermore, weplan to design a new bootstrapping procedure that improvesupon [12] so as to better address the scenario of trust withinCIDSs.

10 VOLUME 4, 2016




0 1 2 3 4 5 6 7 8

rounds

0.00

0.25

0.50

0.75

1.00

τCoalition 1 Honest Group

(a) 40 sensors, 25% dishonest, 20% probability of dishonest sensorsbeing honest. When colluders are 20% of the times honest, honestsensors increase their trust scores faster. Dishonest sensors are stillidentified.

0 1 2 3 4 5 6 7 8

rounds

0.00

0.25

0.50

0.75

1.00

τ


(b) 40 sensors, 25% dishonest, 50% probability of dishonest beingsensors honest. Colluders are correctly identified, albeit in later rounds.

0 2 4 6 8 10 12 14 16

rounds

0.00

0.25

0.50

0.75

1.00

τ


(c) 40 sensors, 47.5% dishonest, 20% probability of dishonest sensorsbeing honest. When sensors in coalition 1 rate honestly with a 20%probability, instead of harming the honest sensots, the coalition booststhe trust scores of the honest members without gaining enough trust.

0 2 4 6 8 10 12 14 16

rounds

0.00

0.25

0.50

0.75

1.00

τ


(d) 40 sensors, 47.5% dishonest, 50% probability of dishonest sensorsbeing honest. With a 50% probability of rating honestly, coalition 1further boosts the scores of the honest sensors. Their trust scores,however, are more slowly reduced.

FIGURE 7: Sphinx’s performance when dishonest sensors are smarter, i.e., they act honestly with some probability. The top and bottom rowsreplicate the conditions used in the experiments shown in Figures 2a and 2c, respectively, but consider smarter dishonest sensors.

0 4 8 12 16 20 24 28 32

rounds

0.00

0.25

0.50

0.75

1.00

τ


FIGURE 8: 40 sensors, 47.5% dishonest, 65% probability ofdishonest sensors being honest. The coalition’s trust scores almoststay constant throughout 32 rounds of running Sphinx. The coalitioncan be identified by the fact that their trust scores do not increase asthose of the honest sensors.

ACKNOWLEDGMENTS

The authors would like to thank Guido Salvaneschi, MoritzHorsch, Alex Palesandro and Denis Butin for their input andconstructive discussions. This work has been co-funded bythe DFG as part of the projects “Scalable Trust Infrastruc-tures” and “Long-Term Secure Archiving” within the CRC1119 CROSSING and the European Union’s Horizon 2020research and innovation program under Grant AgreementNo 644962. The research leading to these results has also

received funding from the European Union’s Horizon 2020Research and Innovation Program, PROTECTIVE, underGrant Agreement No 700071. We acknowledge support bythe German Research Foundation and the Open Access Pub-lishing Fund of Technische Universität Darmstadt.

REFERENCES[1] M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein,

J. Cochran, Z. Durumeric, J. A. Halderman, L. Invernizzi, M. Kallitsiset al., “Understanding the mirai botnet,” in USENIX Security Symposium,2017, pp. 1092–1110.

[2] G. Meng, Y. Liu, J. Zhang, A. Pokluda, and R. Boutaba, “Collaborativesecurity: A survey and taxonomy,” ACM Computing Surveys (CSUR),vol. 48, no. 1, p. 1, 2015.

[3] E. Vasilomanolakis, S. Karuppayah, M. Muehlhaeuser, and M. Fischer,“Taxonomy and Survey of Collaborative Intrusion Detection,” ACM Com-puting Surveys (CSUR), vol. 47, no. 4, pp. 1–35, 2015.

[4] G. Traverso, C. G. Cordero, M. Nojoumian, R. Azarderakhsh, D. Demirel,S. M. Habib, and J. Buchmann, “Evidence-Based Trust Mechanism UsingClustering Algorithms for Distributed Storage Systems,” in 15th AnnualConference on Privacy, Security and Trust (PST), aug 2017.

[5] A. Josang and R. Ismail, “The beta reputation system,” in Proceedings ofthe 15th bled electronic commerce conference, vol. 5, 2002, pp. 2502–2511.

[6] S. Buchegger and J. Boudec, “A robust reputation system for peer-to-peerand mobile ad-hoc networks,” in Workshop on the Economics of Peer-to-Peer Systems, 2004.

[7] M. Nielsen, K. Krukow, and V. Sassone, “A bayesian model for event-based trust,” Electronic Notes in Theoretical Computer Science, vol. 172,pp. 499–521, 2007.

VOLUME 4, 2016 11




[8] C.-W. Hang and M. P. Singh, “Trustworthy service selection and compo-sition,” ACM Trans. Auton. Adapt. Syst., vol. 6, no. 1, pp. 5:1–5:17, Feb.2011.

[9] S. Ries, “Extending bayesian trust models regarding context-dependenceand user friendly representation,” in Proceedings of the 2009 ACM Sym-posium on Applied Computing (SAC), Honolulu, Hawaii, USA, 2009, pp.1294–1301.

[10] W. M. Bolstad, Introduction to Bayesian Statistics. John Wiley & Sons,Inc, 2004.

[11] M. Nielsen, G. Plotkin, and G. Winskel, “Petri nets, event structures anddomains, part i,” Theoretical Computer Science, vol. 13, no. 1, pp. 85 –108, 1981.

[12] X. Liu, A. Datta, K. Rzadca, and E.-P. Lim, “Stereotrust: A group basedpersonalized trust model,” in Proceedings of the 18th ACM Conference onInformation and Knowledge Management, ser. CIKM ’09. New York,NY, USA: ACM, 2009, pp. 7–16.

[13] X. Liu, G. Tredan, and A. Datta, “A generic trust framework for large-scale open systems using machine learning,” Computational Intelligence,vol. 30, no. 4, pp. 700–721, 2014.

[14] J. Tang, H. Gao, H. Liu, and A. Das Sarma, “etrust: Understanding trustevolution in an online world,” in Proceedings of the 18th ACM SIGKDDInternational Conference on Knowledge Discovery and Data Mining, ser.KDD ’12. New York, NY, USA: ACM, 2012, pp. 253–261.

[15] C. M. Bishop, Pattern recognition and machine learning, 5th Edition, ser.Information science and statistics. Springer, 2007.

[16] H. W. Lauw, E.-P. Lim, and K. Wang, “Bias and controversy: Beyondthe statistical deviation,” in Proceedings of the 12th ACM SIGKDDInternational Conference on Knowledge Discovery and Data Mining, ser.KDD ’06. New York, NY, USA: ACM, 2006, pp. 625–630.

[17] M. Moe, B. Helvik, and S. Knapskog, “Comparison of the beta and the hid-den markov models of trust in dynamic environments,” Trust ManagementIII, pp. 283–297, 2009.

[18] C. J. Fung, J. Zhang, I. Aib, and R. Boutaba, “Dirichlet-based trust man-agement for effective collaborative intrusion detection networks,” IEEETransactions on Network and Service Management, vol. 8, no. 2, pp. 79–91, 2011.

[19] M. Gil Pérez, F. Gómez Mármol, G. Martínez Pérez, and A. F. SkarmetaGómez, “RepCIDN: A reputation-based collaborative intrusion detectionnetwork to lessen the impact of malicious alarms,” Journal of Network andSystems Management, vol. 21, no. 1, pp. 128–167, 2013.

[20] C. J. Fung, O. Baysal, J. Zhang, I. Aib, and R. Boutaba, “Trust man-agement for host-based collaborative intrusion detection,” Lecture Notesin Computer Science (including subseries Lecture Notes in ArtificialIntelligence and Lecture Notes in Bioinformatics), vol. 5273 LNCS, pp.109–122, 2008.

[21] C. J. Fung, J. Zhang, I. Aib, and R. Boutaba, “Robust and scalabletrust management for collaborative intrusion detection,” 2009 IFIP/IEEEInternational Symposium on Integrated Network Management, IM 2009,pp. 33–40, 2009.

[22] R. Dwarakanath, B. Koldehofe, Y. Bharadwaj, T. A. B. Nguyen, D. Ey-ers, and R. Steinmetz, “Trustcep: Adopting a trust-based approach fordistributed complex event processing,” in 2017 18th IEEE InternationalConference on Mobile Data Management (MDM). IEEE, 2017, pp. 30–39.

CARLOS GARCIA CORDERO is a securityresearcher versed in the fields of network se-curity, artificial intelligence, programming lan-guages, compilers, machine learning and com-puter graphics. He is currently pursuing a PhDin network security and machine learning in Ger-many. Besides his academic experience, Carloshas worked in the security, video game and soft-ware development sectors. He further describeshimself as an enthusiastic programmer, mathe-

matician, musician and thinker.

GIULIA TRAVERSO is a Ph.D. candidate incryptography at the Technische Universität Darm-stadt (Germany), under the supervision of Prof.Johannes Buchmann at CDC group. Her researchfocuses on the long-term security of distributedstorage systems. She joined CDC in 2015 afterreceiving her B.SC. and M.Sc. degrees in mathe-matics at the University of Trento (Italy) and afteran internship at IdQuantique in Geneva (Switzer-land), a company producing quantum devices.

PROF. DR. MEHRDAD NOJOUMIAN is an as-sistant professor at the Florida Atlantic University(USA). He received his Ph.D. degree from theCheriton School of Computer Science at Univer-sity of Waterloo and his M.Sc. degree from theSchool of Electrical Engineering and ComputerScience at University of Ottawa. His research in-terests lie on trust management, autonomous sys-tems, applied cryptography, security and privacy,game theory, and any interdisciplinary research on

the intersection of computer science and economics.

PROF. DR. JOHANNES BUCHMANN receiveda PhD from the Universität zu Köln, Germany, in1982. From 1985 to 1986 he was a PostDoc atthe Ohio State University on a Fellowship of theAlexander von Humboldt Foundation. From 1988to 1996 he was a professor of Computer Scienceat the Universität des Saarlandes in Saarbrücken.Since 1996 he has been a professor of ComputerScience and Mathematics at TU Darmstadt. From2001 to 2007 he was Vice President Research of

TU Darmstadt. In 1993, he received the Leibniz-Prize of the German ScienceFoundation (DFG) and in 2017 the Konrad Zuse Medal of the GermanInformatics Society (GI). He is a member of the German Academy ofScience and Engineering acatech and of the German Academy of ScienceLeopoldina.

DR. EMMANOUIL VASILOMANOLAKIS is asenior researcher in the Technische UniversitätDarmstadt in Darmstadt, Germany. His researchinterests include collaborative intrusion detection,honeypots, botnet monitoring and alert data cor-relation. He received a PhD from the TechnischeUniversität Darmstadt in 2016 for his dissertation“On Collaborative Intrusion Detection”. Hereto-fore, he received his diploma (Dipl.-Inform.) andMSc from the University of the Aegean (Greece)

in 2008 and 2011 respectively. Emmanouil has published in major scientificconferences, workshops and journals on topics related to the field of cyber-security (including ACM Computing Surveys, IEEE CNS, IEEE ICC, RAIDand Blackhat). Lastly, he worked as a researcher for AGT International, onthe field of IoT security, from 2014–2015. Emmanouil is a member of IEEEas well as of the Honeynet Project.

12 VOLUME 4, 2016




DR. SHEIKH MAHBUB HABIB holds a positionas Automotive Security & Privacy Specialist un-der the Security and Privacy Competence Center(SCC) of Continental AG Germany. Before join-ing Continental, he was leading the SPIN (SmartProtection in Infrastructures and Networks) areain the Telecooperation (TK) Lab of TechnischeUniversität Darmstadt (TU Darmstadt). He holdsa doctoral degree (Dr. rer. nat.) in Computer Sci-ence focusing on IT Security from TU Darmstadt

Germany. He holds a M. Sc. degree in Computer Science and Engineeringfrom Chalmers University of Technology Sweden and a B.Sc. degree inComputer Science and Engineering from Khulna University of Engineeringand Technology Bangladesh. During his academic duty, he was involved inacquiring several Cybersecurity research projects, namely CROSSING, PAT,and PROTECTIVE, funded by the German Research Foundation (DFG)and European Commission (EC). His research interests are computationaltrust models, trust management, mobile application security & privacy, andvehicular security & privacy. Dr. Habib is serving as a reviewer in severaltop journals like IEEE TIFS, IEEE TCC, ACM TOPS, and ACM CSUR.He is currently appointed as “Publicity Chair” in the IFIP WG 11.11 (TrustManagement).

PROF. DR. MAX MÜHLHÄUSER is head ofthe Telecooperation Lab at Technische UniversitätDarmstadt, Informatics Dept. His Lab conductsresearch on smart ubiquitous computing environ-ments for the “pervasive Future Internet” in threeresearch fields: middleware and large network in-frastructures, novel multimodal interaction con-cepts, and human protection in ubiquitous com-puting (privacy, trust, and civil security). He headsor co-supervises various multilateral projects, e.g.,

on the Internet-of-Services, smart products, ad-hoc and sensor networks, andcivil security; these projects are funded by the National Funding AgencyDFG, the EU, German ministries, and industry. Max is heading the doctoralschool Privacy and Trust for Mobile Users and serves as deputy speakerof the collaborative research center MAKI on the Future Internet and ofthe center for infrastructure-less emergency response NICER. Max has alsoled several university wide programs that fostered E-Learning research andapplication. Max has over 30 years of experience in research and teachingin areas related to Ubiquitous Computing (UC), Networks and DistributedSystems, E-Learning, and Privacy&Trust. He held permanent or visitingprofessorships at the Universities of Kaiserslautern, Karlsruhe, Linz, Darm-stadt, MontrŽal, Sophia Antipolis (Eurecom), and San Diego (UCSD). In1993, he founded the TeCO institute (www.teco.edu) in Karlsruhe, Germany,which became one of the pace-makers for Ubiquitous Computing research inEurope. Max regularly publishes in Ubiquitous and Distributed Computing,HCI, Multimedia, E-Learning, and Privacy&Trust conferences and journalsand authored or co-authored more than 400 publications. He was and isactive in numerous conference program committees, as organizer of severalannual conferences, and as member of editorial boards or guest editor forjournals like Pervasive Computing, ACM Multimedia, Pervasive and MobileComputing, Web Engineering, and Distance Learning Technology.

VOLUME 4, 2016 13

Documents

Sphinx: a Colluder-Resistant Trust Mechanism for ......own group (to the eyes of everyone else), while worsening the trust of those outside the group, is known as a coalition. We propose