Page 1

Trust and Security Third Workshop
Yonatan Zetuny, Gabor Terstyanszky, Stephen Winter, Peter Kacsuk

Centre for Parallel Computing
Cavendish School of Informatics

University of Westminster
08 July, 2008

Key words: Grid Security, Reputation, Policy, Trust Model, Resource Selection

http://www.cpc.wmin.ac.uk

Page 2

Research Background
Toward Reputation-Policy Based Trust in Grid computing
Reputation-Policy Trust Model
Grid Reputation-Policy Trust Management Service Architecture
Test bed deployment, simulation & experiments
Summary

Yonatan Zetuny - Trust and Security Third Workshop 2

Page 3

Two common approaches for managing trust:
Policy based: Web services, E-Commerce
Reputation based: P2P, Ad-hoc networks

Traditional Grids use CA-based security measures to enable trust between parties. Current research efforts focus on integrating one of the two approaches for managing trust. Identified needs for:

Establishing dynamic evaluation of resources to manage the risk of workflow execution failure

Autonomic trust decision making based on a reputation evaluation strategy

Expressing reputation using policy assertions in order to promote semantic interoperability.

Page 4

Provided argument that:
A reputation-policy based approach should be considered in order to provide a complete resolution for dynamic trust establishment between Grid resources.
Reputation provides trust evaluation measurements in dynamic scenarios where parties are not known to each other.
Policy provides strong ties to standards and interoperability.

Suggested synergistic approach where:
Grid clients (e.g. brokers, monitoring toolkits) are able to encapsulate reputation evaluation requirements inside a policy file.
These requirements constitute a complete blueprint for a trust metrics algorithm.

Novelty points:
Synergistic model - combining a policy framework with a reputation algorithm (not used in Grid computing so far), modelling reputation as policy assertions.
Trust model integrates an evaluation model as well as a decision model.
Exoteric and extensible trust metrics algorithm.
Use of fuzzy logic to model uncertainties and subjective opinions on trust.

Page 5

Traditional Grid security research addressed trust through security mechanisms.

The need for reputation evaluation of Grid resources grows as the Grid shifts to ubiquitous and pervasive computing models.

Few attempts to apply reputation-based trust management systems (TMS) to Grids: GridEigenTrust, PathTrust, PeerTrust, etc.

Limitations of current solutions: a single, deterministic, community-based reputation algorithm that disallows user participation in the trust evaluation process.

Grid clients are not able to calculate the trust value of a Grid resource by specifying their own trust evaluation criteria; as a result, they are obliged to rely on a community reputation algorithm to compute trust values.

Page 6

Allowing Grid clients to take an active part in the trust and reputation evaluation process.

Enabling Grid clients to augment their existing reputation queries with a set of reputation-policy statements.

Encapsulating both the evaluation and the decision model, therefore providing complete trust metrics for the reputation algorithm and allowing decision support based on the supplied criteria.

Three properties: Synergistic, Exoteric, Heuristic.

Page 7

Distributed data model: trust data is divided between the Grid client and the reputation algorithm.

Model contains three artefacts:
◦ Trust Decision Strategy (TDS) > Heuristics
  Trust Evaluation Model > Subjective view
  Trust Decision Model > Opportunistic view
◦ Opinion Matrices (OM)
  Store and manipulate historical execution data
◦ Correlation Process (CP)
  Correlates each opinion element in the TDS with its historical ratings in the OM.
  Computes trust values using an Opinion Summary Table (OST).

Page 8

Represented by a Fuzzy Tree Model (FTM) expressing reputation-policy statements which are defined by trusting agents.

Ramified into two branches:
Trust Evaluation Model (TEM)
▪ Permutation of opinions representing subjective trust building blocks (e.g. availability, reliability, cost, etc).
Trust Decision Model (TDM)
▪ Potential trust value calculation outcomes and opportunistic correspondent courses of action.

Provides complete trust metrics for the reputation algorithm.

Page 9

(Figure: fuzzy inference from the input variable trust_value to the output variable trust_level.)

INPUT: trust_value, interpreted as one of the input terms {poor, good, excellent}

RULES:
IF trust_value IS poor THEN trust_level IS none
IF trust_value IS good THEN trust_level IS limited
IF trust_value IS excellent THEN trust_level IS full

OUTPUT: trust_level, assigned one of the output terms {none, limited, full}

Page 10

Provides a subjective view on trust. A client defines a finite set of opinions where each opinion represents a building block of trust (e.g. availability, data accuracy, cost, etc).

Client opinions must be a subset of the opinions applicable for the VO (defined by the MP).

Each opinion depends on one or more sources of references for historical trust data.

A source can have one of the following values: experience, reputation, or a combination of experience and reputation.

A weight rule is a special constraint which indicates the importance of one set item over another (decisions, opinions, sources).

Each weight rule uses a fuzzy value in [0…1] to indicate a degree of importance.

Page 11

Provides an opportunistic view on trust. A client defines a finite set of decision rules to indicate potential trust value calculation outcomes and potential courses of action.

Trust values are fuzzified using membership functions defined by the client.

Rules are modelled as fuzzy logic sets where each trust level calculation is coupled with its membership function to indicate a degree of belonging to each set.

Page 12

TDS = {TEM; (TDR1;TDR2; … ;TDRn)}

Page 13

Tabular data structures which store the historical evaluation feedback values reported by trusting agents.

For each opinion defined in the MP universe there is exactly one corresponding matrix, storing evaluation feedback data regarding that opinion.

When an execution is completed, a trusting agent is required to rate the quality of the transaction using an evaluation feedback mechanism. This mechanism gathers a score value for each opinion originally defined by the trusting agent in its trust decision strategy.

Page 14

(Figure: M(O), the matrix M for an opinion O, and the calculation of matrix value V(i,j).)

Values are based on the time series distribution, a trust decay function, a cut-off time and a weighted mean.

Page 15

Involves matching each opinion defined in the TDS with its historical references in the OMs and calculating the trust value for that opinion.

Each TDS opinion type is routed via the MP in order to return the corresponding OM.

The CP examines the opinion's source nodes (experience, reputation) and their weight factors.

The CP generates two vectors, an experience vector and a reputation vector, and calculates the opinion value using a standard mean.

Page 16

Page 17

GREPTrust is comprised of three domains:
• Client Domain – Grid Client, TDS Data Store
• Service Domain – Querying Manager, Feedback Manager and Admin Manager
• Data Domain – Reputation-Policy Data Store

Page 18

There are three major stages in reputation-policy querying management:
The Grid client submits a Reputation-Policy Query (RPQ) to the GREPTrust resource.
The GREPTrust resource processes the RPQ, generates a Reputation-Policy Report (RPR) and delivers it to the Grid client.
The Grid client utilises the RPR in order to make a decision on which resource(s) to submit the job to.

Page 19

Page 20

The Grid client contacts the TDS data store using a strategy identifier specified by the user when the job was submitted.

The TDS data store returns the TDS file to the Grid client. The Grid client assembles a reputation-policy query containing the following parameters:

Identifier of the Grid client.

Identifiers of the resources to be evaluated (assumed to have been obtained previously via a Grid Information Service).

Cut-off date - the start date from which to gather the feedback data. A null value means the earliest date on which any feedback was submitted.

Trust decay function identifier - the rate of trust decay. A weight is assigned to each submitted feedback, giving higher importance to recently submitted feedback. The Grid client can submit custom decay functions, but for the purpose of the simulation three functions are supported: 1/x, 1/x^2 and exp(x). A null value means no trust decay function is used.

The TDS file to be processed.

The Grid client submits the reputation-policy query to the GREPTrust resource, which processes the TDS and returns a reputation-policy report.
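The Opinion Matrix and Correlation Process slides (pages 13-15) name the ingredients of a trust value (a time series of feedback, a cut-off date, a trust decay function, a weighted mean, and experience and reputation sources), and page 20 lists the RPQ parameters that select them, but no formula survives in the slides. The Python below is an added example, not GREPTrust code: it carries those ingredients through on constructed feedback rows for one resource using the Trust Evaluation Model printed on page 28. The arithmetic (a decayed weighted mean per source, sources folded by their weights, then opinions by theirs) is this example's reading of the slides. The decay functions are taken as weights of feedback age in days, with 1/x shifted by one day so that age 0 is defined and the exponential taken as exp(-age/30), because a weight that grew with age would not favour recent feedback as page 20 requires; both are assumptions of the example.

```python
"""Opinion Matrices (OM) and Correlation Process (CP) for one Grid resource.

Added example, not GREPTrust code. The slides name the ingredients (time series
of feedback, cut-off date, trust decay function, weighted mean, experience and
reputation sources) but not the formula; the arithmetic below is one reading of
pages 13-15 and 20. The feedback rows are constructed for this example."""
from datetime import date
import math
import xml.etree.ElementTree as ET

# Trust Evaluation Model exactly as printed on page 28.
TEM_XML = """<TrustEvaluationModel>
  <Opinions>
    <Opinion Type="1" Weight="0.1">
      <Sources>
        <Source Type="Experience" Weight="0.9"/>
        <Source Type="Reputation" Weight="0.1"/>
      </Sources>
    </Opinion>
    <Opinion Type="2" Weight="0.9">
      <Sources>
        <Source Type="Experience" Weight="0.9"/>
        <Source Type="Reputation" Weight="0.1"/>
      </Sources>
    </Opinion>
  </Opinions>
</TrustEvaluationModel>"""

# Decay weight as a function of feedback age in days, keyed by the RPQ
# TrustDecayFunction identifier (None = no decay). Page 20 lists 1/x, 1/x^2 and
# exp(x); here 1/x is shifted by one day so that age 0 is defined, and the
# exponential is exp(-age/30) because a weight must not grow with age if recent
# feedback is to count more. Both choices are assumptions of this example.
DECAY_FUNCTIONS = {
    None: lambda age: 1.0,
    "1": lambda age: 1.0 / (age + 1),
    "2": lambda age: 1.0 / (age + 1) ** 2,
    "3": lambda age: math.exp(-age / 30.0),
}

# Constructed Opinion Matrix rows for resource "2": (opinion type, source, date, score in [0, 1]).
# "Experience" rows are the querying client's own past executions, "Reputation" rows other agents' feedback.
FEEDBACK = [
    ("1", "Experience", date(2008, 7, 1), 1.0),
    ("1", "Experience", date(2008, 6, 1), 0.5),
    ("1", "Experience", date(2008, 5, 1), 0.9),   # older than the 20080520 cut-off in the RPQ table
    ("1", "Reputation", date(2008, 6, 15), 0.6),
    ("2", "Experience", date(2008, 7, 5), 0.2),
    ("2", "Experience", date(2008, 6, 10), 0.4),
    ("2", "Reputation", date(2008, 6, 20), 0.8),
]


def parse_tem(xml_text):
    """Return {opinion type: (opinion weight, {source type: source weight})}."""
    tem = {}
    for op in ET.fromstring(xml_text).iter("Opinion"):
        sources = {s.get("Type"): float(s.get("Weight")) for s in op.iter("Source")}
        tem[op.get("Type")] = (float(op.get("Weight")), sources)
    return tem


def decayed_mean(rows, today, cutoff, decay):
    """Weighted mean of the scores, weight = decay(age in days); rows before the cut-off are dropped.
    Returns None when no row survives, so the caller can renormalise over the sources that have data."""
    num = den = 0.0
    for _, _, when, score in rows:
        if cutoff is not None and when < cutoff:
            continue
        w = decay((today - when).days)
        num += w * score
        den += w
    return num / den if den > 0 else None


def weighted_combine(weighted_values):
    """Fold (weight, value) pairs into one value, renormalising over the non-None entries."""
    present = [(w, v) for w, v in weighted_values if v is not None]
    total = sum(w for w, _ in present)
    return sum(w * v for w, v in present) / total if total > 0 else None


def trust_value(tem, feedback, today, cutoff=None, decay_id=None):
    """Correlation Process: for every TEM opinion, route each source to its OM rows,
    fold the sources by their weights, then fold the opinions by theirs."""
    decay = DECAY_FUNCTIONS[decay_id]
    opinions = []
    for op_type, (op_weight, sources) in tem.items():
        per_source = [
            (src_weight, decayed_mean([r for r in feedback if r[0] == op_type and r[1] == src], today, cutoff, decay))
            for src, src_weight in sources.items()
        ]
        opinions.append((op_weight, weighted_combine(per_source)))
    return weighted_combine(opinions)


def example_values():
    """The RPQ of page 21 (client 1, cut-off 20080520) run three ways against resource 2."""
    tem, today, cutoff = parse_tem(TEM_XML), date(2008, 7, 8), date(2008, 5, 20)
    return {
        "cutoff_no_decay": trust_value(tem, FEEDBACK, today, cutoff),          # 0.3885
        "no_cutoff_no_decay": trust_value(tem, FEEDBACK, today),               # 0.393
        "cutoff_exp_decay": trust_value(tem, FEEDBACK, today, cutoff, "3"),    # lower: recent opinion-2 scores are poor
    }


if __name__ == "__main__":
    for name, value in example_values().items():
        print(f"{name}: {value:.4f}")
```

Dropping the cut-off admits the old 0.9 score and lifts the value slightly; switching on the exponential decay lowers it, because the most recent scores for the heavily weighted opinion 2 are poor. A source with no surviving rows is excluded and the remaining sources are renormalised rather than counted as zero, so a resource is not penalised merely because nobody has rated it yet.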

Page 21

Parameter               Value             Type
ClientID                1                 String
Resources               1,2               String[]
CutoffDateTime          20080520          Date
TrustDecayFunction      3 (Exponential)   String
TrustDecisionStrategy   <XML>             String

(Figure: RPQ message sequence between the Grid Client and GREPTrust.)

Page 22

GREPTrust resource receives a new RPQ:
The RPQ is dispatched to the Query Manager (QM).
The QM validates the RPQ and submits it to the Reputation Algorithm (RA) for processing:
▪ Step 1: Processing the TDS Evaluation Model
▪ Step 2: Processing the TDS Decision Model
▪ Step 3: Generating the Reputation-Policy Report

Page 23

Page 24

Step 1: Process TDS Evaluation Model
Step 2: Process TDS Decision Model
Step 3: Generate Reputation-Policy Report

Pages 25-27

Page 28

<TrustEvaluationModel>
  <Opinions>
    <Opinion Type="1" Weight="0.1">
      <Sources>
        <Source Type="Experience" Weight="0.9"/>
        <Source Type="Reputation" Weight="0.1"/>
      </Sources>
    </Opinion>
    <Opinion Type="2" Weight="0.9">
      <Sources>
        <Source Type="Experience" Weight="0.9"/>
        <Source Type="Reputation" Weight="0.1"/>
      </Sources>
    </Opinion>
  </Opinions>
</TrustEvaluationModel>

(Callouts: permutation of opinions; permutation of sources.)

Page 29

<Fuzzifier Name="trust_value">
  <Terms>
    <Term Name="poor">
      <Points>
        <Point X="0.0" Y="1.0" />
        <Point X="0.5" Y="0.0" />
      </Points>
    </Term>
    <Term Name="good">
      <Points>
        <Point X="0.0" Y="0.0" />
        <Point X="0.5" Y="1.0" />
        <Point X="1.0" Y="0.0" />
      </Points>
    </Term>
    <Term Name="excellent">
      <Points>
        <Point X="0.5" Y="0.0" />
        <Point X="1.0" Y="1.0" />
      </Points>
    </Term>
  </Terms>
</Fuzzifier>

(Callouts: input variable, term names, membership functions.)

The value of the input variable trust_value has to be converted into degrees of membership for the membership functions defined on the variable.

Page 30

Fuzzification example for trust_value = 0.11: poor 0.78, good 0.22, excellent 0.00.

Page 31

IF trust_value IS poor THEN trust_level IS none
IF trust_value IS good THEN trust_level IS limited
IF trust_value IS excellent THEN trust_level IS full

Inference example for trust value 0.11: implication method MIN, accumulation method MAX, defuzzification method COG; resulting trust level 0.32.

Page 32

<Defuzzifier Name="trust_level" AccumulationMethod="MAX" DefuzzificationMethod="COG" DefaultValue="0">
  <Terms>
    <Term Name="none">
      <Points>
        <Point X="0.0" Y="0.0" />
        <Point X="0.1" Y="1.0" />
        <Point X="0.2" Y="0.0" />
      </Points>
    </Term>
    <Term Name="limited">
      <Points>
        <Point X="0.2" Y="0.0" />
        <Point X="0.5" Y="1.0" />
        <Point X="0.8" Y="0.0" />
      </Points>
    </Term>
    <Term Name="full">
      <Points>
        <Point X="0.8" Y="0.0" />
        <Point X="0.9" Y="1.0" />
        <Point X="1.0" Y="0.0" />
      </Points>
    </Term>
  </Terms>
</Defuzzifier>

(Callouts: output variable, membership functions.)

The linguistic output variable trust_level has to be converted back into a crisp value.

Page 33

<Rules>
  <Rule Id="1" Expression="IF trust_value IS poor THEN trust_level IS none" />
  <Rule Id="2" Expression="IF trust_value IS good THEN trust_level IS limited" />
  <Rule Id="3" Expression="IF trust_value IS excellent THEN trust_level IS full" />
</Rules>

• The inference of the fuzzy algorithm is defined in one or more rule blocks.
• Each rule block defines a predicate based on de Morgan's Law.
• Each rule block has a unique name defining a distinct set.

M = {(x1, μM(x1)), (x2, μM(x2)), …, (xn, μM(xn))}, xi ∈ G, i = 1, 2, …, n (A.1)

(Callouts: rule block/ID, condition, conclusion, output variable.)

Page 34

<GREPTrust:Report>
  <Resources>
    <Resource Id="2" Value="0.11" Level="0.32">
      <Rules>
        <Rule Id="3" Degree="0.0"/>
        <Rule Id="2" Degree="0.22"/>
        <Rule Id="1" Degree="0.78"/>
      </Rules>
    </Resource>
    <Resource Id="1" Value="0.41" Level="0.46">
      <Rules>
        <Rule Id="3" Degree="0.0"/>
        <Rule Id="2" Degree="0.82"/>
        <Rule Id="1" Degree="0.18"/>
      </Rules>
    </Resource>
  </Resources>
</GREPTrust:Report>

(Callouts: TDM trust level; TDM degree of membership.)

Quantitative methodologies for modelling subjective & opportunistic perception on trust…
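Pages 29 to 34 carry a complete Trust Decision Model: the fuzzifier for trust_value, three rules, the defuzzifier for trust_level with MAX accumulation and COG defuzzification, MIN implication (page 31), and the report produced for resources 1 and 2. The Python below is an added example, not GREPTrust code. It parses those three XML fragments exactly as printed and reproduces the report (0.11 gives level 0.32 with rule degrees 0.78/0.22/0.0; 0.41 gives level 0.46 with 0.18/0.82/0.0). The grid-based centre-of-gravity integral, the rule-expression grammar accepted by the regular expression, and the handling of a trust value outside every input term (the defuzzifier's DefaultValue is returned) are implementation choices of this example.

```python
"""Trust Decision Model (TDM) inference: fuzzify trust_value, fire the rules,
defuzzify trust_level. Added example, not GREPTrust code; it consumes the
Fuzzifier, Rules and Defuzzifier fragments exactly as printed on pages 29, 32
and 33 and applies the methods the slides name: MIN implication, MAX
accumulation, centre-of-gravity (COG) defuzzification. Evaluating the COG on a
fixed grid is this example's implementation choice."""
import re
import xml.etree.ElementTree as ET

FUZZIFIER_XML = """<Fuzzifier Name="trust_value"><Terms>
<Term Name="poor"><Points><Point X="0.0" Y="1.0"/><Point X="0.5" Y="0.0"/></Points></Term>
<Term Name="good"><Points><Point X="0.0" Y="0.0"/><Point X="0.5" Y="1.0"/><Point X="1.0" Y="0.0"/></Points></Term>
<Term Name="excellent"><Points><Point X="0.5" Y="0.0"/><Point X="1.0" Y="1.0"/></Points></Term>
</Terms></Fuzzifier>"""

RULES_XML = """<Rules>
<Rule Id="1" Expression="IF trust_value IS poor THEN trust_level IS none"/>
<Rule Id="2" Expression="IF trust_value IS good THEN trust_level IS limited"/>
<Rule Id="3" Expression="IF trust_value IS excellent THEN trust_level IS full"/>
</Rules>"""

DEFUZZIFIER_XML = """<Defuzzifier Name="trust_level" AccumulationMethod="MAX" DefuzzificationMethod="COG" DefaultValue="0"><Terms>
<Term Name="none"><Points><Point X="0.0" Y="0.0"/><Point X="0.1" Y="1.0"/><Point X="0.2" Y="0.0"/></Points></Term>
<Term Name="limited"><Points><Point X="0.2" Y="0.0"/><Point X="0.5" Y="1.0"/><Point X="0.8" Y="0.0"/></Points></Term>
<Term Name="full"><Points><Point X="0.8" Y="0.0"/><Point X="0.9" Y="1.0"/><Point X="1.0" Y="0.0"/></Points></Term>
</Terms></Defuzzifier>"""

# Only the single-antecedent rule shape used on page 33 is accepted (an assumption of this example).
RULE_RE = re.compile(r"IF (\w+) IS (\w+) THEN (\w+) IS (\w+)")


def parse_terms(xml_text):
    """Map term name -> list of (x, y) points of a piecewise-linear membership function."""
    return {
        term.get("Name"): [(float(p.get("X")), float(p.get("Y"))) for p in term.iter("Point")]
        for term in ET.fromstring(xml_text).iter("Term")
    }


def parse_rules(xml_text):
    """List of (rule id, input variable, input term, output variable, output term)."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("Rule"):
        m = RULE_RE.fullmatch(rule.get("Expression"))
        if m is None:
            raise ValueError("unsupported rule syntax: " + rule.get("Expression"))
        rules.append((rule.get("Id"),) + m.groups())
    return rules


def membership(points, x):
    """Degree of membership by linear interpolation; zero outside the term's support."""
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        if x0 <= x <= x1:
            return y0 if x1 == x0 else y0 + (y1 - y0) * (x - x0) / (x1 - x0)
    return 0.0


def infer(value, fuzz, rules, defuzz, default=0.0, steps=1000):
    """Return (crisp trust_level, {rule id: firing degree}) for one crisp trust_value."""
    degrees = {rid: membership(fuzz[in_term], value) for rid, _, in_term, _, _ in rules}
    lo = min(x for pts in defuzz.values() for x, _ in pts)
    hi = max(x for pts in defuzz.values() for x, _ in pts)
    moment = area = 0.0
    for i in range(steps + 1):
        x = lo + (hi - lo) * i / steps
        # MIN implication clips each consequent term at its rule's degree; MAX accumulates across rules.
        mu = max(min(degrees[rid], membership(defuzz[out_term], x)) for rid, *_, out_term in rules)
        moment += x * mu
        area += mu
    # COG is the centroid of the accumulated shape; with nothing fired, fall back to DefaultValue.
    return (moment / area if area else default), degrees


def build_report(resource_values):
    """Reputation-Policy Report rows as on page 34: resource id -> (value, level, {rule id: degree})."""
    root = ET.fromstring(DEFUZZIFIER_XML)
    if (root.get("AccumulationMethod"), root.get("DefuzzificationMethod")) != ("MAX", "COG"):
        raise ValueError("only MAX accumulation with COG defuzzification is implemented here")
    fuzz, rules, defuzz = parse_terms(FUZZIFIER_XML), parse_rules(RULES_XML), parse_terms(DEFUZZIFIER_XML)
    default = float(root.get("DefaultValue"))
    report = {}
    for res_id, value in resource_values.items():
        level, degrees = infer(value, fuzz, rules, defuzz, default)
        report[res_id] = (value, round(level, 2), {k: round(v, 2) for k, v in degrees.items()})
    return report


if __name__ == "__main__":
    for res_id, (value, level, degrees) in build_report({"2": 0.11, "1": 0.41}).items():
        print(f'<Resource Id="{res_id}" Value="{value}" Level="{level}"/>', degrees)
```

With the membership functions of pages 29 and 32 the centroid can also be checked by hand: for trust_value 0.11 the "none" triangle clipped at 0.78 has area 0.09516 centred on 0.1 and the "limited" triangle clipped at 0.22 has area 0.11748 centred on 0.5, so the centre of gravity is 0.068256 / 0.21264 ≈ 0.321, which the report rounds to 0.32.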

Page 35

Decoupling the model's logic from the actual domain using the IQueryManager interface.

GridSim simulation environment, providing both scheduled and manual approaches.

Reputation Analytics – evaluations and decisions based on existing and preselected data.

(Figure: historical data → strategy selection → reputation-policy query → reports.)

Page 36

Performance studies – Does this model really allow prudent resource selection?

Behaviour – How does this model behave under various conditions? How will different strategies affect the recommended resources? What are the limitations? Time series analysis, correlation analysis.

Epistemology studies – How does the knowledge provided manage execution risk? How can Grid client applications make use of the model? Analytics: statistical analysis in order to discover and understand historical patterns.

Cognitive studies – Can we use this model to develop patterns for resource selection? Machine learning? Knowledge management?

Repercussions and merits of the model on Grid computing.

Page 37

Reputation-Policy Trust Model behaviour - experiment with different test case scenarios.

Deployment on simulation environment.

Scalability and performance of the GREPTrust architecture.

Page 38

Novel paradigm for managing trust in Grid computing: an adaptable reputation-policy trust model vs. current Grid reputation models, which offer a single, community-based, deterministic reputation algorithm.

The reputation-policy trust model allows fine-grained resource selection based on a trust decision strategy defined by the trusting agent rather than by the reputation algorithm.

Synergistic TDS - trust decision strategy definition using opinions, sources and rules.

Internal artefacts of the model (TDS, OM and CP) were proposed in order to support trust data.

Questions/Comments/Suggestions?
