Trust and Security Third Workshop
Yonatan Zetuny, Gabor Terstyanszky, Stephen Winter, Peter Kacsuk
Centre for Parallel Computing, Cavendish School of Informatics
University of Westminster
08 July, 2008
Key words: Grid Security, Reputation, Policy, Trust Model, Resource Selection
http://www.cpc.wmin.ac.uk
Outline:
◦ Research Background
◦ Toward Reputation-Policy Based Trust in Grid computing
◦ Reputation-Policy Trust Model
◦ Grid Reputation-Policy Trust Management Service Architecture
◦ Test bed deployment, simulation & experiments
◦ Summary
Yonatan Zetuny - Trust and Security Third Workshop 2
Two common approaches for managing trust:
◦ Policy based: Web services, E-Commerce
◦ Reputation based: P2P, Ad-hoc networks
Traditional Grids use CA security measures to enable trust between parties. Current research efforts focus on integrating one of the two approaches for managing trust.
Identified needs for:
◦ Establishing dynamic evaluation of resources to manage the risk of workflow execution failure
◦ Autonomic trust decision making based on a reputation evaluation strategy
◦ Expressing reputation using policy assertions in order to promote semantic interoperability
Provided argument that:
◦ A reputation-policy based approach should be considered in order to provide a complete resolution for dynamic trust establishment between Grid resources.
◦ Reputation provides trust evaluation measurements in dynamic scenarios where parties are not known to each other.
◦ Policy provides strong ties to standards and interoperability.
Suggested a synergistic approach where:
◦ Grid clients (e.g. brokers, monitoring toolkits) are able to encapsulate reputation evaluation requirements inside a policy file.
◦ These requirements constitute a complete blueprint for a trust metrics algorithm.
Novelty points:
◦ Synergistic model: combining a policy framework with a reputation algorithm (not used in Grid computing so far), modelling reputation as policy assertions.
◦ The trust model integrates an evaluation model as well as a decision model.
◦ Exoteric and extensible trust metrics algorithm.
◦ Use of fuzzy logic to model uncertainties and subjective opinions on trust.
Traditional Grid security research addressed trust through security mechanisms.
The need for reputation evaluation of Grid resources as Grid shifts to ubiquitous and pervasive computing models.
Few attempts to apply reputation-based trust management systems (TMS) to Grids (GridEigenTrust, PathTrust, PeerTrust, etc.).
Limitations of current solutions – single, deterministic, community based reputation algorithm disallowing user participation in the trust evaluation process.
Grid clients are not able to calculate the trust value of a Grid resource by specifying their own trust evaluation criteria and as a result, they are obliged to rely on a community reputation algorithm to compute trust values.
Allowing Grid clients to carry out an active involvement in the trust and reputation evaluation process.
Enabling Grid clients to augment their existing reputation queries with a set of reputation policy statements.
Encapsulating both the evaluation and the decision model, therefore providing complete trust metrics for the reputation algorithm and allowing decision support based on the supplied criteria.
Three properties: Synergistic, Exoteric, Heuristic.
Distributed data model: trust data is divided between the Grid client and the reputation algorithm.
The model contains three artefacts:
◦ Trust Decision Strategy (TDS) > Heuristics
  ▪ Trust Evaluation Model > Subjective view
  ▪ Trust Decision Model > Opportunistic view
◦ Opinion Matrices (OM): store and manipulate historical execution data
◦ Correlation Process (CP): correlates each opinion element in the TDS with its historical ratings in the OM; computes trust values using an Opinion Summary Table (OST).
Represented by a Fuzzy Tree Model (FTM) expressing reputation-policy statements which are defined by trusting agents.
Ramified into two branches:
◦ Trust Evaluation Model (TEM)
  ▪ Permutation of opinions representing subjective trust building blocks (e.g. availability, reliability, cost, etc.).
◦ Trust Decision Model (TDM)
  ▪ Potential trust value calculation outcomes and opportunistic correspondent courses of action.
Provides complete trust metrics for the reputation algorithm.
(Diagram: fuzzy inference flow from trust value to trust level)
INPUT: trust value, interpreted as the input terms {poor, good, excellent}
RULES:
IF trust_value IS poor THEN trust_level IS none
IF trust_value IS good THEN trust_level IS limited
IF trust_value IS excellent THEN trust_level IS full
OUTPUT: trust level, assigned to the output terms {none, limited, full}
Provides a subjective view on trust. A client defines a finite set of opinions where each opinion represents a building block of trust (e.g. availability, data accuracy, cost, etc.).
Client opinions must be a subset of opinions applicable for the VO (Defined by MP).
Each opinion is dependent on one or more sources of references for historical trust data.
A source can have one of the following values: experience, reputation or combination of experience and reputation.
A weight rule is a special constraint which indicates the importance of one set item over another (decisions, opinions, sources).
Each weight rule uses a fuzzy value [0…1] to indicate a degree of importance.
Provides an opportunistic view on trust. A client defines a finite set of decision rules to indicate potential trust value calculation outcomes and potential courses of action.
Trust values are fuzzified using membership functions defined by the client.
Rules are modelled as fuzzy logic sets where each trust level calculation is coupled with its membership function to indicate a degree of belonging to each set.
TDS = {TEM; (TDR1;TDR2; … ;TDRn)}
Tabular data structures which store the historical evaluation feedback values reported by trusting agents.
For each opinion defined in the MP universe there is one and only one correspondent matrix, storing evaluation feedback data regarding that opinion.
When an execution is completed, a trusting agent is required to rate the quality of the transaction using an evaluation feedback mechanism. This mechanism gathers a score value for each opinion originally defined by the trusting agent using the trust decision strategy.
(Diagram: M(O), the matrix M for an opinion O, and the calculation of matrix value V(i,j))
Values are based on time series distribution, trust decay function, cut-off time and weighted mean.
The Correlation Process (CP) involves matching each opinion defined in the TDS with its historical references in the OMs and calculating the trust value for that opinion.
Each TDS opinion type is routed via the MP in order to return a correspondent OM.
The CP examines the opinion’s source nodes (experience, reputation) and their weight factors.
The CP generates two vectors, an experience vector and a reputation vector, and calculates the opinion value using a standard mean:
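One way the Correlation Process can be read, as an added example that is neither the slides' nor GREPTrust's code: the TEM weights from the XML on a later slide, a constructed Opinion Matrix of dated feedback, the RPQ cut-off date and a decay function (1/x or 1/x^2 over the feedback age in days, an assumption) are combined into a decay-weighted mean per source, then per opinion, then overall. The "now" date and all feedback scores are constructed; the slides do not give the actual formula.

```python
# Added illustration of the Correlation Process (not GREPTrust code). It turns a
# TEM (opinion and source weights, as in the slides' XML) and one resource's Opinion
# Matrices into a single trust value. The decay-weighted mean and the "age in days"
# reading of x in 1/x and 1/x^2 are assumptions; the slides do not give the formula.
from datetime import date

DECAY = {None: lambda age: 1.0,                  # no decay function (null value)
         "1/x": lambda age: 1.0 / age,
         "1/x^2": lambda age: 1.0 / age ** 2}

# TEM: opinion -> (opinion weight, {source: source weight}); weights from the slides.
TEM = {"1": (0.1, {"Experience": 0.9, "Reputation": 0.1}),
       "2": (0.9, {"Experience": 0.9, "Reputation": 0.1})}

# Constructed Opinion Matrices for one resource: opinion -> source -> [(date, score)].
OM = {"1": {"Experience": [(date(2008, 5, 10), 0.9), (date(2008, 6, 1), 0.6)],
            "Reputation": [(date(2008, 6, 10), 0.5)]},
      "2": {"Experience": [(date(2008, 5, 25), 0.3), (date(2008, 6, 20), 0.4)],
            "Reputation": [(date(2008, 4, 1), 1.0), (date(2008, 6, 15), 0.2)]}}
CUTOFF = date(2008, 5, 20)   # cut-off date from the slides' RPQ example
NOW = date(2008, 7, 8)       # assumed evaluation date (the workshop date)


def decayed_mean(feedback, cutoff, now, decay):
    """Weighted mean of scores dated on/after cutoff; weight = decay(age in days >= 1)."""
    kept = [(score, decay(max(1, (now - d).days)))
            for d, score in feedback if cutoff is None or d >= cutoff]
    if not kept:
        return None                      # no usable references for this source
    return sum(s * w for s, w in kept) / sum(w for _, w in kept)


def correlate(tem, om, cutoff, now, decay_name=None):
    """Experience/reputation vectors -> opinion values -> weighted overall trust value."""
    decay = DECAY[decay_name]
    total = weight_sum = 0.0
    for opinion, (ow, sources) in tem.items():
        vec = [(decayed_mean(om.get(opinion, {}).get(src, []), cutoff, now, decay), sw)
               for src, sw in sources.items()]
        vec = [(v, sw) for v, sw in vec if v is not None]
        if not vec:
            continue                     # opinion has no data inside the window
        opinion_value = sum(v * sw for v, sw in vec) / sum(sw for _, sw in vec)
        total += opinion_value * ow
        weight_sum += ow
    return round(total / weight_sum, 4) if weight_sum else None


if __name__ == "__main__":
    print(correlate(TEM, OM, CUTOFF, NOW, "1/x"))
```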
GREPTrust is comprised of three domains:
• Client Domain – Grid Client, TDS Data Store
• Service Domain – Querying Manager, Feedback Manager and Admin Manager
• Data Domain – Reputation-Policy Data Store
There are three major scenarios regarding reputation-policy querying management:
◦ The Grid client submits a Reputation-Policy Query (RPQ) to the GREPTrust resource.
◦ The GREPTrust resource processes the RPQ, generates a Reputation-Policy Report (RPR) and delivers it to the Grid client.
◦ The Grid client utilises the RPR in order to make a decision on which resource(s) to submit the job to.
The Grid client contacts the TDS data store using a strategy identifier specified by the user when the job was submitted.
The TDS data store returns the TDS file back to the Grid client. The Grid client assembles a reputation-policy query containing the following parameters:
◦ Identifier of the Grid client.
◦ Identifiers of the resources to be evaluated (assumed to be previously obtained via a Grid Information Service).
◦ Cut-off date: the start date from which to gather the feedback data. A null value means the earliest date a feedback was ever submitted is used.
◦ Trust decay function identifier: the rate of trust decay. This assigns a weight to each submitted feedback, giving higher importance to feedback submitted recently. The Grid client can submit custom decay functions, but for the purpose of the simulation 3 functions are supported: 1/x, 1/x^2 and exp(x). A null value means no trust decay function is used.
◦ The TDS file to be processed.
The Grid client submits the reputation-policy query to the GREPTrust resource for processing the TDS and returning a reputation-policy report.
Example reputation-policy query parameters:
Parameter              Value            Type
ClientID               1                String
Resources              1,2              String[]
CutoffDateTime         20080520         Date
TrustDecayFunction     3 (Exponential)  String
TrustDecisionStrategy  <XML>            String
(Sequence diagram: Grid Client and GREPTrust)
The GREPTrust resource receives a new RPQ:
◦ The RPQ is dispatched to the Query Manager (QM).
◦ The QM validates the RPQ and submits it to the Reputation Algorithm (RA) for processing:
  ▪ Step 1: Processing the TDS Evaluation Model
  ▪ Step 2: Processing the TDS Decision Model
  ▪ Step 3: Generating the Reputation-Policy Report
STEP1: Process TDS Evaluation Model
STEP2: Process TDS Decision Model
STEP3: Generate Reputation-Policy Report
<TrustEvaluationModel>
  <Opinions>
    <Opinion Type="1" Weight="0.1">
      <Sources>
        <Source Type="Experience" Weight="0.9"/>
        <Source Type="Reputation" Weight="0.1"/>
      </Sources>
    </Opinion>
    <Opinion Type="2" Weight="0.9">
      <Sources>
        <Source Type="Experience" Weight="0.9"/>
        <Source Type="Reputation" Weight="0.1"/>
      </Sources>
    </Opinion>
  </Opinions>
</TrustEvaluationModel>
(Diagram labels on the TEM above: permutation of opinions; permutation of sources)
<Fuzzifier Name="trust_value">
  <Terms>
    <Term Name="poor">
      <Points>
        <Point X="0.0" Y="1.0" />
        <Point X="0.5" Y="0.0" />
      </Points>
    </Term>
    <Term Name="good">
      <Points>
        <Point X="0.0" Y="0.0" />
        <Point X="0.5" Y="1.0" />
        <Point X="1.0" Y="0.0" />
      </Points>
    </Term>
    <Term Name="excellent">
      <Points>
        <Point X="0.5" Y="0.0" />
        <Point X="1.0" Y="1.0" />
      </Points>
    </Term>
  </Terms>
</Fuzzifier>
(Diagram labels on the Fuzzifier above: input variable, term names, membership functions)
The value of the trust_value input variable has to be converted into degrees of membership for the membership functions defined on the variable.
Fuzzification example:
Trust Value: 0.11
Poor: 0.78
Good: 0.22
Excellent: 0.00
Rules:
IF trust_value IS poor THEN trust_level IS none
IF trust_value IS good THEN trust_level IS limited
IF trust_value IS excellent THEN trust_level IS full
trust value: 0.11
trust level: 0.32
Implication Method: MIN
Accumulation Method: MAX
Defuzzification Method: COG
<Defuzzifier Name="trust_level" AccumulationMethod="MAX" DefuzzificationMethod="COG" DefaultValue="0">
  <Terms>
    <Term Name="none">
      <Points>
        <Point X="0.0" Y="0.0" />
        <Point X="0.1" Y="1.0" />
        <Point X="0.2" Y="0.0" />
      </Points>
    </Term>
    <Term Name="limited">
      <Points>
        <Point X="0.2" Y="0.0" />
        <Point X="0.5" Y="1.0" />
        <Point X="0.8" Y="0.0" />
      </Points>
    </Term>
    <Term Name="full">
      <Points>
        <Point X="0.8" Y="0.0" />
        <Point X="0.9" Y="1.0" />
        <Point X="1.0" Y="0.0" />
      </Points>
    </Term>
  </Terms>
</Defuzzifier>
(Diagram labels on the Defuzzifier above: output variable, membership functions)
The linguistic output variable trust_level has to be converted into a crisp value.
<Rules>
  <Rule Id="1" Expression="IF trust_value IS poor THEN trust_level IS none" />
  <Rule Id="2" Expression="IF trust_value IS good THEN trust_level IS limited" />
  <Rule Id="3" Expression="IF trust_value IS excellent THEN trust_level IS full" />
</Rules>
• The inference of the fuzzy algorithm is defined in one or more rule blocks.
• Each rule block defines a predicate based on de Morgan's Law.
• Each rule block has a unique name defining a distinct set:
$M = \{(x_1, \mu_M(x_1)), (x_2, \mu_M(x_2)), \ldots, (x_n, \mu_M(x_n))\}, \quad x_i \in G,\ i = 1, 2, \ldots, n$ (A.1)
(Diagram labels on the Rules above: rule block/ID, condition, conclusion; output variable)
<GREPTrust:Report>
  <Resources>
    <Resource Id="2" Value="0.11" Level="0.32">
      <Rules>
        <Rule Id="3" Degree="0.0"/>
        <Rule Id="2" Degree="0.22"/>
        <Rule Id="1" Degree="0.78"/>
      </Rules>
    </Resource>
    <Resource Id="1" Value="0.41" Level="0.46">
      <Rules>
        <Rule Id="3" Degree="0.0"/>
        <Rule Id="2" Degree="0.82"/>
        <Rule Id="1" Degree="0.18"/>
      </Rules>
    </Resource>
  </Resources>
</GREPTrust:Report>
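The inference that produces the report above, as an added example that is not code from the slides or from GREPTrust: it encodes the Fuzzifier, Rules and Defuzzifier definitions shown earlier and reproduces the Value, Degree and Level figures for both resources using MIN implication, MAX accumulation and centre-of-gravity defuzzification. Approximating the COG integral by sampling the output universe on a fine grid is an assumption of this example.

```python
# Added example (not GREPTrust code): Mamdani inference over the slides' fuzzy terms.
# Implication MIN, accumulation MAX, defuzzification COG, as set on the Defuzzifier.

# Piecewise-linear membership functions copied from the Fuzzifier/Defuzzifier XML.
TRUST_VALUE_TERMS = {
    "poor":      [(0.0, 1.0), (0.5, 0.0)],
    "good":      [(0.0, 0.0), (0.5, 1.0), (1.0, 0.0)],
    "excellent": [(0.5, 0.0), (1.0, 1.0)],
}
TRUST_LEVEL_TERMS = {
    "none":    [(0.0, 0.0), (0.1, 1.0), (0.2, 0.0)],
    "limited": [(0.2, 0.0), (0.5, 1.0), (0.8, 0.0)],
    "full":    [(0.8, 0.0), (0.9, 1.0), (1.0, 0.0)],
}
# Rule block from the slides: (antecedent input term, consequent output term).
RULES = [("poor", "none"), ("good", "limited"), ("excellent", "full")]


def membership(points, x):
    """Degree of membership of x in a piecewise-linear term; 0 outside its support."""
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        if x0 <= x <= x1:
            return y0 + (y1 - y0) * (x - x0) / (x1 - x0)
    return 0.0


def fuzzify(trust_value):
    """Fuzzification: crisp trust value -> degree of membership per input term."""
    return {term: membership(pts, trust_value) for term, pts in TRUST_VALUE_TERMS.items()}


def infer_trust_level(trust_value, steps=1000):
    """Return (rule firing degrees, crisp trust level) for one resource."""
    degrees = fuzzify(trust_value)
    num = den = 0.0
    for i in range(steps + 1):            # sample the output universe [0, 1]
        x = i / steps
        # MIN clips each consequent at its rule's firing degree; MAX accumulates them.
        mu = max(min(degrees[a], membership(TRUST_LEVEL_TERMS[c], x)) for a, c in RULES)
        num += x * mu
        den += mu
    level = num / den if den else 0.0     # DefaultValue="0" when no rule fires
    return degrees, round(level, 2)


if __name__ == "__main__":
    for rid, value in ((2, 0.11), (1, 0.41)):   # trust values from the slides' report
        degrees, level = infer_trust_level(value)
        print(f"Resource {rid}: value={value} degrees={degrees} level={level}")
```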
(Diagram labels on the report above: TDM trust level; TDM degree of membership)
Quantitative methodologies for modelling subjective & opportunistic perception on trust…
Decoupling the model's logic from the actual domain using the IQueryManager interface.
GridSIM simulation environment, providing both scheduled and manual based approaches.
(Diagram components: Historical Data; Strategy Selection; Reputation-Policy Query; Reputation Analytics – evaluations and decisions based on existing and preselected data; Reports)
Performance studies – Does this model really allow prudent resource selection?
◦ Behaviour – How does this model behave under various conditions? How will different strategies affect the recommended resources? What are the limitations?
◦ Time series analysis
◦ Correlation analysis
Epistemology studies – How does the knowledge provided manage execution risk? How can Grid client applications make use of the model?
◦ Analytics – statistical analysis in order to discover and understand historical patterns
Cognitive studies – Can we use this model to develop patterns for resource selection? Machine learning? Knowledge management?
Repercussions and merits of the model on Grid computing.
Reputation-Policy Trust Model behaviour - experiment with different test case scenarios.
Deployment on simulation environment.
Scalability and performance of the GREPTrust architecture.
Novel paradigm for managing trust in Grid computing.
◦ Adaptable reputation-policy trust model vs. current Grid reputation models, which offer a single, community-based deterministic reputation algorithm.
◦ The reputation-policy trust model allows fine-grained resource selection based on a trust decision strategy defined by the trusting agent as opposed to the reputation algorithm.
◦ Synergistic TDS: trust decision strategy definition using opinions, sources and rules.
◦ Internal artefacts of the model (TDS, OM and CMP) were proposed in order to support trust data.
Questions/Comments/Suggestions?