agent approaches to security, trust and privacy in pervasive computing anupam joshi...
TRANSCRIPT
Agent approaches to Security, Trust and Privacy in Pervasive
Computing
Agent approaches to Security, Trust and Privacy in Pervasive
Computing
Anupam JoshiAnupam [email protected]
http://www.cs.umbc.edu/~joshi/http://www.cs.umbc.edu/~joshi/
Anupam JoshiAnupam [email protected]
http://www.cs.umbc.edu/~joshi/http://www.cs.umbc.edu/~joshi/
The VisionThe Vision
• Pervasive Computing: a natural extension of the present human computing life style• Using computing technologies will be as natural as
using other non-computing technologies (e.g., pen, paper, and cups)
• Computing services will be available anytime and anywhere.
Pervasive ComputingPervasive
Computing“The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it ” – Mark Weiser
Think: writing, central heating, electric lighting, …
Not: taking your laptop to the beach, or immersing yourself into a virtual reality
Today: Life is Good.Today: Life is Good.
Tomorrow: We Got Problems!Tomorrow: We Got Problems!
The Brave New WorldThe Brave New World
• Devices increasingly more {powerful ^ smaller ^ cheaper}
• People interact daily with hundreds of computing devices (many of them mobile):• Cars• Desktops/Laptops• Cell phones• PDAs• MP3 players• Transportation passes
Computing is becoming pervasiveComputing is becoming pervasive
Securing Data & ServicesSecuring Data & Services
• Security is critical because in many pervasive applications, we interact with agents that are not in our “home” or “office” environment.
• Much of the work in security for distributed systems is not directly applicable to pervasive environments
• Need to build analogs to trust and reputation relationships in human societies
• Need to worry about privacy!
An early policy for agentsAn early policy for agents1 A robot may not injure a human being, or,
through inaction, allow a human being tocome to harm.
2 A robot must obey the orders given it by human beings except where such orders would conflict with the First Law.
3 A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
-- Handbook of Robotics, 56th Edition, 2058 A.D.
On policies, rules and laws
On policies, rules and laws
• The interesting thing about Asimov’s laws were that robots did not always strictly follow them.
• This is a point of departure from more traditional “hard coded” rules like DB access control, and OS file permissions
• For autonomous agents, we need policies that describe “norms of behavior” that they should follow to be good citizens.
• So, it’s natural to worry about issues like• When an agent is governed by multiple policies, how does
it resolve conflicts among them?• How can we define penalties when agents don’t fulfill
their obligations?• How can we relate notions of trust and reputation to
policies?
The Role of OntologiesThe Role of Ontologies
We will require shared ontologies to support this framework
• A common ontology to represent basic concepts: agents, actions, permissions, obligations, prohibitions, delegations, credentials, etc.
• Appropriate shared ontologies to describe classes, properties and roles of people and agents, e.g.,• “any device owned by TimFinin”• “any request from a faculty member at ETZ”
• Ontologies to encode policy rules
ad-hoc networking technologiesad-hoc networking technologies• Ad-hoc networking technologies (e.g. Bluetooth)
• Main characteristics:• Short range• Spontaneous connectivity• Free, at least for now
• Mobile devices• Aware of their neighborhood
• Can discover others in their vicinity• Interact with peers in their neighborhood
• inter-operate and cooperate as needed and as desired• Both information consumers and providers
Ad-hoc mobile technology challenges the traditional Ad-hoc mobile technology challenges the traditional client/server information access modelclient/server information access model
pervasive environment paradigmpervasive environment paradigm• Pervasive Computing Environment
1. Ad-Hoc mobile connectivity• Spontaneous interaction
2. Peers• Service/Information consumers and providers• Autonomous, adaptive, and proactive
3. “Data intensive” “deeply networked” environment• Everyone can exchange information• Data-centric model• Some sources generate “streams” of data, e.g. sensors
Pervasive Computing EnvironmentsPervasive Computing Environments
motivation – conference scenariomotivation – conference scenario
• Smart-room infrastructure and personal devices can assist an ongoing meeting: data exchange, schedulers, etc.
imperfect worldimperfect world• In a perfect world
• everything available and done automatically
• In the real world• Limited resources
• Battery, memory, computation, connection, bandwidth Must live with less than perfect results
• Dumb devices Must explicitly be told What, When, and How
• “Foreign” entities and unknown peers
• So, we really wantSmart, autonomous, dynamic, adaptive, and Smart, autonomous, dynamic, adaptive, and
proactive methods to handle data and services…proactive methods to handle data and services…
Securing Ad-Hoc NetworksSecuring Ad-Hoc Networks
• MANETs underlie much of pervasive computing• They bring to fore interesting problems related
to• Open• Dynamic• Distributed Systems
• Each node is an “independent, autonomous” router
• Has to interact with other nodes, some never seen before. • How do you detect bad guys ?
“Network Level : Good Neighbor”“Network Level : Good Neighbor”• Ad hoc network• Node A sends packet
destined for E, through B.
• B and C make snoop entry (A,E,Ck,B,D,E).
• B and C check for snoop entry.
• Perform Misroute
A
B
C
D
E
“Good Neighbor”“Good Neighbor”• No Broadcast• Hidden terminal• Exposed terminal• DSR vs. AODV• GLOMOSIM
A
B
C
D
E
Intrusion DetectionIntrusion Detection• Behaviors
• Selfish• Malicious
• Detection vs. Reactions• Shunning bad nodes• Cluster Voting
• Incentives (Game Theoretic)• Colluding nodes• Forgiveness
Simulation in GlomoSimSimulation in GlomoSim
• Passive Intrusion Detection• Individual determination• No results forwarding
• Active Intrusion Detection• Cluster Scheme• Voting• Result flooding
GlomoSim SetupGlomoSim Setup
• 16 nodes communication• 4 nodes sources for 2 CBR streams• 2 nodes pair CBR streams
• Mobility 0 – 20 meters/sec• Pause time 0 – 15s• No bad nodes
Simulation ResultsSimulation Results
Preliminary ResultsPreliminary Results
• Passive• False alarm rate > 50%• Throughput rate decrease < 3% additional
• Active• False alarm rate < 30%• Throughput rate decrease ~ 25% additional
challenges – is that all? (1)challenges – is that all? (1)1. Spatio-temporal variation of data and data
sources
• All devices in the neighborhood are potential information providers
• Nothing is fixed• No global catalog• No global routing table• No centralized control
• However, each entity can interact with its neighbors• By advertising / registering its service• By collecting / registering services of others
challenges – is that all? (2)challenges – is that all? (2)
2. Query may be explicit or implicit, but is often known up-front
• Users sometimes ask explicitly• e.g. tell me the nearest restaurant that has vegetarian
menu items
• The system can “guess” likely queries based on declarative information or past behavior• e.g. the user always wants to know the price of IBM stock
challenges – is that all? (3)challenges – is that all? (3)3. Since information sources are not known a priori,
schema translations cannot be done beforehand
• Resource limited devices so hope for common, domain specific ontologies
• Different modes:• Device could interact with only such providers whose schemas
it understands• Device could interact with anyone, and cache the information
in hopes of a translation in the future.• Device could always try to translate itself
• Prior work in Schema Translation, Ongoing work in Ontology Mapping.
challenges – is that all? (4)challenges – is that all? (4)4. Cooperation amongst information sources cannot be
guaranteed
• Device has reliable information, but makes it inaccessible
• Devices provides information, which is unreliable
• Once device shares information, it needs the capability to protect future propagation and changes to that information
challenges – is that all? (5)challenges – is that all? (5)• Need to avoid humans in the loop
• Devices must dynamically "predict" data importance and utility based on the current context
• The key insight: declarative (or inferred) descriptions help• Information needs• Information capability• Constraints
• Resources• Data• Answer fidelity
• Expressive Profiles can capture such descriptions
4. our data management architecture
4. our data management architecture
MoGATUMoGATU
• Design and implementation consists of• Data
• Metadata• Profiles
• Entities• Communication interfaces• Information Providers• Information Consumers• Information Managers
MoGATU – metadataMoGATU – metadata• Metadata representation
• To provide information about• Information providers and consumers,• Data objects, and• Queries and answers
• To describe relationships• To describe restrictions• To reason over the information
Semantic language• DAML+OIL / DAML-S
• http://mogatu.umbc.edu/ont/
MoGATU – profileMoGATU – profile• Profile
• User – preferences, schedule, requirements• Device – constraints, providers, consumers• Data – ownership, restriction, requirements, process model
• Profiles based on BDI models• Beliefs are “facts”
• about user or environment/context• Desires and Intentions
• higher level expressions of beliefs and goals
• Devices “reason” over the BDI profiles • Generate domains of interest and utility functions• Change domains and utility functions based on context
MoGATU – information manager (8)
MoGATU – information manager (8)
• Problems• Not all sources and data are correct/accurate/reliable• No common sense
• Person can evaluate a web site based on how it looks, a computer cannot
• No centralized party that could verify peer reliability or reliability of its data
• Device is reliable, malicious, ignorant or uncooperative
• Distributed Belief• Need to depend on other peers• Evaluate integrity of peers and data based on peer distributed
belief• Detect which peer and what data is accurate• Detect malicious peers
• Incentive model: if A is malicious, it will be excluded from the network…
MoGATU – information manager (9)
MoGATU – information manager (9)
• Distributed Belief Model• Device sends a query to multiple peers
• Ask its vicinity for reputation of untrusted peers that responded to the query
• Trust a device only if trusted before or if enough of trusted peers trust it…
• Use answers from (recommended to be) trusted peers to determine answer
• Update reputation/trust level for all devices that responded• A trust level increases for devices that responded according to
final answer• A trust level decreases for devices that responded in a conflicting
way
• Each devices builds a ring of trust…
A: D, where is Bob?A: C, where is Bob?A: B, where is Bob?
C: A, Bob is at work.
D:A, Bob is home.
B: A, Bob is home.
A:B: Bob at home,C: Bob at work,D: Bob at home
A: I have enoughtrust in D. Whatabout B and C?
A: Do you trust C?
C: I always do.
D: I don’t.
B: I am not sure.
E: I don’t.
F: I do.
A:I don’t care what C says.
I don’t know enough about B, but I trust D, E, and F. Together,
they don’t trust C, so won’t I.
A: Do you trust B?
C: I never do.
D: I am not sure.
B: I do.
E: I do.
F: I am not sure.
A:I don’t care what B says.
I don’t trust C, but I trust D, E, and F. Together,
they trust B a little, so will I.
A: I trust B and D,both say Bob is
home…
A:Increase trust in D.
A:Decrease trust in C.
A:Increase trust in B.
A:Bob is home!
MoGATU – information manager (10)
MoGATU – information manager (10)
• Distributed Belief Model
• Initial Trust Function• Positive, negative, undecided
• Trust Learning Function• Blindly +, Blindly -, F+/S-, S+/F-, F+/F-, S+/S-, Exp
• Trust Weighting Function• Multiplication, cosine
• Accuracy Merging Function• Max, min, average
experimentsexperiments• Primary goal of distributed belief
• Improve query processing accuracy by using trusted sources and trusted data
• Problems• Not all sources and data are correct/accurate/reliable• No centralized party that could verify peer reliability or reliability of its
data• Need to depend on other peers
• No common sense• Person can evaluate a web site based on how it looks, a computer cannot
• Solution• Evaluate integrity of peers and data based on peer distributed belief
• Detect which peer and what data is accurate• Detect malicious peers
• Incentive model: if A is malicious, it will be excluded from the network…
experimentsexperiments• Devices
• Reliable (Share reliable data only)• Malicious (Try to share unreliable data as reliable)• Ignorant (Have unreliable data but believe they are reliable)• Uncooperative (Have reliable data, will not share)
• Model• Device sends a query to multiple peers
• Ask its vicinity for reputation of untrusted peers that responded to the query
• Trust a device only if trusted before or if enough of trusted peers trust it…
• Use answers from (recommended to be) trusted peers to determine answer
• Update reputation/trust level for all devices that responded• A trust level increases for devices that responded according to final answer• A trust level decreases for devices that responded in a conflicting way
experimental environmentexperimental environment• HOW:
• Mogatu and GloMoSim
• Spatio-temporal environment:
• 150 x 150 m2 field• 50 nodes
• Random way-point mobility• AODV• Cache to hold 50% of global knowledge
• Trust-based LRU
• 50 minute each simulation run• 800 questions-tuples
• Each device 100 random unique questions• Each device 100 random unique answers not matching its questions
• Each device initially trusts 3-5 other devices
experimental environment (2)experimental environment (2)• Level of Dishonesty
• 0 – 100%• Dishonest device
• Never provides an honest answer• Honest device
• Best effort
• Initial Trust Function• Positive, negative, undecided
• Trust Learning Function• Blindly +, Blindly -, F+/S-, S+/F-, F+/F-, S+/S-, Exp
• Trust Weighting Function• Multiplication, cosine
• Accuracy Merging Function• Max, min, avg
• Trust and Distrust Convergence• How soon are dishonest devices detected
resultsresults
• Answer Accuracy vs. Trust Learning Functions
• Answer Accuracy vs. Accuracy Merging Functions
• Distrust Convergence vs. Dishonesty Level
Answer Accuracy vs. Trust Learning FunctionsAnswer Accuracy vs. Trust Learning Functions
• The effects of trust learning functions with an initial optimistic trust for environments with varying level of dishonesty.
• The results are shown for ∆++, ∆--, ∆s, ∆f, ∆f+, ∆f-, and ∆exp learning functions.
Answer Accuracy vs. Trust Learning Functions (2)
Answer Accuracy vs. Trust Learning Functions (2)
• The effects of trust learning functions with an initial pessimistic trust for environments with varying level of dishonesty.
• The results are shown for ∆++, ∆--, ∆s, ∆f, ∆f+, ∆f-, and ∆exp learning functions.
Answer Accuracy vs. Accuracy Merging Functions
Answer Accuracy vs. Accuracy Merging Functions
• The effects of accuracy merging functions for environments with varying level of dishonesty. The results are shown for• (a) MIN using only-one (OO) final answer approach• (b) MIN using {\it highest-one} (HO) final answer approach• (c) MAX + OO, (d) MAX + HO, (e) AVG + OO, and (f) AVG + HO.
Distrust Convergence vs. Dishonesty LevelDistrust Convergence vs. Dishonesty Level
• Average distrust convergence period in seconds for environments with varying level of dishonesty.
• The results are shown for ∆++, ∆--, ∆s, and ∆f trust learning functions with an initial optimal trust strategy and for the same functions using an undecided initial trust strategy for results (e-h), respectively.
http://ebiquity.umbc.edu/http://ebiquity.umbc.edu/