July 14th, SAM 2008, Las Vegas, NV
An Ad Hoc Trust Inference Model for Flexible and Controlled Information Sharing
Danfeng (Daphne) Yao
Rutgers University, New Brunswick

Motivation: Hurricane Katrina 2005

Motivation cont’d
Flexible authorization for cross-domain information sharing
– Traditional access control models are too strict
– Motivating scenario: inadequate crisis communication among FEMA & Coast Guard after Hurricane Katrina
Need to efficiently share and utilize data generated in pervasive computing environments
– Sensor data, location, etc.
Challenge: there is no central authority in this decentralized environment
– How does the resource owner adaptively make access control decisions in response to emergency situations?

Decentralized trust management
Digital identity and certificate
Most existing trust management models only work for static access control policies
– Policies are pre-defined and not adaptive to contexts
– Models cannot handle crisis and emergency situations
Our approach: ad hoc trust inference
– Allow the requester to specify emergency level
– Use fuzzy logic to integrate user information
[Figure labels: Request for access; Bob; Is Bob qualified to access DB?; Policies; Bob’s credential; Hospital; University]

Broader implication of dynamic authorization
Useful for flexible information sharing in mission-critical systems
[Figure labels: 0 = Deny, 1 = Allow]
[JASON Report 04] studied the need for a broader access model

Our idea: multimodal authorization
Authorization decisions are made based on multiple factors including the identity, history, environment associated with a request.
A requester is given multiple chances of proving trustworthiness, instead of a type of criteria.

Our ad hoc trust inference model
We introduce the attribute urgency level, which is to be specified by the requester
– Urgency level defines how urgently a requester needs the information
– This attribute is self-claimed by the requester, e.g., urgency level = very high
– Three attribute types: identity type, history type, and environment type
We develop a mechanism that combines various attribute values and outputs a numeric trustworthiness score for the requester
Our design integrates an audit component in trust inference

Input attributes in our trust model

Attribute type      Attribute name         Authentication method   Value range
Identity input      Affiliation            Credential              [0, 1]
History input       Historic performance   n/a                     [0, 1]
Environment input   Urgency level          Audit mechanism         [0, 1]
Inference output    Trustworthiness        n/a                     [0, 1]

How does the resource owner combine these attribute values and obtain the trustworthiness of a requester?

Advantages of ad hoc trust inference with fuzzy logic
Access policies are intrinsically flexible
– Supports continuous access decisions
– More flexible than binary access verdicts
Access rules are intuitive to define
– Rules are individually defined for each attribute
Can handle incomplete and imprecise inputs
– In decentralized environments, resource owners usually do not have complete and precise inputs

An example of a membership function and degrees of membership in fuzzy logic

Earliness(time) = 1,                     if time ≤ 1200
                  (2000 − time) / 800,   if 1200 < time ≤ 2000
                  0,                     if time > 2000

Time of the day   Degree of earliness
09:00             1
14:00             0.75
16:00             0.5
22:00             0

Trust inference steps
Define attributes from which trustworthiness may be inferred
Define the fuzzy variables associated with each attribute
For each fuzzy variable, define a membership function
Define the output membership function for the output variable (i.e., degrees of trustworthiness)
Define fuzzy rules to specify the logic used to infer the trustworthiness score from attributes

Example
Bob from FEMA needs to access US Coast Guard (USCG) database for a rescue task
– Bob has a FEMA credential
– Urgency level = very high
USCG has prior interactions with FEMA
– Affiliation score = high
– History = very high
– USCG has also defined fuzzy membership functions and fuzzy rules
Ad hoc trust inference computation produces a trustworthiness score for Bob’s request
– E.g., trustworthiness = very high
Note that the actual inference is done on crisp inputs and outputs a crisp trust score.
Please refer to the paper for detailed computation.

Architecture

Audit
Urgency level is self-claimed by the requester and may be inaccurate
Audit process identifies cheating users
– A dishonest user may always claim high urgency level
Audit process selectively examines and verifies the urgency levels associated with past requesters
Dishonest users and organizations will have lower trustworthiness in future transactions
– Lower affiliation score
– Lower history score
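
The trust inference steps, the Bob example and the audit effect above can be sketched end to end as follows. This is an added example, not the paper's computation: the membership functions, the rule base, the singleton (zero-order Sugeno) outputs, the `audited_history` helper and all numeric inputs are assumptions chosen for illustration.

```python
# Added illustration. The membership functions, rule base and singleton
# outputs are assumptions for this sketch, not the ones from the paper.

def low(x):
    """Degree to which a crisp value x in [0, 1] is 'low'."""
    return max(0.0, min(1.0, (0.5 - x) / 0.5))

def medium(x):
    """Triangular set peaking at 0.5."""
    return max(0.0, 1.0 - abs(x - 0.5) / 0.5)

def high(x):
    """Degree to which a crisp value x in [0, 1] is 'high'."""
    return max(0.0, min(1.0, (x - 0.5) / 0.5))

# Output variable (trustworthiness) as singletons: zero-order Sugeno style.
OUT = {"low": 0.1, "medium": 0.5, "high": 0.9}

# Fuzzy rules over (affiliation, history, urgency); AND = min, OR = max.
RULES = [
    (lambda a, h, u: min(high(a), high(h)), "high"),
    (lambda a, h, u: min(high(u), high(h)), "high"),  # urgency needs good history
    (lambda a, h, u: max(medium(a), medium(h)), "medium"),
    (lambda a, h, u: low(h), "low"),
    (lambda a, h, u: low(a), "low"),
]

def trust_score(affiliation, history, urgency):
    """Crisp inputs in [0, 1] -> crisp trustworthiness in [0, 1]."""
    for v in (affiliation, history, urgency):
        if not 0.0 <= v <= 1.0:
            raise ValueError("attribute values must lie in [0, 1]")
    fired = [(rule(affiliation, history, urgency), OUT[label])
             for rule, label in RULES]
    total = sum(w for w, _ in fired)
    if total == 0.0:
        return 0.0  # no rule fired: fall back to the lowest score
    return sum(w * out for w, out in fired) / total

def audited_history(history, claimed_urgency, verified_urgency, penalty=0.5):
    """Hypothetical audit update: overstated urgency lowers the history score."""
    overstated = max(0.0, claimed_urgency - verified_urgency)
    return history * (1.0 - penalty * overstated)

if __name__ == "__main__":
    # Constructed values: Bob, then a requester caught overstating urgency.
    print(round(trust_score(0.8, 0.9, 0.95), 3))
    print(round(trust_score(0.8, audited_history(0.8, 1.0, 0.0), 1.0), 3))
```

With these assumed rules, a self-claimed urgency raises the score only when the history score is already high, so a requester whose history was lowered by an audit gains nothing from claiming maximum urgency.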

Conclusions and Future work
Conclusions
– Crisis information sharing requires a flexible trust inference mechanism
– We have presented an ad hoc trust inference framework that allows user-specified context input
Future work
– To automate the audit mechanism by analyzing public and sensory information
– To apply the ad hoc trust inference mechanism to manage trust in Web 2.0 applications

Acknowledgements
Professor James Garnett, Rutgers University Department of Public Policy and Administration
Funding: Rutgers University Computing Coordination Council (CCC) Pervasive Computing Initiative Grant