Specifiying and Analysing Trust for Internet Applications

Transcription

1 Specifiying and Analysing Trust for Internet Applications Tyrone Grandison Morris Sloman Department of Computing Imperial College

2 Contents Trust: what and why Trust and recommendation specification Trust monitoring and consulation Trust analysis Risk service Conclusions and future work 2

3 What is Trust A quantified belief by a trustor with respect to the competence, honesty, security and dependability of a trustee within a specified context Trustor Context: Medical treatment Trustee Trust relationship Distrust useful for trust revocation or in default trusted environments Quantification implies various degrees of trust/distrust Dependability implies timeliness 3

4 Why Specify & Analyse Trust Use trust specification for e-commerce decisions Trust is an important consideration in on-line contract negotiation Trust specifications refined into security policy for authorisation, authentication, encryption etc. Authorisation policy with trust based constraints access control queries trust database Determine trust conflicts and dependencies 4

5 Trust Classification 1. Access to Trustor Resources eg MSN Messenger MyMachine trusts MSNMess to save files Trustor Trustee Trustor Trustee Tom trusts news.com 2. Provision of Service by Trustee eg e-news deliveries, financial advice 3. Delegation of trust eg accountant makes my investment decisions Trustor Trustee Micky delegates all decisions concerning his investments to his financial advisor 4. Certification of trustee eg VeriSign or Brit. Medical Assoc. 5. Infrastructure trust eg trusted computer system, network 5

6 Trust Specification Trust Predicate trust (trustor, trustee, actions, level, ) constraint set trust (Helen, _doctor, heart_diagnosis; operate, 50) is_consultant ( _doctor, NHLI) Distrust when level < 0 Recommend Predicate recommend (recommendor, recomendee, actions, level) constraint set recommend (Morris, J.Bloggs, WebProgram, high) has_degree (J.Bloggs, IC-computing, 2i) 6

7 A Recommendation-based Trust Specification Harry (trustor) Frank (trustee/recommendee) Harry trusts Frank to design his house based on Tom s recommendation Tom recommends Frank at a EXCELLENT level to design a house Tom (recommendor) TR: trust(harry, Frank, design_house(frank), Medium ) recommend(tom, Frank, design_house(frank), EXCELLENT); 7

8 A Trust-based Recommendation George (recommendor) AN-Consult (trustor) George recommends GoodSoft for doing Accounts(_) for anyone if AN-Consult trusts them for their own Accounts at a high level AN-Consult trusts GoodSoft for Accounts GoodSoft (recommendee/trustee) TBR: recommend(george, GoodSoft, Accounts(_), CONFIDENT ) trust(an-consult, GoodSoft, Accounts(AN-Consult), High); 8

9 Trust-based Authorisation Policy type auth+ Access ( domain sub-directory, string TrustValue){ subject Client; target sub-directory; action AccessMusic(); when trust+(frontend, ClientApp, AccessMusic(ContentDatabase), TrustValue ) }; inst auth+ AccessHigh = Access(/BMW/ContentBase, HighTrust); inst auth+ AccessLow = Access(/BMW/ContentBase/Restricted, LowTrust); 9

10 Trust, Experience and Risk Trust is not static but changes with time as a result of experience/reputation Reputation = evaluation of experience Need for 3rd party recommendations c.f. PGP Trust is related to risk and value High risk low trust But high risk, low value may be medium trust Trust framework must monitor experience, risk and constraints in order to dynamically update trust levels and relationships. 10

11 Trust Management The activity of collecting, codifying, analysing and evaluating evidence relating to competence, honesty, security or dependability with the purpose of making assessments and decisions regarding trust relationships for Internet applications ( (adapted from Trust Management for E-Commerce, Josang 2002) Includes: Specification of trust relationships Analysis of trust relationships Monitoring of experience, risk and constraint information Risk information provision and risk calculation. 11

12 The Model SULTAN Trust Management Application updates experience information Systems Administrator Specifies relationships Performs analysis Application updates constraint information Specification Editor Monitoring Service Analysis Tool Risk Service SULTAN Trust Management Suite Application consults SULTAN system 12

13 Trust Management Architecture State Information Specification Server Scenario, experience & risk information Analysis Engine Systems Administrator Monitoring service Risk Service 13

14 Sultan Tools Sultan notation editor Translate to Prolog Prolog analysis queries Hooks to risk and monitoring Service 14

15 Trust Analysis The process of checking specified properties hold. Properties can be defined based on: Source code Actual trust relationships Analysis also includes : Conflict & ambiguity detection Simulation Analysis ( What if questions) Constraint Satisfaction Question (Abductive reasoning) SULTAN Trust Analysis prototype developed in Prolog. The main predicate is the query: query(reqvars, Description, Answer) 15

16 Example Queries Various predefined query templates are provided. Conflict: arises as a result of two assertions of different polarities (positive and negative) with the same action set referring to the same subject and target. query( [T,D], ( p_pos_trust(t), p_neg_trust(d), p_trustor(tr,t), p_trustor(tr, D), p_trustee(te,t), p_trustee(te, D), p_actionset(act, T), p_actionset(act, D) ), Result). Ambiguity (or Redundancy): arises when two assertions, of the same type (trust or recommendation), have the same subject, target and action sets and levels are of the same polarity, but different values. query( [R1,R2], ( neg_rec(r1), neg_rec(r2), R1 \== R2, subject(tr,r1), subject(tr, R2), target(te,r1), target(te, R2), actionset(act, R1), actionset(act, R2), level(l1, R1), level(l2, R2), L1 =\= L2 ), Result). 16

17 Trust Monitoring and Consultation Clients can access the Sultan system via: Consultant Interface Allows an application (e.g. order processing) to query the specifications, state information and risk service via the analysis engine. Consultant Monitor Interface Allows an application ( e.g. invoice payments) to update state information as a result of current transactions. Monitor 17

18 Example Trust Consultations Should I trust target, Y, to do action(s) [at level L (optional) ] Answer: Yes or No + justification Should I recommend target, Y, to do action(s) [at level L (optional) ]? Answer: Yes or No + justification What is my risk in engaging in actions with target Y? Answer: integer (0-100) + justification What has my experience been w.r.t. target Y and action(s)? Answer: Value representing poor, medium, good or excellent + justification 18

19 Risk Service Risk is a probability of an action failing The Risk Model is a hybrid of quantitative and qualitative risk models, augmented by the use of Josang s Opinions and a modified Capital Asset Pricing Model equation. The Risk Service can be asked: about risk information stored by the SULTAN system, or To calculate the risk involved in a transaction. 19

20 Conclusions Trust Specification Trust, recommend SULTAN Specification Editor Trust Analysis SULTAN Analysis Tool Trust Monitoring SULTAN Monitor Trust Consultation SULTAN Consultant Risk Management SULTAN Risk Service 20

21 Future Work Completion of toolset for monitoring, consultation and risk service Case studies Trust refinement to Ponder Trust model and tools for ubiquitous systems and ad-hoc group formation 21