IN THE NAME OF GOD Gholamali Naderian MD Isfahan University Of Medical Sciences Feiz Eye Center.
Generic Reliability Trust Model Glenn Mahoney Wendy Myrvold Gholamali (Ali) Shoja Department of...
-
Upload
corey-dean -
Category
Documents
-
view
215 -
download
0
Transcript of Generic Reliability Trust Model Glenn Mahoney Wendy Myrvold Gholamali (Ali) Shoja Department of...
Generic Reliability Trust Model
Glenn MahoneyWendy Myrvold
Gholamali (Ali) Shoja
Department of Computer Science, University of Victoria
Email: {gmahoney,wendym,gshoja}@cs.uvic.ca
Presented at:Third Annual Conference on Privacy, Security and
Trust (PST’05) St. Andrews, New Brunswick
October 12-14, 2005
Generic Reliability Trust Model, Glenn Mahoney, PST'05
2
Agenda
Problem and Background– Abstract computational trust model
Generic Reliability Trust Model– Definition– Metric– Algorithms– Experimental results– Comparison to other trust models.
Conclusion
Generic Reliability Trust Model, Glenn Mahoney, PST'05
3
Problem…
Just because your connection is secure, it doesn’t mean you can trust who you are connected to.
(Channel) security ≠ trust
Generic Reliability Trust Model, Glenn Mahoney, PST'05
4
Problem: (Lack of) Trust in Networks
•Economic activity involving– operations on digital objects,– network-mediated interactions between
digital entities.
•Trust as a prerequisite for value-based interaction.
•Limited and/or application-specific capabilities for automated handling of trust.
•Security trust.
Generic Reliability Trust Model, Glenn Mahoney, PST'05
5
Example: eBay
• An effectively anonymous community of ad-hoc buyers and sellers.
• Created in 1995; by 2002 had:– 61.7 million registered users, – 638 million listed items, – facilitated $14.9 billion dollars (US) in gross
sales.
``The key to eBay's success is trust. Trust between the buyers and sellers who make up the eBay community. And trust between the user and
eBay, the company.'' -- eBay Web Site
Generic Reliability Trust Model, Glenn Mahoney, PST'05
6
Alice
Tom
Sally
Fred
Sue
Bob
Network
M1M2
Channel
Goal: create a generalized, decentralized, application-independent trust reasoning capability for use in ad-hoc, network-mediated environments -- a simulant useful for trust-related decisions.
Distributed entities exchanging Distributed entities exchanging messages.messages.
Practical goal: Computational Trust (not human trust)
Generic Reliability Trust Model, Glenn Mahoney, PST'05
7
Abstract Trust ModelEntities Subjects of trust.
Trust ValueSome quantification or measure of assertions/beliefs, and value result of metrics; e.g. boolean, real, discrete, probability.
Roots of Trust
Irreducible beliefs; assumptions made by all entities about whom to trust.
Direct Trust Localized belief about others; asymmetric.
Indirect Trust
Subjective belief derived from the beliefs of others; conditional transitivity.
Subject-matter
“A trusts B” is shorthand for “A trusts B about X under certain conditions”.
Trust Metric
Defines how a to calculate some trust value based on direct and indirect trust (evidence); typically chain-of-proof, arithmetic, or probabilistic.
Generic Reliability Trust Model, Glenn Mahoney, PST'05
8
The Generic Reliability Trust Model (GRTM)
•Definition•Metric•Algorithms
Generic Reliability Trust Model, Glenn Mahoney, PST'05
9
Reliability
Reliability theory is the study of the performance of a system of failure-prone elements.
Given the graph G=( V(G), E(G) ), where pe is the probability that edge e is operational,
Rel(G) =
loperationaisS
GES SGEee
See pp
);( )(
)1(
Generic Reliability Trust Model, Glenn Mahoney, PST'05
10
Trust Graph
A trust graph is a labeled digraph G=( V(G), E(G) )V(G) represents the entitiesE(G) represents statements or beliefs
Each arc e=(u,v) in E(G) represents a trust statement or belief by u about v, and has a label <l,c>:
l 0 is a trust level (generally, amount of indirect trust)c is a confidence value, c [0,1]ce = pe is the probability of operation of this arc/link.
A trust metric defines the operational criteria -- what edges are required for any trust to exist.
The reliability model is used to calculate a value:
Trust(G) = Rel(G)
Generic Reliability Trust Model, Glenn Mahoney, PST'05
11
Example Trust Graph
Alice trusts Sally with a confidence of 0.8, and at the level 2, etc.
Assumes common subject matter.Need something more to say whether
Alice trusts Bob.
2,.8
Alice
Sally
Tom
Bob
Sue
2,.80,.8
1,.8
0,.8
0,.8
Generic Reliability Trust Model, Glenn Mahoney, PST'05
12
Generalized Operational Criteria
Can also represent a trust graph as a set of statements:
• The derived statement for the arc e=(u,v) with label <l,c> is <u,v,l>
• There are transitivity rules R for derived statements given a trust graph G and vertices s (source) and t (target or sink).
A state S in E(G) is operational iff the derived statement <s,t,0> exists in the reflexive, transitive closure of S, under R.
Generic Reliability Trust Model, Glenn Mahoney, PST'05
13
Hop-count Limited Transitive Trust (HLTT)
Let i>0, j ≥ 0, and k=min(i-1, j),If <u,v,i> and <v,x,j> are derived statements
then <u,x,k> is a derived statement.
E.g. Given <Alice,Tom,1> and <Tom,Bob,0> then <Alice,Bob,0>.
Generic Reliability Trust Model, Glenn Mahoney, PST'05
14
Example
The HLTT transitivity rule produces the following minimal operational states for trust from Alice to Bob: S1 = { (Alice,Sally), (Sally,Sue), (Sue,Bob) } S2 = { (Alice,Tom), (Tom,Bob) }
2
Alice
Sally
Tom
Bob
Sue
20
1
0
0
Generic Reliability Trust Model, Glenn Mahoney, PST'05
15
Exact Algorithms
Inclusion-exclusion: First, find all possible operational states T, k=|T|.– Exponential in time and memory
Then, calculate probability using inclusion-exclusion.– Enumerate all 2k-1 subsets, alternately add and subtract
product of probabilities of the union of arcs in the k-subsets
Factoring:Recursively simplify the graph G:
Rel(G) = peRel(G * e) + (1-pe)Rel(G - e);– Still enumerates 2k-1 subsets (worst-case), but does not
require pre-generation of operational states
All exact methods are #P-complete
Generic Reliability Trust Model, Glenn Mahoney, PST'05
16
Example
Recall,S1 ={ (Alice, Sally), (Sally, Sue), (Sue,
Bob) }S2 ={ (Alice, Tom), (Tom, Bob) }
Assume pe is 0.8,
Trust(G,HLTT,Alice,Bob) is= Pr(S1) + Pr(S2) - Pr(S1 S2)
= .512 + .64 - .327 = .824
Generic Reliability Trust Model, Glenn Mahoney, PST'05
17
Approximation
Use the inclusion-exclusion approach but truncate the computation:
During search phase -– Discard candidate operational states if probability product falls
below some threshold or maximum time limit reached.– Stop if a single operational state exceeds minimum desired
confidence.
After search phase -– Prune operational states to some maximum number before
performing inclusion-exclusion.
During inclusion-exclusion phase -– Stop if lower-bound meets the desired confidence.
The result will be less-or-equal to exact result.
Generic Reliability Trust Model, Glenn Mahoney, PST'05
18
SimulatedTrust Graph Data
0
20
40
60
80
100
120
140
0 200 400 600 800 1000
expe
cted
# ve
rtices
degree
RPLG (n=1000, a=0.7, b=0.8)• Straightforward representation in XML using the semantics of Graph eXchange Language (GXL).
<node id=“Alice"/><edge from=“Alice"
to=“Sally">
• Generate graph data using a random power law (RPLG):
– Generate desired number of vertices
– Randomly generate arcs between vertices such that the probability there exists some vertex of degree k is roughly
Prob(degree k) ~ k- – where = 0.7 and = 0.8 .
Generic Reliability Trust Model, Glenn Mahoney, PST'05
19
Performance of Approximation
0
10
20
30
40
50
60
70
80
90
100
0 500 1000 1500 2000 2500 3000 3500 4000 4500 5000
ela
pse
d (
se
c)
vertices
Heuristic Performance
early-discard
soln-reduction
late-lower-bound
combination
Generic Reliability Trust Model, Glenn Mahoney, PST'05
20
ComparisonGRTM+ HLTT
Mahoney Decentralized, probabilistic metric, generalized subject-matter, belief statements.
X.509 PKI IETF Centralized, chain-of-proof metric; restrictive subject-matter of identity authentication; digital certificates.
PGP Zimmerman, et.al.
Decentralized, chain-of-proof metric; restrictive subject-matter of public key authentication; digital certificates.
Trust Management
Blaze, Feigenbaum, Lacy
Partially decentralized, chain-of-proof metric; subject-matter focus on access control and delegation; digital certificates.
Distributed Trust
Abdul-Rahman, Hailes
Decentralized model; arithmetic trust metric; exchange of recommendations; some subject-matter flexibility.
Network Flow
Levien, Aiken
Generalized model; network-flow metric test for chain-of-proof sufficiency; generalized certificates.
Bayesian Network
Wang, Vassileva
Generalized model; arithmetic trust metric; subject-matter flexibility and adaptation using Bayesian networks.
Maurer Confidence Valuation
Maurer Somewhat generalized; probabilistic trust metric; restrictive subject-matter of a certificate chain-of-proof system evaluation.
Generic Reliability Trust Model, Glenn Mahoney, PST'05
21
Conclusion
Generic Reliability Trust Model, Glenn Mahoney, PST'05
22
Summary of Results
•New trust model: Generic reliability trust model (GRTM)
– Appling reliability model to solve problem of computational trust
•New trust metric: Hop-count limited transitive trust (HLTT)
•Practical approximation•Trust graph simulation as a scale-free
network:– Random power-law graphs (RPLG) – XML/GXL representation
Generic Reliability Trust Model, Glenn Mahoney, PST'05
23
Potential Application Areas
•eCommerce•Reputation systems•Agent-Based Systems (Social Agents)•Delegated Rights•Computer-based collaboration•Distributed resource management /
Grids•Ad-hoc networking
Generic Reliability Trust Model, Glenn Mahoney, PST'05
24
Future Research
•Use GRTM+HLTT within some application•Trust model quality measure?•Improve approximation techniques•Use of multiple subject-matters•Distrust?•Standardized representation and
exchange protocol•Trust establishment in ad-hoc networks
Generic Reliability Trust Model
Glenn MahoneyWendy Myrvold
Gholamali (Ali) Shoja
Department of Computer Science, University of Victoria
Email: {gmahoney,wendym,gshoja}@cs.uvic.ca
Presented at:Third Annual Conference on Privacy, Security and
Trust (PST’05) St. Andrews, New Brunswick
October 12-14, 2005
Generic Reliability Trust Model, Glenn Mahoney, PST'05
26
additional material
Generic Reliability Trust Model, Glenn Mahoney, PST'05
27
Trust Definition (informal)
Trust is one's reasonable expectation of a positive outcome in a situation where there is less than full control over the actions
of the participants.
Generic Reliability Trust Model, Glenn Mahoney, PST'05
28
References
[colbourn87] Colbourn, C. “The Combinatorics or Network Reliability”, Oxford University Press, 1987
Generic Reliability Trust Model, Glenn Mahoney, PST'05
29
Network Reliability…
“…is some measure of the ability of a network to carry out a desired network
operation.”[colbourn87]
Operational Criterion is the distinguishing feature of different metrics
Probability of “operation” of the arc e.
Generic Reliability Trust Model, Glenn Mahoney, PST'05
30
An example of 2-terminal reliability
RelAlice,Bob = Prob( any path from Alice to Bob )= 1-Prob( all paths failed )= 1 – (1 - .81)(1 - .81)= .9639
.9
Alice
Sally
Bob
Tom
.9 .9
.9
Jeff
.9
Generic Reliability Trust Model, Glenn Mahoney, PST'05
31
XML/GXL Representation<gxl>
<graph id="PowerLaw_10_09:31:48 (MCVs)"><attr name="Model">
<string>MCVs</string></attr><attr name="Note">
<string>Power law random graph, size 10, alph=0.7, beta=0.8, maxLevel=4, fixed conf=0.8, generated Thu Apr 22 09:31:48 PDT 2004 by models.algo.GraphGen
</string></attr><node id="V1"/><node id="V3"/>…<edge from="V1" to="V3">
<attr name="Level"><int>4</int>
</attr><attr name="Confidence">
<float>0.8</float></attr>
</edge>…
</gxl>
Generic Reliability Trust Model, Glenn Mahoney, PST'05
32
Implementation Verification
• Three types of input data sets:– Manually created examples.– Generated complete graphs.– Generated RPLGs.
• Compare results:– Two exact algorithms.– Manual calculations.– Examples in Maurer's paper.– 2-terminal reliability– Setting approximation parameters to product
exact result.
• Inspect debug/trace output.
Generic Reliability Trust Model, Glenn Mahoney, PST'05
33
Verification Example: D.Shier
Example from section 4.1 of D.Shier,"Network Reliability and Algebraic Structures",1991.
4 pathsets: {(s,a),(a,t)}{(s,a),(a,b),(b,c),(c,t)}{(s,b),(b,c),(c,t)}{(s,b),(b,c),(c,a),(a,t)} p=0.6, Rel(s,t)=0.53971
D:\gmahoney\projects\UVic\trust_modeling\source>java dtrust.maintest runverify
Generic Reliability Trust Model, Glenn Mahoney, PST'05
34
Verification Example: D.Shier (2)
************************* Test Run #1*************************runTest: model=null, options= s t -uprob comb -noapprox -maxloop -1 -nosubsetrrunTest: inputdata=testcases\MCVs\shier_example_4_1.xmlrunTest: graph note=Example take from section 4.1 of D.Shier,"Network Reliability and Algebraic
Structures",1991.4 pathsets: {(s,a),(a,t)}{(s,a),(a,b),(b,c),(c,t)}{(s,b),(b,c),(c,t)}{(s,b),(b,c),(c,a),(a,t)} p=0.6, Rel(s,t)=0.53971runTest: graph Shier Example 4.1 vertices=5 arcs=7runTest: start calculation...
...calculation completed; result=[TrustMetricBasic: conf=0.539712, local=s, remote=t, subject=ID, model=MCVs]
algorithm results: time Fri Dec 10 14:52:00 PST 2004 datafile testcases\MCVs\shier_example_4_1.xml graph id Shier Example 4.1 vertices 5 arcs 7 completed Exhaustive support search with Uprobability using ksubset
generation allow approx(p) false
total loops 44 elapsed(ms) 60 Memory usage summary: max 282344 average 261256 - Exhaustive Search counters - MSS count 4 elapsed(support) 10 elapsed(prob) 10 loops(support) 12 loops(prob) 32 dropped subsets 0 total elements 13 elements reduced 0 uprob type ksubset generation - MCVs Exhaustive counters - num minpath 4 num MSS 4 loop count(path) 12 ******************************* End of Test Run #1*******************************
************************* Test Run #2*************************runTest: model=null, options= s t -noapproxrunTest: inputdata=testcases\MCVs\shier_example_4_1.xmlrunTest: graph note=Example take from section 4.1 of D.Shier,"Network Reliability and
Algebraic Structures",1991.4 pathsets: {(s,a),(a,t)}{(s,a),(a,b),(b,c),(c,t)}{(s,b),(b,c),(c,t)}{(s,b),(b,c),(c,a),(a,t)} p=0.6,
Rel(s,t)=0.53971runTest: graph Shier Example 4.1 vertices=5 arcs=7runTest: start calculation...
...calculation completed; result=[TrustMetricBasic: conf=0.539712, local=s, remote=t, subject=ID, model=MCVs]
algorithm results: time Fri Dec 10 14:52:00 PST 2004 datafile testcases\MCVs\shier_example_4_1.xml graph id Shier Example 4.1 vertices 5 arcs 7 completed Factoring calculation successful. allow approx(p) false total loops 49 elapsed(ms) 30 - Factoring counters - selection method random - MCVs Model counters - generic 0 supportExists 98 - MCVs Transitivity counters - full passes 25 inner loops 471
******************************* End of Test Run #2*******************************
Generic Reliability Trust Model, Glenn Mahoney, PST'05
35
General Characteristics of Potential Application
•Value-based interaction,•Involving human proxies or digital agents,•Using open, distributed, or ad-hoc
architectures,•Require flexibility and maximization of the
number of potential interactors,•Desire to leverage pools of local or private
knowledge,•High-control, high-security solutions are
inappropriate.
Generic Reliability Trust Model, Glenn Mahoney, PST'05
36
Inclusion-Exclusion Example: Sets
E3
E2E1
E2&E3
E1&
E2
E1&E3
E1&E2&E3
From set theory;|E1E2E3| = |E1| + |E2| + |E3|
- |E1E2| - | E1E3| - |E2E3| + |E1 E2 E3|
Generic Reliability Trust Model, Glenn Mahoney, PST'05
37
Inclusion-Exclusion applied to operational probabilities
Another way to derive the inclusion-exclusion algorithm:
Generic Reliability Trust Model, Glenn Mahoney, PST'05
38
Factoring ExampleAlice
Sally
Tom
BobREL(G)= 0.9 REL(G dot {Alice,Tom}) + 0.1 REL( G - {Alice,Tom})
0.9 0.981 0.1 0.810.8829 0.080.9639
REL(G dot {Alice,Tom}) 0.9 REL(G dot {Tom,Bob} + 0.1 REL(G - {Tom,Bob})0.9 1 0.1 0.810.9 0.08
0.981
REL(G - {Tom,Bob}) 0.9 REL(G dot {Alice,Sally}) + 0.1 REL(G - {Alice,Sally})0.9 0.9 0.1 0
0.81
REL(G dot {Alice,Sally}) 0.9 REL(G dot {Sally,Bob}) + 0.1 REL(G-{Sally,Bob})0.9 1 0.1 00.9
REL(G - {Alice,Tom}) 0.9 REL(G dot {Tom,Bob}) + 0.1 REL(G - {Tom,Bob})0.9 0.81 0.1 0.81
0.729 0.080.81
REL(G dot {Tom,Bob}) 0.9 REL(G dot {Alice,Sally}) + 0.1 REL(G - {Alice,Sally})0.9 0.9 0.1 0
0.81
REL(G dot {Alice,Sally}) 0.9 REL(G dot {Sally,Bob}) + 0.1 REL(G - {Alice,Sally})0.9 1 0.1 00.9
REL(G - {Tom,Bob}) 0.9 REL(G dot {Alice,Sally}) + 0.1 REL(G - {Alice,Sally})0.9 0.9 0.1 0
0.81
REL(G dot {Alice,Sally}) 0.9 REL(G dot {Sally,Bob}) + 0.1 REL(G - {Sally,Bob})0.9 1 0.1 00.9
Sally
Alice,Tom
Bob
Sally
Alice,Tom
Bob
Alice,Tom,SallyBob
AliceSally
Tom
Bob
Alice
Sally
Tom,Bob
Alice,SallyTom,Bob
AliceSally
Tom
Bob
Alice,Sally
Tom
Bob
Generic Reliability Trust Model, Glenn Mahoney, PST'05
39
Primary Graph Reductions• Irrelevant – do not contribute to any operational state;
remove• Series – sequence of edges are required simultaneously;
combine with axiom of probability: P(AB) = P(A)P(B)
• Parallel – network is operational if any of these edges are operational; combine with axiom of probability:
P(AB) = P(A) + P(B) – P(AB)
.81
.81Alice Bob
Alice Bob.9639
Sequential reduction
Parallel reduction
Generic Reliability Trust Model, Glenn Mahoney, PST'05
40
Related Research Projects
Project Institutions Lead Researchers
KeyNote Yale University, Columbia University, AT&T Research Labs
Joan Feigenbaum, Matt Blaze
STRONGMAN University of Pennsylvania, Columbia University
Angelos Keromytis, Michael Greenwald
PeerTrust Georgia Institute of Technology
Ling Liu
P-Grid Swiss Federal Institute of Technology
Karl Aberer
Social Agents, ACORN
National Research Council Steve Marsh