Data and Information Fusion Defence Technology Centre (DIF-DTC)
The project aims to provide a formal, policy-based approach to the management of trust, uncertainty and risk. aToMICS will be integrated into components of a collaborative system, for example a Multi-Agent System developed using the JADE framework, or provided as a trusted service by a concrete middleware. The central benefit is that policies capture the dynamics of trust. Policies can change with observations and over time, thereby accounting for the intuitive subjectivity of the concept, as individuals in the collaboration can define their own policies. The formal, mathematical underpinning provided for policies and their interaction with the system's security mechanisms gives the assurance needed for successful military exploitation.
It is widely accepted that:
"The ability to form multi-organizational networks rapidly is crucial to humanitarian aid, disaster relief, and large urgent projects. Designing and implementing the network's conversation space is the central challenge."
We have seen a move from traditionally isolated and closed environments towards more networked applications in which organisations increasingly share and exchange information. Organisations nowadays cooperate with a very limited number of carefully selected and trusted partners, which has huge security implications for these networked environments. It is anticipated that this trend will continue, leading to open environments in which organisations form ad-hoc collaborations with partners whose long-term intentions are unknown and difficult to predict.
The dynamics of these ad-hoc collaborations and the increased number of partners and information pose two fundamental problems:
The move towards autonomous systems that can, to some degree, participate in collaborations at their own discretion provides a solution, as their agility in adapting and reconfiguring to new, unforeseen conditions overcomes the aforementioned problems. This autonomy, however, leads to entirely new challenges for the security of these systems, which are best addressed by introducing the notion of a trust management system that is intertwined with the system's security mechanisms.
Trust and security are not orthogonal concepts. Some aspects of trust rely heavily on the existence of sound security mechanisms. One example is the adequate protection and handling of the meta-information, e.g. log files, that is associated with trust. Equally, security decisions can also be influenced by trust, as an access control policy may depend on the trust level that the system has in the entities requesting access to secured data. As a result, existing security mechanisms must be able to cope with the dynamics of trust: policies that govern access to resources will change as a result of trust evaluations.
Trust is typically not enough to model the complexity of our decision making within collaborations. We therefore associate trust with a degree of uncertainty, reflecting for example the entity's confidence in the trust evaluation. Trust is therefore denoted by a tuple: trust-level/uncertainty. We also introduce risk as an equally weighted component of the proposed trust management framework. Risk assessment is essential to the decision making, especially when the confidence in the trust assessment is low. Risk assessments allow the trust model to evolve, using experience gained from low-risk interactions to build up trust and confidence for future interactions.
Trust is a fundamental concept in human behaviour, and has governed collaboration between humans and organisations for millennia. The ultimate aim of our research on trust-based systems is to transfer such forms of collaboration to future autonomous systems scenarios. Trust in computing is the attempt to formalise, implement and utilise trust models borrowed from social sciences to govern and control the interactions between a set of autonomous entities in an open environment.
In such an environment, entities are owned by different providers, some of which are benevolent while others have different interests in the overall objective of the system. The interactions between the entities are based on the trust that these entities have in each other, the uncertainty of that assessment and the risk that is involved.
We view the system as a collection of autonomous entities. The trust management system itself is encapsulated within each entity.
The trust management system consists of a trust- and a risk engine that are controlled by policies.
We divide trust into three categories:
Information trust is especially relevant to all command and control (C2) applications and every system that processes intelligence information. A model of trust must be able to provide meta-information that is required to calculate trust-levels. Meta-information could for example be the original source, the access log, versions or the way the information has been communicated.
When exchanging information it is important to clearly define which meta-information can be communicated and which meta-information must be kept secret from other entities. This establishes the link to more traditional mechanisms such as access control and information flow that are dependent on trust evaluations.
Behavioural trust requires a model of the entities' expected behaviours. Trust in an entity is established if its observable behaviours match the expected ones.
To be able to build such a model it is necessary to have prior knowledge of the entity's specification (its expected behaviour). Sources for this are informal interface descriptions or more formal representations such as the semantically marked-up service descriptions employed in service-based computing. One of the key problems, which we will explore, is the incompleteness of these descriptions.
The trust in derived information is not only dependent on the raw information sources, but also on the trust we have in its processing. It is important to define the effect that behavioural trust has on the produced information.
Identity trust deals with the trust that one has in the authenticity of an entity's identity. It can actually be seen as a combination of behavioural trust and information trust, as the credentials the entity presents are information and the mechanism that is used to establish their authenticity is a behaviour.
Uncertainty is a major aspect of our trust model. Trust is constantly re-evaluated based on freshly obtained information and on the communication of trust information with other entities. Ideally trust converges to give an accurate picture of the trustworthiness of information and of other entities' behaviours. However, in any real-world application this is unlikely to happen, as trusted entities that were once benevolent may engage in perceptibly malicious activities, or new trustworthy information may contradict other trusted information.
The concept of uncertainty complements the notion of trust, as it defines a secondary measure that can be used in trust-based decision making. Every trust evaluation is accompanied by an uncertainty assessment, reflecting for example that a specific piece of information is in principle trusted (the trust assessment) but there is not enough evidence to support this trust evaluation (the uncertainty assessment). In this case the information would be trusted, but our confidence in the assessment remains low. The level of uncertainty will change over time and reflects the increase or decrease in the confidence of the trust evaluation.
As with trust, the uncertainty measures of trust evaluations change over time and in response to events. For example, the event of obtaining contradictory information will force a re-evaluation of the uncertainty assessment of the associated trust levels.
Before engaging in an interaction with an unknown entity a decision must be made whether to trust its behaviour and the received information. This decision will take into account the trust-level in the entity's behaviour and the uncertainty of this trust evaluation. An important aspect is the risk assessment of this decision. By risk assessment we mean an assessment of the severity of the decision's consequences.
The importance of including risk in the decision making is that the Trust Management System gains the ability to engage in an interaction that is deemed untrusted or that has a very low confidence rating. Based on its policies it may choose to do so if the risk involved is very low. The experience gained from that interaction can then be used to update the trust/uncertainty values, either to promote this form of interaction in the future or to prevent it.
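The decision and update loop described in the preceding paragraphs, written out as an added Python example; this is not aToMICS code. The trust tuple is the one from the text (trust-level/uncertainty), while the thresholds in Policy, the risk scale in [0, 1] and the exponential-smoothing update rule are assumptions made for illustration.

```python
# Added example (not aToMICS code): a minimal trust/uncertainty/risk decision
# and update loop for the model described above. The thresholds, the policy
# shape and the smoothing update rule are assumptions made for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """The trust tuple from the text: trust-level / uncertainty, both in [0, 1]."""
    level: float        # 1.0 = fully trusted
    uncertainty: float  # 0.0 = fully confident in the level


@dataclass(frozen=True)
class Policy:
    """Assumed per-entity thresholds; each entity may define its own."""
    trust_threshold: float = 0.6       # level required for a confident "engage"
    confidence_threshold: float = 0.5  # max uncertainty for the level to count as reliable
    low_risk: float = 0.2              # risk below which untrusted interactions are explored


def decide(trust: Trust, risk: float, policy: Policy) -> bool:
    """Engage in the interaction? risk is the assumed severity of the consequences in [0, 1]."""
    confident = trust.uncertainty <= policy.confidence_threshold
    if confident:
        return trust.level >= policy.trust_threshold
    # Low confidence: engage only when the consequences are mild, to gain experience.
    return risk <= policy.low_risk


def update(trust: Trust, outcome_ok: bool, rate: float = 0.2) -> Trust:
    """Fold the outcome of one interaction into the tuple (assumed rule).
    Each observation moves the level towards the outcome; consistent evidence
    shrinks uncertainty, while a contradicting outcome raises it again."""
    target = 1.0 if outcome_ok else 0.0
    level = trust.level + rate * (target - trust.level)
    if outcome_ok:
        uncertainty = trust.uncertainty * (1.0 - rate)
    else:
        uncertainty = min(1.0, trust.uncertainty + rate)
    return Trust(round(level, 4), round(uncertainty, 4))


def build_trust(trust: Trust, outcomes: list) -> Trust:
    """Replay a (constructed) sequence of interaction outcomes into the tuple."""
    for ok in outcomes:
        trust = update(trust, ok)
    return trust


if __name__ == "__main__":
    policy = Policy()
    unknown = Trust(level=0.5, uncertainty=0.9)   # new partner: no evidence yet
    print("low-risk exchange, unknown partner:", decide(unknown, 0.1, policy))   # True
    print("high-risk exchange, unknown partner:", decide(unknown, 0.5, policy))  # False
    seasoned = build_trust(unknown, [True, True, True])
    print("after three good low-risk interactions:", seasoned, decide(seasoned, 0.5, policy))  # True
    burned = update(seasoned, False)
    print("after one bad outcome:", burned, decide(burned, 0.5, policy))  # False
```

The point the run makes is the one the text describes: an unknown partner is only engaged for low-risk interactions, three good outcomes drive uncertainty below the confidence threshold so that a higher-risk interaction becomes acceptable on trust alone, and a single bad outcome pushes uncertainty back up and withdraws that permission.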
Provide a sound, unifying and compositional framework for the development of secure and trusted MAS in which security, functionality and temporal aspects are integrated.


The computational model describes the functioning of the Multi-Agent System. The entities that are defined in the computational model are agents, objects and enforcement mechanisms.
Agents are active entities in the MAS that can perform actions to perceive or act upon their environment. They are autonomous, viz. in control of the actions they execute.

Objects are passive entities in the MAS that can be accessed by agents. They represent the shared environment of the agents in the MAS. Objects provide interfaces that define the operations that can be performed on them.
Enforcement Mechanisms link the security model with the computational model. They define what the enforcement of a policy means and how it is implemented. We distinguish between Vigilant Mechanisms, where enforcement is implemented as part of the agent or object, and Security Enforcers, where enforcement is implemented in a central entity that protects the interfaces of a collection of objects.
The focus of the framework is the expression of complex, history-dependent protection requirements such as authorisation, delegation, obligation and integrity in the form of policies. Policies are dynamic, viz. they can change over time and on the occurrence of events.
History Dependent Rules capture protection requirements that are dependent on the past execution of the MAS. An example is the Chinese Wall Policy.
Once a subject has accessed an object, the only other objects accessible by that subject are within the same company data-set or within a different conflict of interest class.
allow (S,O,A) when T: exists x in objects : {
(sometime done(S,x,access)) and dataset(O) = dataset(x) },
allow (S,O,A) when T: exists x in objects : {
(sometime done(S,x,access)) and (always not(ciclass(O)=ciclass(x))) }
Policy Composition is used to express security requirements that apply only to a certain situation. For example, the policy that is enforced at airports depends on the national terrorist threat level.
policy low-threat : /* ... */ end
policy high-threat : /* ... */ end
policy composition :
repeat ( (unless done(S,system,alert): low-threat) ;
(unless done(S,system,resetalert): high-threat) )
end
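Both policies above, the history-dependent Chinese Wall rule and the threat-level composition, evaluated by a small added Python history-dependent policy evaluator. This is not SANTA or SPAT code: the object catalogue with its data-sets and conflict-of-interest classes, the subjects, the clearance list used to give the elided low-threat and high-threat policies a body, and the request trace are all constructed for the example. The "different conflict of interest class" branch is checked against every object the subject has previously accessed, as the prose rule states.

```python
# Added example (not SANTA/SPAT code): a small history-dependent policy
# evaluator in plain Python. The object metadata, subjects, event names and
# the clearance list are constructed for the example; the rule shapes follow
# the Chinese Wall and threat-level policies quoted above.
from dataclasses import dataclass, field

# Constructed object catalogue: object -> (company data-set, conflict-of-interest class)
OBJECTS = {
    "bankA-report": ("bankA", "banking"),
    "bankA-memo":   ("bankA", "banking"),
    "bankB-report": ("bankB", "banking"),
    "oilC-report":  ("oilC", "oil"),
}
CLEARED = {"alice"}  # constructed: subjects permitted to act under high-threat


def dataset(obj: str) -> str:
    return OBJECTS[obj][0]


def ciclass(obj: str) -> str:
    return OBJECTS[obj][1]


@dataclass
class History:
    """The MAS execution history as a list of done(S, O, A) events."""
    events: list = field(default_factory=list)

    def done(self, s: str, o: str, a: str) -> None:
        self.events.append((s, o, a))

    def accessed_by(self, s: str) -> list:
        """Objects O with sometime done(S, O, access)."""
        return [o for (s2, o, a) in self.events if s2 == s and a == "access"]


def chinese_wall_allows(hist: History, s: str, o: str) -> bool:
    """Once S has accessed anything, O must lie in the same data-set as an
    accessed object or in a conflict class different from every accessed object."""
    prior = hist.accessed_by(s)
    if not prior:
        return True  # no history yet: the first access is unconstrained
    same_dataset = any(dataset(o) == dataset(x) for x in prior)
    different_class = all(ciclass(o) != ciclass(x) for x in prior)
    return same_dataset or different_class


def active_policy(hist: History) -> str:
    """Policy composition: low-threat applies unless an alert has been done,
    then high-threat applies until a resetalert, repeating; replayed from history."""
    active = "low-threat"
    for (_, o, a) in hist.events:
        if o == "system" and a == "alert":
            active = "high-threat"
        elif o == "system" and a == "resetalert":
            active = "low-threat"
    return active


def threat_allows(hist: History, s: str) -> bool:
    """Constructed bodies for the two elided policies: under low-threat anyone
    may act, under high-threat only cleared subjects."""
    return active_policy(hist) == "low-threat" or s in CLEARED


def authorise(hist: History, s: str, o: str, a: str) -> bool:
    """Evaluate both rules against the history; only allowed actions become history."""
    allowed = chinese_wall_allows(hist, s, o) and threat_allows(hist, s)
    if allowed:
        hist.done(s, o, a)
    return allowed


def scenario() -> list:
    """Constructed trace of requests; returns the sequence of decisions."""
    h = History()
    r = [authorise(h, "bob", "bankA-report", "access")]      # True: first access
    r.append(authorise(h, "bob", "bankB-report", "access"))  # False: same class, other data-set
    r.append(authorise(h, "bob", "bankA-memo", "access"))    # True: same data-set
    r.append(authorise(h, "bob", "oilC-report", "access"))   # True: different class from all prior
    h.done("ops", "system", "alert")                         # threat level raised
    r.append(authorise(h, "bob", "bankA-memo", "access"))    # False: bob is not cleared
    r.append(authorise(h, "alice", "oilC-report", "access")) # True: alice is cleared
    h.done("ops", "system", "resetalert")                    # threat level lowered
    r.append(authorise(h, "bob", "bankA-memo", "access"))    # True: low-threat again
    return r


if __name__ == "__main__":
    print(scenario())  # [True, False, True, True, False, True, True]
```

Two design points carry over from the SANTA policies: denied requests are not recorded, so they cannot widen or narrow the subject's wall, and the active threat policy is derived by replaying the system events in order rather than kept as separately mutable state, which is what makes the composition's behaviour a function of the history alone.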
To ease the writing of the specification, linguistic support for the expression of the system's functional and security requirements is provided in the form of the SANTA language. SANTA has a specification-oriented semantics in Interval Temporal Logic that allows one to reason about properties of the MAS.
SANTA is a wide-spectrum language, viz. the MAS can be expressed at different levels of abstraction. During development, design decisions are made that move from the abstract specification towards a concrete implementation. The refinement rules used to make these design decisions are provably correct, ensuring that the implementation does not violate its original specification.
Tool support for the analysis of the program at specification and implementation level is provided. The tools use a logic-based approach for the validation of the system's functional, security and temporal requirements. SPAT (Security Policy Analysis Tool) allows policies to be animated in order to validate the initial protection requirements. SPAT is part of the SANTA workbench.