STRL









Trust Management Systems in Network of Networks

The STRL is leading the NATO-funded project (through their Security through Science call) "Trust Management Systems in Network of Networks". The collaborating institutes are the Institute of Informatics, Macedonia and the University of Maryland, USA.

Introduction

A 'Network of Networks' (NoN) provides new emerging services to its users, in addition to the services provided by its component networks. The entities of an NoN are largely autonomous, decentralised, mobile and dynamically configurable, and are capable of operating under partial information. In addition, each entity will in general be an existing (legacy) network, comprising hardware and software, each potentially under separate management and ownership.

One of the key challenges in the development of an NoN is the need to increase dependability in the integrated system by protecting its secrecy, integrity and availability whilst allowing its constituents to evolve. Traditional security mechanisms have severe limitations in this setting, as they are often too weak or so stringent that they impose an unacceptable burden on the effectiveness and flexibility of the infrastructure. Trust management systems, where security-critical decisions are made based on trust policies and their deployment in the presence of partial knowledge, have an important role to play in the development of dependable NoNs.

The proposed project therefore aims to develop efficient and practical means for composing a trusted NoN from a set of largely autonomous networks. An architecture for the enforcement of trust policies will be given, together with supporting tools to complement the SANTA workbench which has resulted from our current work.

The project aims to develop a sound approach to the design and continual enforcement of trust policies in an evolvable NoN. The evolution of an NoN is seen at two levels. An NoN may evolve as a system by, for example, adding or removing one or more of its constituent networks. On the other hand, a constituent of an NoN may evolve independently - adding/removing functionalities, altering trust policies, etc.

The following research dimensions provide the intellectual foundation for an evolving set of Work Packages with which our research programme is organised and monitored: (a) modelling; (b) compositionality; (c) architecture & design; (d) validation & assessment; (e) tool support and (f) proof-of-concept. The proposed project has the following specific Work Packages.

WP1: Sound and Compositional Model for Trust

Although our notion of trusted entity is intended to cover only computing entities - even though of variable nature, spanning from soft to hard devices of all sorts - familiarity with trust models from the social sciences is a good starting point in the quest for a foundational, comprehensive formal model of trust. For example, work on trust in domains like sociology, psychology, management, economics, and political sciences provides a conceptual classification of trust: disposition, when an entity A is naturally inclined to trust; situation, when A trusts a particular scenario; structure, when A trusts impersonally the structure B is part of; belief, when A believes B is trustworthy; intention, when A is willing to depend on B; behaviour, when A voluntarily depends on B. Orthogonally, the notion of trustee is classified in categories, the most relevant of which capture that B is trusted because of its competence, benevolence, integrity, or predictability.

We believe that a good mathematical model of computational trust should be capable of expressing these aspects, as well as further notions of primary relevance in NoN, e.g. that trust information is time dependent and, in general, varies rapidly. Also, it should be sufficiently general to allow complex structures representing combinations of different types of trust.

We shall take the view that trust involves entities (or principals), has a degree, is based on observations and ultimately determines the interaction among entities. Our model will target these aspects primarily. We assume a set T of trust values whose elements represent degrees of trust. These can be simple values, such as {trusted, distrusted}, or structured values, e.g. pairs where the first element represents an action, say access to a file, and the second is a trust level associated with that action; or perhaps vectors whose elements represent benevolence in different situations. As trust varies with experience, a model should be capable of dealing with observations resulting from the principal's interaction with the environment. For clarity, we will isolate the principal's trust management from the rest of its behaviour, and think of each principal as having a "module" containing all its trust management operations and data.

We shall therefore view a principal's trust as being defined by a policy. According to this view, each principal has a local policy which contributes by way of delegation to form the global trust. A policy expresses how the principal computes trust information given not just its own beliefs, but also other principals' beliefs.

The notion of uncertainty of trust values will also be introduced. True to the NoN scenario, we thus account for the fact that principals may have only a partial knowledge of their surroundings and, therefore, of other principals' trust policies. We shall address this by considering approximate trust values which embody a level of uncertainty as to which value we are actually presented with. Specifically, besides the usual trust value ordering, we will explore equipping trust values with a trust information ordering. While the former measures the degree of trustworthiness, the latter measures the degree of uncertainty present in our trust information, that is, its information content.

Tasks

  • T1.1 Trust and information structures and ordering
  • T1.2 Specification-oriented model for trust and its reasoning engine.
  • T1.3 Add uncertainty dimension within trust and information structures.

WP2: Trust Management Engines

We think of the standard deployment of a trust management system as consisting of a "trust engine" and a "risk engine" coupled together as part of a principal.

The trust engine is responsible for

  • updating trust information based on direct and indirect observations or evidence, and
  • providing trust information to the risk engine as input to its procedures for handling requests.

The risk engine will feed back information on principals' behaviours as updating input to the trust engine.

For this purpose we shall maintain two distinct order structures on trust values, a trust ordering and an information ordering:

  • The trust ordering represents the degree of dependability, with a least element representing absolute distrust, and a greatest element representing absolute trust.
  • The information ordering represents the degree of precision of trust information, with a least element representing no knowledge and a greatest element representing certainty.

Abstracting over this point of view, we single out as central issues for our trust model the aspects of trust formation, evolution, and propagation. The latter is particularly important in our intended application domain, where the set of active principals is so large and open-ended that centralised trust and ad-hoc methods of propagation of its variations make absolutely no sense. An important propagation mechanism is delegation, whereby principals cooperate to implement complex, intertwined "global" trusting schemes. For example, bank B may be willing to trust client C to an overdraft limit X only if bank B' trusts C at least up to 80%, and C itself does not trust D, a crook known to B. Delegation has important consequences for trust representation, because it brings forward the idea of a trust policy, i.e. algorithmic rules - such as bank B's above - to evaluate trust requests.
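The two orderings, approximate trust values and the bank B delegation policy described above can be made concrete as follows. This is an added example, not code or notation from the project: it assumes trust values are intervals (lo, hi) within [0, 1], which is only one possible instantiation of the set T. All function names are hypothetical, the sample observations are constructed, and the 0.5 cut-off for "C does not trust D" is an assumption (the 80% threshold is from the text).

```python
# Added illustration, not the project's model: a trust value is an interval
# (lo, hi) within [0, 1]; a narrower interval carries more information.
UNKNOWN = (0.0, 1.0)  # "no knowledge": least element of the information ordering

def trust_leq(a, b):
    """Trust ordering: b is at least as trustworthy as a."""
    return a[0] <= b[0] and a[1] <= b[1]

def info_leq(a, b):
    """Information ordering: b is at least as precise as a (b lies inside a)."""
    return a[0] <= b[0] and b[1] <= a[1]

def at_least(v, t):
    """Three-valued test 'v >= t': True, False, or None if v is too imprecise."""
    return True if v[0] >= t else False if v[1] < t else None

def both(p, q):
    """Kleene conjunction over True / False / None."""
    if p is False or q is False:
        return False
    return None if p is None or q is None else True

def negate(p):
    return None if p is None else not p

def as_trust(p):
    """Map a three-valued decision back to a trust interval."""
    return {True: (1.0, 1.0), False: (0.0, 0.0), None: UNKNOWN}[p]

def evaluate(policies, max_rounds=50):
    """Start from UNKNOWN everywhere and re-run every policy until stable."""
    state = {key: UNKNOWN for key in policies}
    for _ in range(max_rounds):
        new = {key: policy(state) for key, policy in policies.items()}
        if not all(info_leq(state[k], new[k]) for k in new):
            raise ValueError("policy is not information-monotone")
        if new == state:
            return state
        state = new
    raise RuntimeError("no fixed point reached")

def bank_policies(bprime_on_c, c_on_d):
    """Keys are (truster, trustee). Thresholds 0.8 (page) and 0.5 (assumed)."""
    return {
        ("B'", "C"): lambda s: bprime_on_c,  # constructed local observation
        ("C", "D"): lambda s: c_on_d,        # constructed local observation
        # B delegates: trust C only if B' trusts C >= 0.8 and C distrusts D.
        ("B", "C"): lambda s: as_trust(both(
            at_least(s[("B'", "C")], 0.8), negate(at_least(s[("C", "D")], 0.5)))),
    }
```

Calling `evaluate(bank_policies((0.6, 0.9), (0.7, 0.9)))` yields absolute distrust for B in C even though B' is imprecise about C, because C's trust in D already settles the decision; with `(0.6, 0.9)` and `(0.0, 0.1)` the result stays at `UNKNOWN` until B' supplies more precise information.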

One aspect of trust propagation lies within the social networks of information creators and managers. Individuals have varying amounts of trust for one another, and for the statements asserted by others. This trust often differs depending on the subject. There is a strong background of recent research in propagating trust through social networks, and early work on the implications that this can have for determining the trustworthiness of statements in collected knowledge bases and the logical inferences made within them. The connection between trust in social networks and the trust and information orderings will be a component of this work.

Tasks

  • T2.1 Linguistic support for trust policies and their semantics
  • T2.2 An architecture for a trust management system
  • T2.3 Trust propagation via delegation

WP3: Tool Support and Evaluation

The SANTA workbench will be augmented with a trust management toolset for the continual enforcement of an NoN's trust policies. It will provide a trust policy validating engine which may be used by any system within an NoN, including Security Enforcers and Vigilant Agents provided within SANTA.

The tools and model will be evaluated on a variety of case studies drawn from both military (e.g. security policies related to NGOs) and civilian (Finance, Health and Retailing) domains.

Tasks

  • T3.1 Trust analysis tool-kit
  • T3.2 Design and implementation of trust management system
  • T3.3 Evaluation (military scenario of a typical NoN).

Major Deliverables

The following are high level deliverables of the proposed project:

  1. Formal model of trust in NoN, constructs for expressing trust policies, and their execution platform.
  2. Architectural design for a trust management system for evolvable NoN.
  3. Trust management tool-kit that supports continual enforcement of trust policies.








Jul 16 2012