Trust and Security Third Workshop
Yonatan Zetuny, Gabor Terstyanszky, Stephen Winter, Peter Kacsuk
Centre for Parallel Computing
Cavendish School of Informatics
University of Westminster
08 July, 2008
Key words: Grid Security, Reputation, Policy, Trust Model, Resource Selection
http://www.cpc.wmin.ac.uk

• Research Background
• Toward Reputation-Policy Based Trust in Grid computing
• Reputation-Policy Trust Model
• Grid Reputation-Policy Trust Management Service Architecture
• Test bed deployment, simulation & experiments
• Summary
Yonatan Zetuny - Trust and Security Third Workshop



Two common approaches for managing trust:
• Policy based: Web services, E-Commerce
• Reputation based: P2P, Ad-hoc networks
Traditional Grids use CA security measurements to enable trust between parties.
• Current research efforts focus on integrating one of the two approaches for managing trust.
Identified needs for:
• Establishing dynamic evaluation of resources to manage the risk of workflow execution failure
• Autonomic trust decision making based on a reputation evaluation strategy
• Expressing reputation using policy assertions in order to promote semantic interoperability



Provided argument that:
• A reputation-policy based approach should be considered in order to provide a complete resolution for dynamic trust establishment between Grid resources.
• Reputation provides trust evaluation measurements in dynamic scenarios where parties are not known to each other.
• Policy provides strong ties to standards and interoperability.
Suggested synergistic approach where:
• Grid clients (e.g. brokers, monitoring toolkits) are able to encapsulate reputation evaluation requirements inside a policy file.
• These requirements constitute a complete blueprint for a trust metrics algorithm.
Novelty points:
• Synergistic model - combining policy framework with a reputation algorithm (not used in Grid computing so far)
• Modelling reputation as policy assertions –
• Trust model integrates an evaluation model as well as a decision model.
• Exoteric and extensible trust metrics algorithm.
• Use of fuzzy logic to model uncertainties and subjective opinions on trust.





• Traditional Grid security research addressed trust through security mechanisms.
• The need for reputation evaluation of Grid resources as Grid shifts to ubiquitous and pervasive computing models.
• Few attempts to apply Reputation based TMS (GridEigenTrust, PathTrust, PeerTrust, etc.)
• Limitations of current solutions – single, deterministic, community based reputation algorithm disallowing user participation in the trust evaluation process.
• Grid clients are not able to calculate the trust value of a Grid resource by specifying their own trust evaluation criteria and, as a result, they are obliged to rely on a community reputation algorithm to compute trust values.




• Allowing Grid clients to take an active part in the trust and reputation evaluation process.
• Enabling Grid clients to augment their existing reputation queries with a set of reputation policy statements.
• Encapsulating both evaluation and decision models, therefore providing complete trust metrics for the reputation algorithm and allowing decision support based on supplied criteria.
• Three properties: Synergistic, Exoteric, Heuristic.

• Distributed data model: trust data is divided between Grid client and reputation algorithm.
• Model contains three artefacts:
  ◦ Trust Decision Strategy (TDS) > Heuristics
    ▪ Trust Evaluation Model > Subjective view
    ▪ Trust Decision Model > Opportunistic view
  ◦ Opinion Matrices (OM)
    ▪ Store and manipulate historical execution data
  ◦ Correlation Process (CP)
    ▪ Correlates each opinion element in the TDS with its historical ratings in the OM.
    ▪ Computes trust values using an Opinion Summary Table (OST).


• Represented by a Fuzzy Tree Model (FTM) expressing reputation-policy statements which are defined by trusting agents.
• Ramified into two branches:
  ◦ Trust Evaluation Model (TEM)
    ▪ Permutation of opinions representing subjective trust building blocks (e.g. availability, reliability, cost, etc.).
  ◦ Trust Decision Model (TDM)
    ▪ Potential trust value calculation outcomes and the corresponding opportunistic courses of action.
• Provides complete trust metrics for the reputation algorithm.

[Figure: fuzzy inference from trust value to trust level]
INPUT: trust value, interpreted as the input term {poor, good, excellent}
OUTPUT: trust level, assigned to be the output term {none, limited, full}
RULES:
IF trust_value IS poor THEN trust_level IS none
IF trust_value IS good THEN trust_level IS limited
IF trust_value IS excellent THEN trust_level IS full







• Provides a subjective view on trust.
• A client defines a finite set of opinions where each opinion represents a building block of trust (e.g. availability, data accuracy, cost, etc.).
• Client opinions must be a subset of the opinions applicable for the VO (defined by MP).
• Each opinion is dependent on one or more sources of references for historical trust data.
• A source can have one of the following values: experience, reputation or a combination of experience and reputation.
• A weight rule is a special constraint which indicates the importance of one set item over another (decisions, opinions, sources).
• Each weight rule uses a fuzzy value [0…1] to indicate a degree of importance.




• Provides an opportunistic view on trust.
• A client defines a finite set of decision rules to indicate potential trust value calculation outcomes and potential courses of action.
• Trust values are fuzzified using membership functions defined by the client.
• Rules are modelled as fuzzy logic sets where each trust level calculation is coupled with its membership function to indicate a degree of belonging to each set.
TDS = {TEM; (TDR1;TDR2; … ;TDRn)}



• Tabular data structures which store the historical evaluation feedback values reported by trusting agents.
• For each opinion defined in the MP universe there is one and only one corresponding matrix, storing evaluation feedback data regarding that opinion.
• When an execution is completed, a trusting agent is required to rate the quality of the transaction using an evaluation feedback mechanism. This mechanism gathers a score value for each opinion originally defined by the trusting agent using the trust decision strategy.

M(O): matrix M for an opinion O.
Values are based on time series distribution, trust decay function, cut-off time and weighted mean.
Calculation of matrix value V(i,j)




• Involves matching each opinion defined in the TDS with its historical references in the OMs and calculating the trust value for that opinion.
• Each TDS opinion type is routed via the MP in order to return the corresponding OM.
• The CP examines the opinion’s source nodes (experience, reputation) and their weight factors.
• The CP generates two vectors, an experience vector and a reputation vector, and calculates the opinion value using a standard mean:

GREPTrust is comprised of three domains:
• Client Domain – Grid Client, TDS Data Store
• Service Domain – Querying Manager, Feedback Manager and Admin Manager
• Data Domain – Reputation-Policy Data Store

There are three major scenarios regarding reputation-policy querying management:
• The Grid client submits a Reputation-Policy Query (RPQ) to the GREPTrust resource.
• The GREPTrust resource processes the RPQ, generates a Reputation-Policy Report (RPR) and delivers it to the Grid client.
• The Grid client utilises the RPR in order to make a decision on which resource(s) to submit the job to.

• The Grid client contacts the TDS data store using a strategy identifier specified by the user when he submitted the job.
• The TDS data store returns the TDS file back to the Grid client.
• The Grid client assembles a reputation-policy query containing the following parameters:
  ◦ Identifier of the Grid client.
  ◦ Identifiers of the resources to be evaluated. (These are assumed to have been previously obtained via a Grid Information Service.)
  ◦ Cut-off date - the start date from which to gather the feedback data. A null value means that the earliest date on which feedback was ever submitted is used.
  ◦ Trust decay function identifier – the rate of trust decay. This results in assigning a weight to each submitted feedback, giving higher precedence to feedback submitted recently. The Grid client can submit custom decay functions, but for the purpose of the simulation 3 functions are supported: 1/x, 1/x^2 and exp(x). A null value means that no trust decay function is used.
  ◦ The TDS file to be processed.
• The Grid client submits the reputation-policy query to the GREPTrust resource for processing the TDS and returning a reputation-policy report.

Parameter              Value            Type
ClientID               1                String
Resources              1,2              String[]
CutoffDateTime         20080520         Date
TrustDecayFunction     3 (Exponential)  String
TrustDecisionStrategy  <XML>            String

[Figure: RPQ parameters sent from the Grid Client to GREPTrust]

GREPTrust resource receives a new RPQ:
• RPQ is dispatched to the Query Manager (QM)
• The QM validates the RPQ and submits it to the Reputation Algorithm (RA) for processing:
  ▪ Step 1: Processing the TDS Evaluation Model
  ▪ Step 2: Processing the TDS Decision Model
  ▪ Step 3: Generating Reputation-Policy Report
STEP1: Process TDS Evaluation Model
STEP2: Process TDS Decision Model
STEP3: Generate Reputation-Policy Report

<TrustEvaluationModel>
  <Opinions>
    <Opinion Type="1" Weight="0.1">
      <Sources>
        <Source Type="Experience" Weight="0.9"/>
        <Source Type="Reputation" Weight="0.1"/>
      </Sources>
    </Opinion>
    <Opinion Type="2" Weight="0.9">
      <Sources>
        <Source Type="Experience" Weight="0.9"/>
        <Source Type="Reputation" Weight="0.1"/>
      </Sources>
    </Opinion>
  </Opinions>
</TrustEvaluationModel>
Callouts: permutation of opinions (the Opinion elements), permutation of sources (the Source elements).
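
The TDS is client-supplied XML that the Query Manager validates before the Reputation Algorithm processes it, so the constraints stated for the TEM (opinions drawn from the VO's set, sources limited to experience and reputation, weights in [0…1]) can be enforced before any trust value is computed. This is an added Python example, not GREPTrust code; `validate_tem`, the VO opinion set {1, 2, 3} and the rejection of DTD declarations are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the TrustEvaluationModel fragment from the slide, compacted.
TEM_XML = """<TrustEvaluationModel><Opinions>
<Opinion Type="1" Weight="0.1"><Sources><Source Type="Experience" Weight="0.9"/>
<Source Type="Reputation" Weight="0.1"/></Sources></Opinion>
<Opinion Type="2" Weight="0.9"><Sources><Source Type="Experience" Weight="0.9"/>
<Source Type="Reputation" Weight="0.1"/></Sources></Opinion>
</Opinions></TrustEvaluationModel>"""

VO_OPINION_TYPES = {"1", "2", "3"}           # assumption: opinion universe defined by the MP
SOURCE_TYPES = {"Experience", "Reputation"}  # source kinds named on the slides

def bad_weight(elem):
    """True when the Weight attribute is missing, non-numeric or outside [0, 1]."""
    try:
        return not 0.0 <= float(elem.get("Weight", "")) <= 1.0  # NaN also fails
    except ValueError:
        return True

def validate_tem(xml_text, vo_types=VO_OPINION_TYPES):
    """Return a list of violations; an empty list means the TEM is acceptable."""
    # Assumed hardening step: a policy file has no need for DTDs or entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declarations are not accepted in a client-supplied TDS"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    opinions = root.findall("./Opinions/Opinion")
    if root.tag != "TrustEvaluationModel" or not opinions:
        return ["expected TrustEvaluationModel with at least one Opinion"]
    errors = []
    for op in opinions:
        where = f"opinion {op.get('Type')!r}"
        if op.get("Type") not in vo_types:
            errors.append(f"{where}: not in the VO opinion set")
        if bad_weight(op):
            errors.append(f"{where}: weight not in [0, 1]")
        sources = op.findall("./Sources/Source")
        if not sources:
            errors.append(f"{where}: needs at least one source")
        for src in sources:
            if src.get("Type") not in SOURCE_TYPES:
                errors.append(f"{where}: unknown source type {src.get('Type')!r}")
            if bad_weight(src):
                errors.append(f"{where}: source weight not in [0, 1]")
    return errors
```
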

<Fuzzifier Name="trust_value">
  <Terms>
    <Term Name="poor">
      <Points>
        <Point X="0.0" Y="1.0" />
        <Point X="0.5" Y="0.0" />
      </Points>
    </Term>
    <Term Name="good">
      <Points>
        <Point X="0.0" Y="0.0" />
        <Point X="0.5" Y="1.0" />
        <Point X="1.0" Y="0.0" />
      </Points>
    </Term>
    <Term Name="excellent">
      <Points>
        <Point X="0.5" Y="0.0" />
        <Point X="1.0" Y="1.0" />
      </Points>
    </Term>
  </Terms>
</Fuzzifier>
Callouts: input variable (trust_value), term names (poor, good, excellent), membership functions (the Point lists).
The value of the trust_value variable has to be converted into degrees of membership for the membership functions defined on the variable.

Trust Value: 0.11
Poor: 0.78
Good: 0.22
Excellent: 0.00

Trust value: 0.11
Implication Method: MIN
Accumulation Method: MAX
IF trust_value IS poor THEN trust_level IS none
IF trust_value IS good THEN trust_level IS limited
IF trust_value IS excellent THEN trust_level IS full
Defuzzification Method: COG
Trust level: 0.32

<Defuzzifier Name="trust_level" AccumulationMethod="MAX" DefuzzificationMethod="COG" DefaultValue="0">
  <Terms>
    <Term Name="none">
      <Points>
        <Point X="0.0" Y="0.0" />
        <Point X="0.1" Y="1.0" />
        <Point X="0.2" Y="0.0" />
      </Points>
    </Term>
    <Term Name="limited">
      <Points>
        <Point X="0.2" Y="0.0" />
        <Point X="0.5" Y="1.0" />
        <Point X="0.8" Y="0.0" />
      </Points>
    </Term>
    <Term Name="full">
      <Points>
        <Point X="0.8" Y="0.0" />
        <Point X="0.9" Y="1.0" />
        <Point X="1.0" Y="0.0" />
      </Points>
    </Term>
  </Terms>
</Defuzzifier>
Callouts: output variable (trust_level), membership functions (the Point lists).
A linguistic variable – trust_level for an output variable has to be converted into a value.

<Rules>
  <Rule Id="1" Expression="IF trust_value IS poor THEN trust_level IS none" />
  <Rule Id="2" Expression="IF trust_value IS good THEN trust_level IS limited" />
  <Rule Id="3" Expression="IF trust_value IS excellent THEN trust_level IS full" />
</Rules>
Callouts: rule block/ID, condition, output variable, conclusion.
• The inference of the fuzzy algorithm is defined in one or more rule blocks.
• Each rule block defines a predicate based on de Morgan’s Law.
• Each rule block has a unique name defining a distinct set.
$M = \{(x_1, \mu_M(x_1)), (x_2, \mu_M(x_2)), \ldots, (x_n, \mu_M(x_n))\}, \quad x_i \in G, \ i = 1, 2, \ldots, n \qquad (A.1)$

<GREPTrust:Report>
  <Resources>
    <Resource Id="2" Value="0.11" Level="0.32">
      <Rules>
        <Rule Id="3" Degree="0.0"/>
        <Rule Id="2" Degree="0.22"/>
        <Rule Id="1" Degree="0.78"/>
      </Rules>
    </Resource>
    <Resource Id="1" Value="0.41" Level="0.46">
      <Rules>
        <Rule Id="3" Degree="0.0"/>
        <Rule Id="2" Degree="0.82"/>
        <Rule Id="1" Degree="0.18"/>
      </Rules>
    </Resource>
  </Resources>
</GREPTrust:Report>
Callouts: TDM: Trust Level (the Level attribute); TDM: Degree membership (the Degree attributes).
Quantitative methodologies for modelling Subjective & Opportunistic perception on trust…
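
The inference chain on the preceding slides (fuzzification, MIN implication, MAX accumulation, COG defuzzification) can be reproduced from the Fuzzifier, Defuzzifier and Rules XML, and it yields the Degree and Level figures in the report for both resources. This is an added Python example, not GREPTrust code; the function names, the sampled centre-of-gravity sum and the flat extension of each term outside its breakpoints are assumptions.

```python
# Membership functions as (x, y) breakpoints, copied from the Fuzzifier and
# Defuzzifier XML on the slides.
TRUST_VALUE = {"poor": [(0.0, 1.0), (0.5, 0.0)],
               "good": [(0.0, 0.0), (0.5, 1.0), (1.0, 0.0)],
               "excellent": [(0.5, 0.0), (1.0, 1.0)]}
TRUST_LEVEL = {"none": [(0.0, 0.0), (0.1, 1.0), (0.2, 0.0)],
               "limited": [(0.2, 0.0), (0.5, 1.0), (0.8, 0.0)],
               "full": [(0.8, 0.0), (0.9, 1.0), (1.0, 0.0)]}
RULES = {"poor": "none", "good": "limited", "excellent": "full"}  # rules 1 to 3


def membership(points, x):
    """Piecewise-linear membership degree of x; flat beyond the outermost points."""
    if x <= points[0][0]:
        return points[0][1]
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        if x <= x1:
            return y0 + (y1 - y0) * (x - x0) / (x1 - x0)
    return points[-1][1]


def fuzzify(trust_value):
    """Degree of membership of trust_value in each input term."""
    return {term: membership(pts, trust_value) for term, pts in TRUST_VALUE.items()}


def trust_level(trust_value, steps=10000, default=0.0):
    """MIN implication, MAX accumulation, centre-of-gravity defuzzification."""
    degrees = fuzzify(trust_value)
    num = den = 0.0
    for i in range(steps + 1):
        x = i / steps
        # Clip each output term at its rule's firing degree (MIN), then take
        # the upper envelope of the clipped terms (MAX).
        y = max(min(degrees[t_in], membership(TRUST_LEVEL[t_out], x))
                for t_in, t_out in RULES.items())
        num += x * y
        den += y
    return num / den if den else default  # DefaultValue="0" when no rule fires
```
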

[Figure: GridSIM simulation environment]
• Providing both scheduled and manual based approaches
• Decoupling the model’s logic from the actual domain using IQueryManager interface
• Reputation Analytics – Evaluations and decisions based on existing and preselected data
Figure labels: ReputationPolicy Query, Historical Data, Reports, Strategy Selection

• Performance studies – Does this model really allow prudent resource selection?
• Behaviour – How does this model behave under various conditions? How will different strategies affect the recommended resources? What are the limitations?
  ◦ Time series analysis
  ◦ Correlation analysis
• Epistemology studies – How does the knowledge provided manage execution risk? How can Grid client applications make use of the model?
• Analytics - statistical analysis in order to discover and understand historical patterns
• Cognitive studies - can we use this model to develop patterns for resource selection? Machine learning? Knowledge management?
• Repercussions and merits of the model on Grid computing




• Reputation-Policy Trust Model behaviour experiment with different test case scenarios.
• Deployment on simulation environment.
• Scalability and performance of the GREPTrust architecture.

• Novel paradigm for managing trust in Grid computing.
• Adaptable reputation-policy trust model vs. current Grid reputation models which offer a single, community-based deterministic reputation algorithm.
• Reputation-policy trust model allows fine-grained resource selection based on a trust decision strategy defined by a trusting agent as opposed to the reputation algorithm.
• Synergistic TDS - trust decision strategy definition using opinions, sources and rules.
• Internal artefacts of the model TDS, OM and CMP were proposed in order to support trust data.



Questions/Comments/Suggestions?