Trust and Security Third Workshop Yonatan Zetuny, Gabor Terstyanszky, Stephen Winter, Peter Kacsuk Centre for Parallel Computing Cavendish School of Informatics University of Westminster 08 July, 2008 Key words: Grid Security, Reputation, Policy, Trust Model, Resource Selection http://www.cpc.wmin.ac.uk Research Background Toward Reputation-Policy Based Trust in Grid computing Reputation-Policy Trust Model Grid Reputation-Policy Trust Management Service Architecture Test bed deployment, simulation & experiments Summary Yonatan Zetuny - Trust and Security Third Workshop 2 Two common approaches for managing trust: Policy based: Web services, E-Commerce Reputation based: P2P, Ad-hoc networks Traditional Grids use CA security measurements to enable trust between parties Current research efforts focus on integrating one of the two approaches for managing trust. Identified needs for: Establishing dynamic evaluation of resources to manage risk of workflow execution failure Autonomic trust decision making based on reputation evaluation strategy Expressing reputation using policy assertions in order to promote semantic interoperability. Yonatan Zetuny - Trust and Security Third Workshop 3 Provided argument that: Reputation-policy based approach should be considered in order to provide a complete resolution for dynamic trust establishment between Grid resources. Reputation provides trust evaluation measurements in dynamic scenarios where parties are not known to each other. Policy provides strong ties to standards and interoperability. Suggested synergistic approach where: Grid clients (e.g. brokers, monitoring toolkits) are able to encapsulate reputation evaluation requirements inside a policy file. These requirements constitute as a complete blueprint for a trust metrics algorithm. Novelty points: Synergistic model - combining policy framework with a reputation algorithm (not used in Grid computing so far) modelling reputation as policy assertions – Trust model integrates an evaluation model as well as a decision model. Exoteric and extensible trust metrics algorithm. Use of fuzzy logic to model uncertainties and subjective opinions on trust. Yonatan Zetuny - Trust and Security Third Workshop 4 Traditional Grid security research addressed trust through security mechanisms. The need for reputation evaluation of Grid resources as Grid shifts to ubiquitous and pervasive computing models. Few attempts to apply Reputation based TMS (GridEigenTrust, PathTrust, PeerTrust, etc) Limitations of current solutions – single, deterministic, community based reputation algorithm disallowing user participation in the trust evaluation process. Grid clients are not able to calculate the trust value of a Grid resource by specifying their own trust evaluation criteria and as a result, they are obliged to rely on a community reputation algorithm to compute trust values. Yonatan Zetuny - Trust and Security Third Workshop 5 Allowing Grid clients to carry out an active involvement in the trust and reputation evaluation process. Enabling Grid clients to augment their existing reputation queries with a set of reputation policy statements. Encapsulating both evaluation decision models, therefore providing complete trust metrics for the reputation algorithm and allowing decision support based on supplied criteria. Three properties: Synergistic, Exoteric, Heuristic. Yonatan Zetuny - Trust and Security Third Workshop 6 Distributed data model: trust data is divided between Grid client and reputation algorithm. Model contains three artefacts: ◦ Trust Decision Strategy (TDS) > Heuristics Trust Evaluation Model > Subjective view Trust Decision Model > Opportunistic view ◦ Opinion Matrices (OM) Store and manipulate historical execution data ◦ Correlation Process (CP) Correlates each opinion element in the TDS with its historical ratings in the OM. Computes trust values using an Opinion Summary Table (OST). Yonatan Zetuny - Trust and Security Third Workshop 7 Represented by Fuzzy Tree Model (FTM) expressing reputation-policy statements which are defined by trusting agents. Ramified into two branches: Trust Evaluation Model (TEM) ▪ Permutation of opinions representing subjective trust building blocks (e.g. availability, reliability, cost, etc). Trust Decision Model (TDM) ▪ Potential trust value calculation outcomes and opportunistic correspondent courses of actions. Provides complete trust metrics for the reputation algorithm. Yonatan Zetuny - Trust and Security Third Workshop 8 Trust value Trust level INPUT OUTPUT IF trust_value IS poor THEN trust_level IS none IF trust_value IS good THEN trust_level IS limited IF trust_value IS excellent THEN trust_level IS full RULES Trust value Is interpreted as {poor, good, excellent} Trust level Is assigned to be {none, limited, full} INPUT TERM OUTPUT TERM Yonatan Zetuny - Trust and Security Third Workshop 9 Provides subjective view on trust. A Client defines a finite set of opinions where each opinion represents a building block of trust (e.g. availability, data accuracy, cost, etc) Client opinions must be a subset of opinions applicable for the VO (Defined by MP). Each opinion is dependent on one or more sources of references for historical trust data. A source can have one of the following values: experience, reputation or combination of experience and reputation. A weight rule is a special constraint which indicates the importance of one set item over another (decisions, opinions, sources). Each weight rule uses a fuzzy value [0…1] to indicate a degree of importance. Yonatan Zetuny - Trust and Security Third Workshop 10 Provides opportunistic view on trust A client defines a finite set of decision rules to indicate potential trust value calculation outcomes and potential courses of action. Trust values are fuzzified using membership functions defined by the client. Rules are modelled as fuzzy logic sets where each trust level calculation is coupled with it’s membership function to indicate a degree of belonging to each set. Yonatan Zetuny - Trust and Security Third Workshop 11 TDS = {TEM; (TDR1;TDR2; … ;TDRn)} Yonatan Zetuny - Trust and Security Third Workshop 12 Tabular data structures which store the historical evaluation feedback values reported by trusting agents. For each opinion defined in the MP universe there is one and only one correspondent matrix, storing evaluation feedback data regarding that opinion. When an execution is completed, a trusting agent is required to rate the quality of the transaction using an evaluation feedback mechanism. This mechanism gathers a score value for each opinion originally defined by the trusting agent using the trust decision strategy. Yonatan Zetuny - Trust and Security Third Workshop 13 M(O) Matrix M for an Opinion O Values are based on time series distribution, trust decay function, cut off time and weighted mean Calculation of matrix value V(i,j) Yonatan Zetuny - Trust and Security Third Workshop 14 Involves matching each opinion defined in TDS with its historical references in the OMs and calculating the trust value for that opinion. Each TDS opinion type is routed via the MP in order to return a correspondent OM. The CP examines the opinion’s source nodes (experience, reputation) and their weight factors. The CP generates two vectors: experience vector and reputation vector and calculates the opinion value using a standard mean: Yonatan Zetuny - Trust and Security Third Workshop 15 Yonatan Zetuny - Trust and Security Third Workshop 16 GREPTrust is comprised of three domains: •Client Domain – Grid Client, TDS Data Store •Service Domain – Querying Manager, Feedback Manager and Admin Manager •Data Domain – Reputation-Policy Data Store Yonatan Zetuny - Trust and Security Third Workshop 17 There are three major scenarios regarding reputation-policy querying management: The Grid client submits a Reputation-Policy Query (RPQ) to the GREPTrust resource. The GREPTrust resource processes the RPQ, generates Reputation-Policy Report (RPR) and delivers it to the Grid client. The Grid client utilises the RPR in order to make a decision on which resource(s) to submit the job to. Yonatan Zetuny - Trust and Security Third Workshop 18 Yonatan Zetuny - Trust and Security Third Workshop 19 The Grid client contacts the TDS data store using a strategy identifier specified by the user when he submitted the job. The TDS data store returns the TDS file back to the Grid client. The Grid client assembles a reputation-policy query containing the following parameters: Identifier of the Grid client. Identifiers of the resources to be evaluated. (This is assumed to be previously obtained via a Grid Information Service). Cut-off date - the start date of which to gather the feedback data. Null value assumes to use the earliest date a feedback was ever submitted Trust decay function identifier – the rate of trust of trust decay. This results in assigning a weight to each submitted feedback given higher precedence of importance to feedbacks submitted recently. The Grid client can submit custom decay functions but for the purpose of the simulation 3 functions are supported: (1/x, 1/x^2 and exp (x)). Null value assumes no trust decay function to be used. The TDS file to be processed. The Grid client submits the reputation-policy query to the GREPTrust resource for processing the TDS and returning a reputation-policy report. Yonatan Zetuny - Trust and Security Third Workshop 20 Parameter Value Type ClientID 1 String Resources 1,2 String[] CutoffDateTime 20080520 Date TrustDecayFunction 3 (Exponential) String TrustDecisionStrategy <XML> String Grid Client GREPTrust Yonatan Zetuny - Trust and Security Third Workshop 21 GREPTrust resource receives a new RPQ: RPQ is dispatched to the Query Manager (QM) The QM validates the RPQ and submits it to the Reputation Algorithm (RA) for processing: ▪ Step 1: Processing the TDS Evaluation Model ▪ Step 2: Processing the TDS Decision Model ▪ Step 3: Generating Reputation-Policy Report Yonatan Zetuny - Trust and Security Third Workshop 22 Yonatan Zetuny - Trust and Security Third Workshop 23 STEP1: Process TDS Evaluation Model STEP2: Process TDS Decision Model STEP3: Generate Reputation-Policy Report Yonatan Zetuny - Trust and Security Third Workshop 24 Yonatan Zetuny - Trust and Security Third Workshop 25 Yonatan Zetuny - Trust and Security Third Workshop 26 Yonatan Zetuny - Trust and Security Third Workshop 27 <TrustEvaluationModel> <Opinions> <Opinion Type="1" Weight="0.1"> <Sources> <Source Type="Experience" Weight="0.9"/> <Source Type="Reputation" Weight="0.1"/> </Sources> </Opinion> <Opinion Type="2" Weight="0.9"> <Sources> <Source Type="Experience" Weight="0.9"/> <Source Type="Reputation" Weight="0.1"/> </Sources> </Opinion> </Opinions> </TrustEvaluationModel> Yonatan Zetuny - Trust and Security Third Workshop Permutation of opinions Permutation of Sources 28 <Fuzzifier Name="trust_value"> Input variable <Terms> <Term Name="poor"> <Points> <Point X="0.0" Y="1.0" /> <Point X="0.5" Y="0.0" /> </Points> </Term> Term names <Term Name="good"> <Points> <Point X="0.0" Y="0.0" /> Membership <Point X="0.5" Y="1.0" /> functions <Point X="1.0" Y="0.0" /> </Points> </Term> <Term Name="excellent"> <Points> <Point X="0.5" Y="0.0" /> <Point X="1.0" Y="1.0" /> </Points> </Term> The value of the trust_value variable has to be </Terms> </Fuzzifier> converted into degrees of membership for the membership functions defined on the variable. Yonatan Zetuny - Trust and Security Third Workshop 29 Poor: 0.78 Good: 0.22 Excl: 0.00 Trust Value: 0.11 Yonatan Zetuny - Trust and Security Third Workshop 30 trust value: 0.11 Implication Method: MIN Accumulation Method: MAX IF trust_value trust_level IS IF trust_value trust_level IS IF trust_value trust_level IS IS poor THEN none IS good THEN limited IS excellent THEN full trust level: 0.32 Yonatan Zetuny - Trust and Security Third Workshop Defuziffication Method: COG 31 <Defuzzifier Name="trust_level" AccumulationMethod="MAX" DefuzzificationMethod="COG" DefaultValue="0"> <Terms> Output variable <Term Name="none"> <Points> <Point X="0.0" Y="0.0" /> <Point X="0.1" Y="1.0" /> <Point X="0.2" Y="0.0" /> </Points> </Term> <Term Name="limited"> <Points> <Point X="0.2" Y="0.0" /> Membership <Point X="0.5" Y="1.0" /> functions <Point X="0.8" Y="0.0" /> </Points> </Term> <Term Name="full"> <Points> A linguistic variable – <Point X="0.8" Y="0.0" /> trust_level for an output <Point X="0.9" Y="1.0" /> <Point X="1.0" Y="0.0" /> variable has to be converted </Points> into a value. </Term> </Terms> </Defuzzifier> Yonatan Zetuny - Trust and Security Third Workshop 32 <Rules> <Rule Id="1" Expression="IF trust_value IS poor THEN trust_level IS none" /> <Rule Id="2" Expression="IF trust_value IS good THEN trust_level IS limited" /> <Rule Id="3" Expression="IF trust_value IS excellent THEN trust_level IS full" /> </Rules> Rule block/ID Condition Output variable Conclusion •The inference of the fuzzy algorithm is defined in one or more rule blocks. •Each rule block defines a predicate based on de Morgan’s Law. •Each rule block has a unique name defining a distinct set. M = {(x1,μM(x1)), (x2,μM(x2)),,..,(xn,μM(xn))}, xi mem G, i=1,2,..n (A.1) Yonatan Zetuny - Trust and Security Third Workshop 33 <GREPTrust:Report> <Resources> <Resource Id="2" <Rules> <Rule Id="3" <Rule Id="2" <Rule Id="1" </Rules> </Resource> <Resource Id="1" <Rules> <Rule Id="3" <Rule Id="2" <Rule Id="1" </Rules> </Resource> </Resources> </GREPTrust:Report> Value="0.11" Level="0.32"> Degree="0.0"/> Degree="0.22"/> Degree="0.78"/> TDM: Trust Level Value="0.41" Level="0.46"> Degree="0.0"/> Degree="0.82"/> Degree="0.18"/> Quantitative methodologies for modelling Subjective & Opportunistic perception on trust… Yonatan Zetuny - Trust and Security Third Workshop TDM: Degree membership 34 GridSIM simulation environment Providing both scheduled and manual based approaches ReputationPolicy Query Historical Data Decoupling the model’s logic from the actual domain using IQueryManager interface Reports Strategy Selection Reputation Analytics – Evaluations and decisions based on existing and preselected data Yonatan Zetuny - Trust and Security Third Workshop 35 Performance studies – Does this model really allow prudent resource selection? Behaviour – How does this model behaves under various conditions? How will different strategies effect the recommended resources? What are the limitations? Time series analysis Correlation analysis Epistemology studies– How does the knowledge provided manage execution risk? How can Grid client applications make use of the model? Analytics - statistical analysis in order to discover and understand historical patterns Cognitive studies - can we use this model to develop patterns for resource selection? Machine learning? Knowledge management? Repercussions and merits of the model on Grid computing Yonatan Zetuny - Trust and Security Third Workshop 36 Reputation-Policy Trust Model behaviour experiment with different test case scenarios. Deployment on simulation environment. Scalability and performance of the GREPTrust architecture. Yonatan Zetuny - Trust and Security Third Workshop 37 Novel paradigm for managing trust in Grid computing. Adaptable Reputation-policy trust model vs. current Grid reputation models which offer single, community-based deterministic reputation algorithm. Reputation-policy trust model allows fine-grained resource selection based on a trust decision strategy defined by a trusting agent as opposed to the reputation algorithm. Synergistic TDS - trust decision strategy definition using opinions, sources and rules. Internal artefacts of the model TDS, OM and CMP were proposed in order to support trust data. Questions/Comments/Suggestions? Yonatan Zetuny - Trust and Security Third Workshop 38