trust in pervasive computing

8/11/2019 Trust in Pervasive Computing

1/49

Agent approaches to Security, Trust

and Privacy in Pervasive Computing

Anupam Joshi

[email protected]

http://www.cs.umbc.edu/~joshi/


2/49

The Vision

Pervasive Computing: a natural extension of thepresent human computing life style

Using computing technologies will be as natural as using

other non-computing technologies (e.g., pen, paper, and

cups)

Computing services will be available anytime and

anywhere.


3/49

Pervasive Computing

The most profound technologies are those thatdisappear. They weave themselves into the

fabric of everyday life until they are

indistinguishable from it Mark Weiser

Think:writing, central heating, electric

lighting,

Not:taking your laptop to the beach, orimmersing yourself into a virtual reality


4/49

Today: Life is Good.


5/49

Tomorrow: We Got Problems!


6/49

The Brave New World

Devices increasingly more{powerful ^ smaller ^ cheaper}

People interact daily with hundreds of computingdevices (many of them mobile): Cars

Desktops/Laptops

Cell phones

PDAs

MP3 players

Transportation passes

Computing is becoming pervasive


7/49

Securing Data & Services

Security is critical because in many pervasive

applications, we interact with agents that are not in

our home or office environment.

Much of the work in security for distributed systems

is not directly applicable to pervasive environments Need to build analogs to trust and reputation

relationships in human societies

Need to worry about privacy!


8/49

An early policy for agents

1A robot may not injure a human being, or,

through inaction, allow a human being to

come to harm.

2A robot must obey the orders given it by human beings except

where such orders would conflict with the First Law.

3A robot must protect its own existence as long as such

protection does not conflict with the First or Second Law.-- Handbook of Robotics, 56th Edition, 2058 A.D.


9/49

On policies, rules and laws

The interesting thing about Asimovs laws were that robots did not

always strictly follow them.

This is a point of departure from more traditional hard coded rules

like DB access control, and OS file permissions

For autonomous agents, we need policies that describe norms of

behavior that they should follow to be good citizens.

So, its natural to worry about issues like

When an agent is governed by multiple policies, how does it

resolve conflicts among them?

How can we define penalties when agents dont fulfill their

obligations? How can we relate notions of trust and reputation to policies?


10/49

The Role of Ontologies

We will require shared ontologies to support thisframework

A common ontology to represent basic concepts:agents, actions, permissions, obligations,prohibitions, delegations, credentials, etc.

Appropriate shared ontologies to describe classes,properties and roles of people and agents, e.g., any device owned by TimFinin

any request from a faculty member at ETZ Ontologies to encode policy rules


11/49

ad-hoc networking technologies

Ad-hoc networking technologies (e.g. Bluetooth)

Main characteristics: Short range

Spontaneous connectivity

Free, at least for now

Mobile devices

Aware of their neighborhood

Can discover others in their vicinity

Interact with peers in their neighborhood inter-operate and cooperate as needed and as desired

Both information consumers and providers

Ad-hoc mobile technology challenges the traditional client/server

information access model


12/49

pervasive environment paradigm

Pervasive Computing Environment

1.Ad-Hoc mobile connectivity Spontaneous interaction

2. Peers Service/Information consumers and providers

Autonomous, adaptive, and proactive

3. Data intensive deeply networked environment Everyone can exchange information

Data-centric model

Some sources generate streams of data, e.g. sensors

Pervasive Computing Environments


13/49

motivationconference scenario

Smart-room infrastructure and personal devices can assist an ongoing meeting: data exchange,

schedulers, etc.


14/49

imperfect world

In aperfectworld

everything available and done automatically

In therealworld

Limited resources

Battery, memory, computation, connection, bandwidth

Must live with less than perfect results

Dumb devicesMust explicitly be told What, When, and How

Foreign entities and unknown peers

So, we really want

Smart, autonomous, dynamic, adaptive, and

proactive methods to handle data and services


15/49

Securing Ad-Hoc Networks

MANETs underlie much of pervasive computing

They bring to fore interesting problems related to

Open

Dynamic

Distributed Systems

Each node is an independent, autonomous router

Has to interact with other nodes, some never seen

before. How do you detect bad guys ?


16/49

Network Level : Good Neighbor

Ad hoc network

Node A sends packet

destined for E, through B.

B and C make snoop entry

(A,E,Ck,B,D,E).

B and C check for snoop

entry.

Perform Misroute

A

B

C

D

E


17/49

Good Neighbor

No Broadcast

Hidden terminal

Exposed terminal

DSR vs. AODV

GLOMOSIM

A

B

C

D

E


18/49

Intrusion Detection

Behaviors

Selfish

Malicious

Detection vs. Reactions

Shunning bad nodes

Cluster Voting

Incentives (Game Theoretic)

Colluding nodes

Forgiveness


19/49

Simulation in GlomoSim

Passive Intrusion Detection

Individual determination

No results forwarding

Active Intrusion Detection

Cluster Scheme Voting

Result flooding


20/49

GlomoSim Setup

16 nodes communication

4 nodes sources for 2 CBR streams

2 nodes pair CBR streams

Mobility 020 meters/sec

Pause time 015s

No bad nodes


21/49

Simulation Results


22/49

Preliminary Results

Passive

False alarm rate > 50%

Throughput rate decrease < 3% additional

Active

False alarm rate < 30%

Throughput rate decrease ~ 25% additional


23/49

challengesis that all? (1)

1. Spatio-temporal variation of data and data sources

All devices in the neighborhood are potential informationproviders

Nothing is fixed

No global catalog

No global routing table

No centralized control

However, each entity can interact with its neighbors By advertising / registering its service

By collecting / registering services of others


24/49


2. Query may be explicit or implicit, but is often known

up-front

Users sometimes ask explicitly

e.g. tell me the nearest restaurant that has vegetarian menuitems

The system can guess likely queries based on

declarative information or past behavior

e.g. the user always wants to know the price of IBM stock


25/49


3. Since information sources are not known a priori, schema

translations cannot be done beforehand

Resource limited devices

so hope for common, domain specific ontologies

Different modes:

Device could interact with only such providers whose schemas itunderstands

Device could interact with anyone, and cache the information in hopes ofa translation in the future.

Device could always try to translate itself Prior work in Schema Translation, Ongoing work in Ontology Mapping.


26/49


4. Cooperation amongst information sources cannot be

guaranteed

Device has reliable information,but makes it inaccessible

Devices provides information,which is unreliable

Once device shares information, it needsthe capability to protect future propagation

and changes tothat information


27/49


Need to avoid humans in the loop

Devices must dynamically "predict" data importance and utility based on thecurrent context

The key insight: declarative (or inferred) descriptions help

Information needs

Information capability

Constraints

Resources

Data

Answer fidelity

Expressive Profiles can capture such descriptions


28/49

4. our data management architecture

MoGATU

Design and implementation consists of

Data

Metadata

Profiles

Entities

Communication interfaces

Information Providers

Information Consumers

Information Managers


29/49

MoGATUmetadata

Metadata representation

To provide information about Information providers and consumers,

Data objects, and

Queries and answers

To describe relationships

To describe restrictions To reason over the information

Semantic language

DAML+OIL / DAML-S

http://mogatu.umbc.edu/ont/


30/49

MoGATUprofile

Profile

Userpreferences, schedule, requirements Deviceconstraints, providers, consumers

Dataownership, restriction, requirements, process model

Profiles based on BDI models

Beliefs are facts about user or environment/context

Desires and Intentions

higher level expressions of beliefs and goals

Devices reason over the BDI profiles

Generate domains of interest and utility functions

Change domains and utility functions based on context


31/49

MoGATUinformation manager (8)

Problems

Not all sources and data are correct/accurate/reliable No common sense

Person can evaluate a web site based on how it looks, a computer cannot

No centralized party that could verify peer reliability or reliability of itsdata

Device is reliable, malicious, ignorant or uncooperative

Distributed Belief Need to depend on other peers

Evaluate integrity of peers and data based on peer distributed belief Detect which peer and what data is accurate

Detect malicious peers

Incentive model: if A is malicious, it will be excluded from the network


32/49


Distributed Belief Model

Device sends a query to multiple peers

Ask its vicinity for reputation of untrusted peers that responded to the

query

Trust a device only if trusted before or if enough of trusted peers trust it

Use answers from (recommended to be) trusted peers to determine

answer

Update reputation/trust level for all devices that responded

A trust level increases for devices that responded according to final

answer

A trust level decreases for devices that responded in a conflicting way

Each devices builds a ring of trust


33/49

A: D, where is Bob?A: C, where is Bob?A: B, where is Bob?


34/49

C:

A, Bob is at work.

D:

A, Bob is home.

B: A, Bob is home.


35/49

A:

B: Bob at home,

C: Bob at work,D: Bob at home

A: I have enough

trust in D. What

about B and C?


36/49

A: Do you trust C?

C: I always do.

D: I dont.

B: I am not sure.

E: I dont.

F: I do.

A:

I dont care what C says.

I dont know enough about B,

but I trust D, E, and F. Together,

they dont trust C, so wont I.


37/49

A: Do you trust B?

C: I never do.

D: I am not sure.

B: I do.

E: I do.

F: I am not sure.

A:

I dont care what B says.

I dont trust C,

but I trust D, E, and F. Together,

they trust B a little, so will I.


38/49

A: I trust B and D,

both say Bob ishome

A:

Increase trust in D.A:

Decrease trust in C.

A:

Increase trust in B.

A:

Bob is home!


39/49


Distributed Belief Model

Initial Trust Function

Positive, negative, undecided

Trust Learning Function Blindly +, Blindly -, F+/S-, S+/F-, F+/F-, S+/S-, Exp

Trust Weighting Function

Multiplication, cosine

Accuracy Merging Function

Max, min, average


40/49

experiments

Primary goal of distributed belief

Improve query processing accuracy by using trusted sources and trusted data

Problems

Not all sources and data are correct/accurate/reliable

No centralized party that could verify peer reliability or reliability of its data

Need to depend on other peers

No common sense

Person can evaluate a web site based on how it looks, a computer cannot

Solution

Evaluate integrity of peers and data based on peer distributed belief

Detect which peer and what data is accurate

Detect malicious peers

Incentive model: if A is malicious, it will be excluded from the network


41/49

experiments

Devices

Reliable (Share reliable data only) Malicious (Try to share unreliable data as reliable)

Ignorant (Have unreliable data but believe they are reliable)

Uncooperative (Have reliable data, will not share)

Model Device sends a query to multiple peers

Ask its vicinity for reputation of untrusted peers that responded to the query

Trust a device only if trusted before or if enough of trusted peers trust it

Use answers from (recommended to be) trusted peers to determine answer

Update reputation/trust level for all devices that responded A trust level increases for devices that responded according to final answer

A trust level decreases for devices that responded in a conflicting way


42/49

experimental environment

HOW:

Mogatu and GloMoSim

Spatio-temporal environment:

150 x 150 m2field

50 nodes Random way-point mobility

AODV

Cache to hold 50% of global knowledge

Trust-based LRU

50 minute eachsimulation run 800 questions-tuples

Each device 100 random unique questions

Each device 100 random unique answers not matching its questions

Each device initially trusts 3-5 other devices


43/49

experimental environment (2)

Level of Dishonesty

0100% Dishonest device

Never provides an honest answer

Honest device

Best effort

Initial Trust Function

Positive, negative, undecided

Trust Learning Function

Blindly +, Blindly -, F+/S-, S+/F-, F+/F-, S+/S-, Exp

Trust Weighting Function

Multiplication, cosine

Accuracy Merging Function

Max, min, avg Trust and Distrust Convergence

How soon are dishonest devices detected


44/49

results

Answer Accuracy vs. Trust Learning Functions

Answer Accuracy vs. Accuracy Merging Functions

Distrust Convergence vs. Dishonesty Level


45/49

Answer Accuracy vs. Trust Learning Functions

The effects of trust learning functions with an initial optimistictrust for

environments with varying level of dishonesty. The results are shown for ++, --, s, f, f+, f-, and explearning

functions.


46/49

Answer Accuracy vs. Trust Learning Functions (2)

The effects of trust learning functions with an initial pessimistictrust for

environments with varying level of dishonesty. The results are shown for ++, --, s, f, f+, f-, and explearning

functions.


47/49

Answer Accuracy vs. Accuracy Merging Functions

The effects of accuracy merging functions for environments with varying

level of dishonesty. The results are shown for (a) MIN using only-one(OO) final answer approach

(b) MIN using {\it highest-one} (HO) final answer approach

(c) MAX + OO, (d) MAX + HO, (e) AVG + OO, and (f) AVG + HO.


48/49

Distrust Convergence vs. Dishonesty Level

Average distrust convergence period in seconds for environments with

varying level of dishonesty. The results are shown for ++, --, s, and ftrust learning functions with

an initial optimal trust strategy and for the same functions using an

undecided initial trust strategy for results (e-h), respectively.

htt // bi it b d /


49/49

http://ebiquity.umbc.edu/

trust in pervasive computing

Documents