Trust based risk management for distributed system security - a new approach

Security measures alone are not sufficient for counteracting malicious behaviours in distributed systems. The new trend is to use economic models (mainly game-theoretic models) to characterize such malicious behaviours in the security context, with the aim of mitigating the risk they introduce. However, there is a general lack of integration between risk and security, and this hinders the effectiveness of the existing economic models when they are applied in the security context of distributed systems. Recently, utility has become an important consideration for information security. We show that the decisions made by security mechanisms, such as the authorization decisions in a distributed system, can have a direct impact on the utility of the underlying system. However, there is little work on utility maximization in the design of secure distributed systems. To address this gap, we present in this paper a new approach that integrates risk management into security with the help of a trust model. Furthermore, we show that the proposed trust-based security model with risk management can be applied to maximize the utility of the underlying distributed system. The new model possesses a unique feature: the ability to use trust evaluation not only to "weed out" malicious entities, but also to allocate appropriate access permissions to benevolent entities according to risk levels. Using a mobile agent system as an example, we study the properties of the proposed model through simulation and present experimental results that confirm the new feature of the proposal.
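The abstract describes the model only at a high level, so the following is an added illustration of the idea it states (trust evaluation feeding risk-tiered authorization decisions that maximize expected utility); it is not the paper's model, formulas or experiment. The trust metric (Laplace-smoothed success fraction read as the probability of honest behaviour), the permission table with its benefit and loss values, the agent histories and the names are all constructed assumptions for the example. The risk level of a permission is derived as the trust value at which granting it stops having negative expected utility, so a low-trust agent is denied everything while partially trusted agents receive a graded subset of permissions.

```python
"""Added example, not the paper's model: trust-based, risk-aware authorization
whose grant decisions maximise expected utility. All names, formulas and
numbers here are constructed assumptions for illustration."""
from dataclasses import dataclass


@dataclass
class Agent:
    """A mobile agent (or its principal) as seen by a host, with its history."""
    name: str
    good: int = 0   # past interactions that ended well
    bad: int = 0    # past interactions that caused harm

    def trust(self) -> float:
        # Assumed trust metric: Laplace-smoothed fraction of good outcomes,
        # interpreted as the probability that the next request is honest.
        return (self.good + 1) / (self.good + self.bad + 2)

    def record(self, honest: bool) -> None:
        """Update the history after observing the outcome of an interaction."""
        if honest:
            self.good += 1
        else:
            self.bad += 1


# Constructed permission table: name -> (benefit if used honestly, loss if abused)
PERMISSIONS = {
    "read_public":  (4.0, 1.0),
    "read_private": (3.0, 6.0),
    "execute":      (5.0, 20.0),
}


def risk_level(permission: str) -> float:
    """Minimum trust at which granting has non-negative expected utility."""
    benefit, loss = PERMISSIONS[permission]
    return loss / (benefit + loss)


def expected_utility(agent: Agent, permission: str) -> float:
    """Expected gain to the host from granting one permission to one agent."""
    benefit, loss = PERMISSIONS[permission]
    p = agent.trust()
    return p * benefit - (1 - p) * loss


def trust_based_grant(agent: Agent, permission: str) -> bool:
    """Risk-aware policy: higher-risk permissions require higher trust."""
    return agent.trust() >= risk_level(permission)


def grant_all(agent: Agent, permission: str) -> bool:
    """Baseline policy with no trust evaluation at all."""
    return True


def allocate(agents, policy) -> dict:
    """Permissions each agent receives under the given policy."""
    return {a.name: [perm for perm in PERMISSIONS if policy(a, perm)] for a in agents}


def system_utility(agents, policy) -> float:
    """Total expected utility of the host under the given policy."""
    return sum(expected_utility(a, perm)
               for a in agents for perm in PERMISSIONS if policy(a, perm))


# Constructed sample histories (trust: 0.95, 0.70, 0.25, 0.083)
SAMPLE_AGENTS = [
    Agent("alice", good=18, bad=0),
    Agent("bob", good=6, bad=2),
    Agent("carol", good=2, bad=8),
    Agent("mallory", good=0, bad=10),
]

if __name__ == "__main__":
    for name, perms in allocate(SAMPLE_AGENTS, trust_based_grant).items():
        print(f"{name:8s} -> {perms}")
    print("trust-based utility:", round(system_utility(SAMPLE_AGENTS, trust_based_grant), 2))
    print("grant-all   utility:", round(system_utility(SAMPLE_AGENTS, grant_all), 2))
```

Running it shows the two effects the abstract names: `mallory` is weeded out entirely, while `bob` and `carol` receive only the permissions whose risk level their trust covers, and the trust-based policy's total expected utility is positive where the grant-all baseline's is strongly negative. In a real deployment the benefit and loss figures would come from the host's own asset valuation, and the trust metric would be replaced by whatever evidence model the system uses.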
