A First-Order Policy Language for History-Based Transaction Monitoring

Online trading invariably involves dealings between strangers, so it is important for one party to be able to judge objectively the trustworthiness of the other. In such a setting, the decision to trust a user may sensibly be based on that user's past behaviour. We introduce a specification language based on linear temporal logic for expressing a policy for categorising the behaviour patterns of a user depending on its transaction history. We also present an algorithm for checking whether the transaction history obeys the stated policy. To be useful in a real setting, such a language should allow one to express realistic policies which may involve parameter quantification and quantitative or statistical patterns. We introduce several extensions of linear temporal logic to cater for such needs: a restricted form of universal and existential quantification; arbitrary computable functions and relations in the term language; and a "counting" quantifier for counting how many times a formula holds in the past. We then show that model checking a transaction history against a policy, which we call the history-based transaction monitoring problem, is PSPACE-complete in the size of the policy formula and the length of the history, assuming that the underlying interpreted functions and relations are polynomially computable. The problem becomes decidable in polynomial time when the policies are fixed. We also consider the problem of transaction monitoring in the case where not all the parameters of actions are observable. We formulate two such "partial observability" monitoring problems, and show their decidability under certain restrictions.
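As an added illustration (not the paper's language or algorithm), the sketch below evaluates a past-time policy with a counting operator and a quantifier restricted to values seen in the history. The tuple syntax, the operator names, the event fields and the sample policy are all assumptions made for this example.

```python
# Added illustration: the tuple syntax and operator names are assumptions,
# not the paper's language or its model-checking algorithm.
def holds(f, hist, i, env=None):
    """True if formula f holds at position i of hist under bindings env."""
    env = env or {}
    op = f[0]
    if op == "atom":      # ("atom", predicate(event, env))
        return bool(f[1](hist[i], env))
    if op == "not":
        return not holds(f[1], hist, i, env)
    if op == "and":
        return all(holds(g, hist, i, env) for g in f[1:])
    if op == "once":      # held at some position j <= i
        return any(holds(f[1], hist, j, env) for j in range(i + 1))
    if op == "always":    # held at every position j <= i
        return all(holds(f[1], hist, j, env) for j in range(i + 1))
    if op == "count":     # ("count", g, relation on the number of hits)
        return bool(f[2](sum(holds(f[1], hist, j, env) for j in range(i + 1))))
    if op == "exists":    # ("exists", var, field, g)
        # Restricted quantification: var ranges only over values of `field`
        # that actually occur in the history up to position i.
        _, var, field, g = f
        seen = {e[field] for e in hist[: i + 1] if field in e}
        return any(holds(g, hist, i, {**env, var: v}) for v in seen)
    raise ValueError(f"unknown operator: {op!r}")

def complies(policy, hist):
    """Evaluate the policy at the latest event; an empty history passes."""
    return holds(policy, hist, len(hist) - 1) if hist else True

late = ("atom", lambda e, env: e["type"] == "pay" and e["late"])
disputed_by_x = ("atom", lambda e, env: e["type"] == "dispute" and e["buyer"] == env["x"])
# Policy: at most one late payment so far, and no single buyer has raised
# two or more disputes.
POLICY = ("and",
          ("count", late, lambda n: n <= 1),
          ("not", ("exists", "x", "buyer", ("count", disputed_by_x, lambda n: n >= 2))))

# Constructed sample histories (not data from the paper).
GOOD = [
    {"type": "pay", "buyer": "b1", "late": False},
    {"type": "dispute", "buyer": "b1"},
    {"type": "pay", "buyer": "b2", "late": True},
    {"type": "dispute", "buyer": "b2"},
]
BAD = GOOD + [{"type": "dispute", "buyer": "b1"}]

if __name__ == "__main__":
    print(complies(POLICY, GOOD), complies(POLICY, BAD))
```

For a fixed policy, each operator here re-scans at most the whole history prefix, so this naive evaluation stays polynomial in the history length.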