Towards a Dynamic and Composite Model of Trust

During their everyday decision making, humans consider the interplay between two types of trust: vertical trust and horizontal trust. Vertical trust captures the trust relationships that exist between individuals and institutions, while horizontal trust represents the trust that can be inferred from the observations and opinions of others. Although researchers are actively exploring both vertical and horizontal trust within the context of distributed computing (e.g., credential-based trust and reputation-based trust, respectively), the specification and enforcement of composite trust management policies involving the flexible composition of both types of trust metrics is currently an unexplored area. In this paper, we take the first steps towards developing a comprehensive approach to composite trust management for distributed systems. In particular, we conduct a use case analysis to uncover the functional requirements that must be met by composite trust management policy languages. We then present the design and semantics of CTM: a flexible policy language that allows arbitrary composition of horizontal and vertical trust metrics. After showing that CTM embodies each of the requirements discovered during our use case analysis, we demonstrate that CTM can be used to specify a wide range of interesting composite trust management policies, and comment on several systems challenges that arise during the composite trust management process.
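As an added illustration (not the paper's CTM syntax or code), the toy evaluator below shows one way a vertical metric (an attribute credential from a trusted issuer) and a horizontal metric (peer ratings) can be composed into a single policy, including gating the reputation computation itself by the credential check; all issuers, principals and scores are constructed.

```python
"""Toy composite trust evaluator (added example; not the paper's CTM language).
Vertical metric: a credential counts only if its issuer is one the policy trusts.
Horizontal metric: peer ratings, optionally restricted to admissible raters.
All issuers, principals and scores below are constructed for illustration."""
from dataclasses import dataclass
from statistics import fmean
from typing import Callable

@dataclass(frozen=True)
class Credential:
    issuer: str     # institution vouching for the subject (vertical trust)
    subject: str
    attribute: str

@dataclass(frozen=True)
class Rating:
    rater: str      # peer stating an opinion about the subject (horizontal trust)
    subject: str
    score: float    # 0.0 = distrust .. 1.0 = full trust

TRUSTED_ISSUERS = {"StandardsBody"}            # constructed trust anchor
CREDENTIALS = [Credential("StandardsBody", "alice", "certified"),
               Credential("StandardsBody", "bob", "certified"),
               Credential("StandardsBody", "carol", "certified"),
               Credential("UnknownIssuer", "dave", "certified")]  # issuer not trusted
RATINGS = [Rating("bob", "alice", 0.9), Rating("carol", "alice", 0.8),
           Rating("eve", "alice", 0.1),   # eve holds no trusted credential
           Rating("bob", "dave", 0.9), Rating("carol", "dave", 0.9)]

def holds_credential(subject: str, attribute: str) -> bool:
    """Vertical metric: subject holds `attribute` issued by a trusted institution."""
    return any(c.subject == subject and c.attribute == attribute
               and c.issuer in TRUSTED_ISSUERS for c in CREDENTIALS)

def reputation(subject: str, admissible: Callable[[str], bool] = lambda r: True) -> float:
    """Horizontal metric: mean score from raters passing `admissible`; 0.0 if none."""
    scores = [r.score for r in RATINGS if r.subject == subject and admissible(r.rater)]
    return fmean(scores) if scores else 0.0

def is_certified(principal: str) -> bool:
    return holds_credential(principal, "certified")

def composite_decision(subject: str, threshold: float = 0.7) -> bool:
    """Composite policy: subject is certified AND its reputation >= threshold, where
    the reputation is computed only from opinions of certified peers (the horizontal
    metric is gated by the vertical one rather than merely ANDed with it)."""
    return is_certified(subject) and reputation(subject, is_certified) >= threshold

if __name__ == "__main__":
    for who in ("alice", "dave"):
        print(who, "naive reputation:", round(reputation(who), 2),
              "certified-peer reputation:", round(reputation(who, is_certified), 2),
              "decision:", composite_decision(who))
```

Run stand-alone, alice is admitted only because the uncredentialed rater is excluded from her reputation (the naive average would fall below the threshold), while dave is rejected on the vertical check despite high peer ratings.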
