Trust Establishment Mechanisms for Distributed Service Environments

The aim and motivation of this dissertation can be best described in one of the most important application fields, the cloud computing. It has changed entire business model of service-oriented computing environments in the last decade. Cloud computing enables information technology related services in a more dynamic and scalable way than before – more cost-effective than before due to the economy of scale and of sharing resources. These opportunities are too attractive for consumers to ignore in today’s highly competitive service environments. The way to realise these opportunities, however, is not free of obstacles. Services offered in cloud computing environments are often composed of multiple service components, which are hosted in distributed systems across the globe and managed by multiple parties. Potential consumers often feel that they lose the control over their data, due to the lack of transparent service specification and unclear security assurances in such environments. These issues encountered by the consumers boiled down to an unwillingness to depend on the service providers regarding the services they offer in the marketplaces. Therefore, consumers have to be put in a position where they can reliably assess the dependability of a service provider. At the same time, service providers have to be able to truthfully present the service-specific security capabilities. If both of these objectives can be achieved, consumers have a basis to make well-founded decisions about whether or not to depend on a particular service provider out of many alternatives. In this thesis, computational trust mechanisms are leveraged to assess the capabilities and evaluate the dependability of service providers. These mechanisms, in the end, potentially support consumers to establish trust on service providers in distributed service environments, e.g., cloud computing. In such environments, acceptable quality of the services can be maintained if the providers possess required capabilities regarding different service-specific attributes, e.g., security, performance, compliance. As services in these environments are often composed of multiple services, subsystems and components, evaluating trustworthiness of the service providers based on the service-specific attributes is non-trivial. In this vein, novel mechanisms are proposed for assessing and evaluating the trustworthiness of service providers considering the trustworthiness of composite services. The scientific contributions towards those novel mechanisms are summarised as follows: • Firstly, we introduce a list of service-specific attributes, QoS+ [HRM10, HHRM12], based on a systematic and comprehensive analysis of existing literatures in the field of cloud computing security and trust. • Secondly, a formal framework [SVRH11, RHMV11a, RHMV11b] is proposed to analyse the composite services along with their required service-specific attributes considering consumer requirements and represent them in simplified meaningful terms, i.e., Propositional Logic Terms (PLTs). • Thirdly, a novel trust evaluation framework CertainLogic [RHMV11a, RHMV11b, HRHM12a, HRHM12b] is proposed to evaluate the PLTs, i.e., capabilities of service providers. The framework provides computational operators to evaluate the PLTs, considering that uncertain and conflicting information are associated with each of the PLTs and those information can be derived from multiple sources. • Finally, harnessing these technical building blocks we present a novel trust management architecture [HRM11] for cloud computing marketplaces. The architecture is designed to support consumers in assessing and evaluating the trustworthiness of service providers based on the published information about their services. The novel contributions of this thesis are evaluated using proof-of-concept-system, prototype implementations and formal proofs. The proof-of-concept-system [HRMV13, HVM13a, HVM13b] is a realisation of the proposed architecture for trust management in cloud marketplaces. The realisation of the system is implemented based on a self-assessment framework, proposed by the Cloud Security Alliance, where the formal framework and computational operators of CertainLogic are applied. The realisation of the system enables consumers to evaluate the trustworthiness of service providers based on their published datasets in the CSA STAR. A number of experiments are conducted in different cloud computing scenarios leveraging the datasets in order to demonstrate the technical feasibility of the contributions made in this thesis. Additionally, the prototype implementations of CertainLogic framework provide means to demonstrate the characteristics of the computational operators by means of various examples. The formal framework as well as computational operators of CertainLogic are validated against desirable mathematical properties, which are supported by formal algebraic proofs.

[1]  Morris Sloman,et al.  A survey of trust in internet applications , 2000, IEEE Communications Surveys & Tutorials.

[2]  Max Mühlhäuser,et al.  CertainLogic: A Logic for Modeling Trust and Uncertainty - (Short Paper) , 2011, TRUST.

[3]  Morris Sloman,et al.  Trust Management Tools for Internet Applications , 2003, iTrust.

[4]  Vijay Varadharajan,et al.  A Hybrid Trust Model for Authorisation Using Trusted Platforms , 2011, 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications.

[5]  Nicholas R. Jennings,et al.  An integrated trust and reputation model for open multi-agent systems , 2006, Autonomous Agents and Multi-Agent Systems.

[6]  Joobin Choobineh,et al.  Trust in electronic commerce: definition and theoretical considerations , 1998, Proceedings of the Thirty-First Hawaii International Conference on System Sciences.

[7]  Julita Vassileva,et al.  Bayesian network-based trust model , 2003, Proceedings IEEE/WIC International Conference on Web Intelligence (WI 2003).

[8]  Yao Wang,et al.  Toward Trust and Reputation Based Web Service Selection : A Survey , 2007 .

[9]  Robin Cohen,et al.  Smart cheaters do prosper: defeating trust and reputation systems , 2009, AAMAS.

[10]  A. Jøsang TRUST-BASED DECISION MAKING FOR ELECTRONIC TRANSACTIONS , 1999 .

[11]  Masoud Saeedi,et al.  Trust and Confidence in E-Commerce , 2002 .

[12]  Benoit Hudzia,et al.  Future Generation Computer Systems Optimis: a Holistic Approach to Cloud Service Provisioning , 2022 .

[13]  S. Buchegger,et al.  A Robust Reputation System for Peer-to-Peer and Mobile Ad-hoc Networks , 2004 .

[14]  Max Mühlhäuser,et al.  A Trust-Aware Framework for Evaluating Security Controls of Service Providers in Cloud Marketplaces , 2013, 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications.

[15]  Mani B. Srivastava,et al.  Reputation-based framework for high integrity sensor networks , 2008, TOSN.

[16]  Jan Vitek,et al.  Secure Internet Programming: Security Issues for Mobile and Distributed Objects , 1999 .

[17]  Julita Vassileva,et al.  A Review on Trust and Reputation for Web Service Selection , 2007, 27th International Conference on Distributed Computing Systems Workshops (ICDCSW'07).

[18]  Muttukrishnan Rajarajan,et al.  Trust Model for Optimized Cloud Services , 2012, IFIPTM.

[19]  Jennifer Golbeck,et al.  Computing and Applying Trust in Web-based Social Networks , 2005 .

[20]  Sarvapali D. Ramchurn,et al.  Trust in multi-agent systems , 2004, The Knowledge Engineering Review.

[21]  Gleb Beliakov,et al.  Aggregation Functions: A Guide for Practitioners , 2007, Studies in Fuzziness and Soft Computing.

[22]  Ahmad-Reza Sadeghi,et al.  Property-based attestation for computing platforms: caring about properties, not mechanisms , 2004, NSPW '04.

[23]  Munindar P. Singh,et al.  Trustworthy Service Selection and Composition , 2011, TAAS.

[24]  Jie Wu,et al.  Reputation and Trust-based Systems for Ad Hoc and Sensor Networks , 2006 .

[25]  N. L. Chervany,et al.  THE MEANINGS OF TRUST , 2000 .

[26]  Munindar P. Singh,et al.  Service-Oriented Computing: Key Concepts and Principles , 2005, IEEE Internet Comput..

[27]  W. M. Bolstad Introduction to Bayesian Statistics , 2004 .

[28]  Jennifer Widom,et al.  SimRank: a measure of structural-context similarity , 2002, KDD.

[29]  Joan Feigenbaum,et al.  KeyNote: Trust Management for Public-Key Infrastructures (Position Paper) , 1998, Security Protocols Workshop.

[30]  Daniel Schreiber,et al.  Evaluating User Representations for the Trustworthiness of Interaction Partners , 2008 .

[31]  Wenchang Shi,et al.  Using new fusion operations to improve trust expressiveness of subjective logic , 2011, Wuhan University Journal of Natural Sciences.

[32]  Jun-Jang Jeng,et al.  CCMarketplace: a marketplace model for a hybrid cloud , 2010, CASCON.

[33]  Jordi Sabater-Mir,et al.  Social ReGreT, a reputation model based on social relations , 2001, SECO.

[34]  Joan Feigenbaum,et al.  REFEREE: Trust Management for Web Applications , 1997, Comput. Networks.

[35]  L. A. Zadeh,et al.  Fuzzy logic and approximate reasoning , 1975, Synthese.

[36]  Audun Jøsang Probabilistic Logic under Uncertainty , 2007, CATS.

[37]  Nicholas R. Jennings,et al.  TRAVOS: Trust and Reputation in the Context of Inaccurate Information Sources , 2006, Autonomous Agents and Multi-Agent Systems.

[38]  Audun Jøsang,et al.  A Logic for Uncertain Probabilities , 2001, Int. J. Uncertain. Fuzziness Knowl. Based Syst..

[39]  Randy H. Katz,et al.  Above the Clouds: A Berkeley View of Cloud Computing , 2009 .

[40]  A. Jøsang,et al.  Challenges for Robust Trust and Reputation Systems , 2009 .

[41]  F. John Krautheim,et al.  Private Virtual Infrastructure for Cloud Computing , 2009, HotCloud.

[42]  Erich Schikuta,et al.  SLA Validation in Layered Cloud Infrastructures , 2010, GECON.

[43]  H. Nissenbaum Can Trust be Secured Online? A theoretical perspective , 1999 .

[44]  Joan Feigenbaum,et al.  Decentralized trust management , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[45]  Sebastian Ries,et al.  Analyzing the Robustness of CertainTrust , 2008, IFIPTM.

[46]  Sebastian Ries,et al.  Trust in ubiquitous computing , 2009 .

[47]  Khaled M. Khan,et al.  Establishing Trust in Cloud Computing , 2010, IT Professional.

[48]  Audun Jøsang,et al.  A survey of trust and reputation systems for online service provision , 2007, Decis. Support Syst..

[49]  Audun Jøsang,et al.  Multiplication and comultiplication of beliefs , 2005, Int. J. Approx. Reason..

[50]  Claudia Keser,et al.  Can We Manage Trust? , 2005, iTrust.

[51]  Max Mühlhäuser,et al.  Fusion of Opinions under Uncertainty and Conflict -- Application to Trust Assessment for Cloud Marketplaces , 2012, 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications.

[52]  Vijay Varadharajan,et al.  Dynamic trust enhanced security model for trusted platform based services , 2011, Future Gener. Comput. Syst..

[53]  Max Mühlhäuser,et al.  Towards a Trust Management System for Cloud Computing , 2011, 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications.

[54]  J. Sabater-Mir,et al.  Trust and reputation for agent societies , 2002 .

[55]  Max Mühlhäuser,et al.  Fusion of Opinions under Uncertainty and Conflict -- Trust Assessment for Cloud Marketplaces (Full version) , 2012 .

[56]  Tyrone Grandison,et al.  Conceptions of Trust: Definition, Constructs, and Models , 2007 .

[57]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[58]  Sebastian Ries,et al.  Extending Bayesian trust models regarding context-dependence and user friendly representation , 2009, SAC '09.

[59]  Glenn Shafer,et al.  A Mathematical Theory of Evidence , 2020, A Mathematical Theory of Evidence.

[60]  Diego Gambetta Can We Trust Trust , 2000 .

[61]  Eric R. Verheul,et al.  Constructions and Properties of k out of n Visual Secret Sharing Schemes , 1997, Des. Codes Cryptogr..

[62]  Hans Ulrich Simon,et al.  Contrast-optimal k out of n secret sharing schemes in visual cryptography , 1997, Theor. Comput. Sci..

[63]  Jemal H. Abawajy,et al.  Determining Service Trustworthiness in Intercloud Computing Environments , 2009, 2009 10th International Symposium on Pervasive Systems, Algorithms, and Networks.

[64]  Bin Li,et al.  Towards Application-Specific Service Level Agreements: Experiments in Clouds and Grids , 2010, Cloud Computing.

[65]  Hector Garcia-Molina,et al.  The Eigentrust algorithm for reputation management in P2P networks , 2003, WWW '03.

[66]  Amir Herzberg,et al.  Access control meets public key infrastructure, or: assigning roles to strangers , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[67]  Audun Jøsang,et al.  Simulating the Effect of Reputation Systems on E-markets , 2003, iTrust.

[68]  Nicholas R. Jennings,et al.  FIRE: An Integrated Trust and Reputation Model for Open Multi-Agent Systems , 2004, ECAI.

[69]  Audun Jøsang,et al.  Fission of opinions in subjective logic , 2009, 2009 12th International Conference on Information Fusion.

[70]  M. Schunter,et al.  Property Attestation — Scalable and Privacy-friendly Security Assessment of Peer Computers , 2004 .

[71]  Audun Jøsang,et al.  Exploring Different Types of Trust Propagation , 2006, iTrust.

[72]  Erwin Aitenbichler,et al.  Limiting Sybil Attacks on Bayesian Trust Models in Open SOA Environments , 2009, 2009 Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing.

[73]  Max Mühlhäuser,et al.  A framework for evaluating trust of service providers in cloud marketplaces , 2013, SAC '13.

[74]  Munindar P. Singh,et al.  Operators for propagating trust and their evaluation in social networks , 2009, AAMAS.

[75]  Audun Jøsang,et al.  AIS Electronic Library (AISeL) , 2017 .

[76]  Svein J. Knapskog,et al.  Trust transferability among similar contexts , 2008, Q2SWinet '08.

[77]  E. Chang,et al.  Trust and Reputation for Service-Oriented Environments: Technologies For Building Business Intelligence And Consumer Confidence , 2006 .

[78]  张莉,et al.  A Cloud-Based Trust Model for Evaluating Quality of Web Services , 2010 .

[79]  A. Jøsang,et al.  Filtering Out Unfair Ratings in Bayesian Reputation Systems , 2004 .

[80]  Max Mühlhäuser,et al.  Integrating Indicators of Trustworthiness into Reputation-Based Trust Models - Insurance, Certification, and Coalitions , 2012, IFIPTM.

[81]  Yolanda Gil,et al.  A survey of trust in computer science and the Semantic Web , 2007, J. Web Semant..

[82]  Reijo Savola,et al.  Trust and Cloud Services - An Interview Study , 2010, 2010 IEEE Second International Conference on Cloud Computing Technology and Science.

[83]  Max Mühlhäuser,et al.  Cloud Computing Landscape and Research Challenges Regarding Trust and Reputation , 2010, 2010 7th International Conference on Ubiquitous Intelligence & Computing and 7th International Conference on Autonomic & Trusted Computing.

[84]  Peter Szolovits,et al.  Ratings in Distributed Systems: A Bayesian Approach , 2002 .

[85]  Ahmad-Reza Sadeghi,et al.  Property-Based TPM Virtualization , 2008, ISC.

[86]  Jordi Sabater-Mir,et al.  Reputation and social network analysis in multi-agent systems , 2002, AAMAS '02.

[87]  Trent Jaeger,et al.  Seeding clouds with trust anchors , 2010, CCSW '10.

[88]  Max Mühlhäuser,et al.  Trust as a facilitator in cloud computing: a survey , 2012, Journal of Cloud Computing: Advances, Systems and Applications.

[89]  E. Chang,et al.  Human system interaction with confident computing. The mega trend , 2008, 2008 Conference on Human System Interactions.

[90]  Max Mühlhäuser,et al.  Towards a trust management system for cloud computing marketplaces: using CAIQ as a trust information source , 2014, Secur. Commun. Networks.

[91]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[92]  Melanie Volkamer,et al.  A formal approach towards measuring trust in distributed systems , 2011, SAC.