Towards a dynamic and composable model of trust

During their everyday decision making, humans consider the interplay between two types of trust: vertical trust and horizontal trust. Vertical trust captures the trust relationships that exist between individuals and institutions, while horizontal trust represents the trust that can be inferred from the observations and opinions of others. Although researchers are actively exploring both vertical and horizontal trust within the context of distributed computing (e.g., credential-based trust and reputation-based trust, respectively), the specification and enforcement of composite trust management policies involving the flexible composition of both types of trust metrics is currently an unexplored area. In this paper, we take the first steps towards developing a comprehensive approach to composite trust management for distributed systems. In particular, we conduct a use case analysis to uncover the functional requirements that must be met by composite trust management policy languages. We then present the design and semantics of CTM: a flexible policy language that allows arbitrary composition of horizontal and vertical trust metrics. After showing that CTM embodies each of the requirements discovered during our use case analysis, we demonstrate that CTM can be used to specify a wide range of interesting composite trust management policies, and comment on several systems challenges that arise during the composite trust management process.

[1]  N. Shahmehri,et al.  An Integration of Reputation-based and Policy-based Trust Management , 2005 .

[2]  Barbara Carminati,et al.  Combining Social Networks and Semantic Web Technologies for Personalizing Web Access , 2008, CollaborateCom.

[3]  Ernesto Damiani,et al.  A reputation-based approach for choosing reliable resources in peer-to-peer networks , 2002, CCS '02.

[4]  Audun Jøsang,et al.  A survey of trust and reputation systems for online service provision , 2007, Decis. Support Syst..

[5]  Geoffrey Green,et al.  Social Capital, Community Trust, and E-government Services , 2003, iTrust.

[6]  Marianne Winslett,et al.  Requirements for policy languages for trust negotiation , 2002, Proceedings Third International Workshop on Policies for Distributed Systems and Networks.

[7]  Elisa Bertino,et al.  Trust-X: A Peer-to-Peer Framework for Trust Establishment , 2004, IEEE Trans. Knowl. Data Eng..

[8]  Barbara Carminati,et al.  A Decentralized Security Framework for Web-Based Social Networks , 2008, Int. J. Inf. Secur. Priv..

[9]  Barbara Carminati,et al.  Enforcing access control in Web-based social networks , 2009, TSEC.

[10]  Sushil Jajodia,et al.  A propositional policy algebra for access control , 2003, TSEC.

[11]  Cédric Tabin,et al.  Liberty Alliance Project , 2007 .

[12]  Naji Habra,et al.  Distributed audit trail analysis , 1995, Proceedings of the Symposium on Network and Distributed System Security.

[13]  Ninghui Li,et al.  Beyond proof-of-compliance: security analysis in trust management , 2005, JACM.

[14]  Cristina Nita-Rotaru,et al.  A survey of attack and defense techniques for reputation systems , 2009, CSUR.

[15]  Mikhail J. Atallah,et al.  Attribute-Based Access Control with Hidden Policies and Hidden Credentials , 2006, IEEE Transactions on Computers.

[16]  Lujo Bauer,et al.  Distributed proving in access-control systems , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[17]  Marianne Winslett,et al.  Towards an efficient and language-agnostic compliance checker for trust negotiation systems , 2008, ASIACCS '08.

[18]  Trevor Jim,et al.  SD3: a trust management system with certified evaluation , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[19]  Stefan Axelsson,et al.  Intrusion Detection Systems: A Survey and Taxonomy , 2002 .

[20]  Bharat K. Bhargava,et al.  Authorization Based on Evidence and Trust , 2002, DaWaK.

[21]  Ernesto Damiani,et al.  Choosing reputable servents in a P2P network , 2002, WWW.

[22]  Joachim Biskup,et al.  A Hybrid PKI Model: Application to Secure Mediation , 2002, DBSec.

[23]  Joan Feigenbaum,et al.  Decentralized trust management , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[24]  Sebastian Ryszard Kruk,et al.  D-FOAF: Distributed Identity Management with Access Rights Delegation , 2006, ASWC.

[25]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[26]  Peter Sewell,et al.  Cassandra: distributed access control policies with tunable expressiveness , 2004, Proceedings. Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, 2004. POLICY 2004..

[27]  Joan Feigenbaum,et al.  Compliance Checking in the PolicyMaker Trust Management System , 1998, Financial Cryptography.

[28]  Hector Garcia-Molina,et al.  EigenRep: Reputation Management in P2P Networks , 2003 .

[29]  Ninghui Li,et al.  Distributed Credential Chain Discovery in Trust Management , 2003, J. Comput. Secur..

[30]  Ling Liu,et al.  A reputation-based trust model for peer-to-peer ecommerce communities , 2003, EC.

[31]  K.E. Seamons,et al.  Automated trust negotiation , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[32]  Hector Garcia-Molina,et al.  The Eigentrust algorithm for reputation management in P2P networks , 2003, WWW '03.

[33]  Sushil Jajodia,et al.  A logic-based framework for attribute based access control , 2004, FMSE '04.

[34]  Ninghui Li,et al.  RT: a Role-based Trust-management framework , 2003, Proceedings DARPA Information Survivability Conference and Exposition.