ABSTRACT
During their everyday decision making, humans consider the interplay between two types of trust: vertical trust and horizontal trust. Vertical trust captures the trust relationships that exist between individuals and institutions, while horizontal trust represents the trust that can be inferred from the observations and opinions of others. Although researchers are actively exploring both vertical and horizontal trust within the context of distributed computing (e.g., credential-based trust and reputation-based trust, respectively), the specification and enforcement of composite trust management policies involving the flexible composition of both types of trust metrics is currently an unexplored area.
In this paper, we take the first steps towards developing a comprehensive approach to composite trust management for distributed systems. In particular, we conduct a use case analysis to uncover the functional requirements that must be met by composite trust management policy languages. We then present the design and semantics of CTM: a flexible policy language that allows arbitrary composition of horizontal and vertical trust metrics. After showing that CTM embodies each of the requirements discovered during our use case analysis, we demonstrate that CTM can be used to specify a wide range of interesting composite trust management policies, and comment on several systems challenges that arise during the composite trust management process.