This paper explores trustworthiness in dynamic and heterogeneous environments, focusing on information gathering, penalties, and the need for decentralized trust management. It also discusses direct and indirect attacks, as well as the aims and methods of malicious agents and communities.
Threat Scenarios and Trust Dynamics in Reputation Enabled Systems
Alfarez Abdul Rahman, Stephen Hailes and Mohamed Ahmed
8th of June 2004
Ubicomp Security
Environmental characteristics:
• Underlying systems are highly dynamic and mobile
• There is massive heterogeneity in the components and services available
• Components have a limited view of the global environment
• Principals have conflicting beliefs, desires and intentions
• There are no geographical boundaries and organisational boundaries are fuzzy
Determine the trustworthiness of individuals in such environments:
• What information can be used to determine this? And how can it be used?
• Where should this information be gathered from?
• What penalties can be in place to support acting on trusting intentions?
Motivation
• No well defined threat models for decentralised trust management
• No well defined scope for decentralised trust management
• To move away from ad-hoc models and enable direct comparison on trust/reputation evaluation mechanism
• Most models assume malicious agents with fixed and simple strategies
• and finally ... Credibility
Aim
• Trust management: Situate decision making in the local context of interaction, based on information a resource can gather, the risks it faces, the potential threat posed by a trustee and the local policies of interaction
• Translation:
  • Share information to assess the likely behaviour of agents
  • Minimise the impact of subversion by segregating malicious agents
Scope
• Environment:
  • Decentralised
  • Temporal
  • Locally persistent identities
• Subjects:
  • An individual benign agent
  • A community of benign agents
  • A malicious agent
  • A community of malicious agents
Threat model*
*This model ignores the nuisance agent
Direct Attack: Benign agent
• Aim:
  • Convince the target that the attacker is trustworthy
• Method: Embellish the attacker's reputation
  • Act cooperatively for N cycles,
  • Defect against the target at cycle N+1
• Result:
  • Target is exploited
Indirect Attack: Benign agent
• Aim:
  • Convince the target’s embedded social network that it is uncooperative.
• Result: Destructive
  • Isolate the target from the community thereby denying them or reducing the quality of the service they receive
Community
• Structurally predefined: i.e. Members of a board
• Emergent: i.e. Friends of friends
• Strong/dense: Large degree of connectedness
• Weak: Small degree of connectedness
Direct Attack: Benign Community
• Aim:
  • Reduce the value of the community's opinions to other communities
  • Divide and conquer
  • Undermine the opinions of individual members of a community
• Result:
  • Exploitation
  • Weakening
  • Isolation
  • Destruction
Indirect Attack: Benign Community
• Aim:
  • Reduce the quantity of information available to community members: Weakening the community
• Result:
  • Segregate the community - Isolating/Destroying the community
  • Undermine the opinions of individual members of a community
The Malicious Agent
• Aim: One shot exploit or Destroy
• What determines the aim?
  • The cost/benefit analysis of the attack: What is the cost of launching an attack?
  • How long does it take to develop an influential reputation?
  • How much do we gain from the attack?
  • How well connected is the community to the rest of the system?
  • What is the cost of re-establishing a new reputation of equal value to the one used in an attack?
The Malicious Community
• Aim: Repeatedly exploit or disrupt a benign agent or community of agents
• Method:
  • The community of malicious agents (which may just be a single agent with a number of pseudonyms) collude to provide:
    • Positive ratings to members
    • Negative ratings to non-members
• Result:
  • The cost of a malicious agent re-establishing a new reputation is reduced, i.e. Instant refill attack, Sybil attack, Community Weakening
  • The cost of running a service is dramatically increased for the benign agent.
  • What is then the value of group membership?
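An added example (not from the original slides) that puts a number on the reduced re-establishment cost described above, from the evaluator's side. It assumes a Beta-style reputation score, a trust threshold of 0.9, four colluding pseudonyms and a per-testimony witness weight; all of these names and values are assumptions of this sketch, not the authors' model.

```python
from fractions import Fraction

def beta_score(pos, neg):
    """Reputation as the mean of Beta(pos+1, neg+1).
    Assumed scoring rule for this sketch, not the authors' model."""
    return (pos + 1) / (pos + neg + 2)

def cycles_to_trust(threshold, colluders=0, witness_weight=Fraction(1)):
    """Cooperative cycles a fresh identity needs before the target trusts it.

    Per cycle the target records one positive direct experience plus one
    positive testimony from each colluding pseudonym, scaled by
    witness_weight (how much the target credits raters it has no direct
    experience of). All three parameters are assumptions of this sketch.
    """
    pos, cycles = Fraction(0), 0
    while beta_score(pos, Fraction(0)) < threshold:
        cycles += 1
        pos += 1 + colluders * witness_weight
    return cycles

def refill_resistance(threshold, colluders, witness_weight):
    """Share of the honest reputation-building cost that must still be paid
    when a malicious community vouches for the new identity
    (1 = fully resistant, close to 0 = 'instant refill')."""
    honest = cycles_to_trust(threshold)
    colluding = cycles_to_trust(threshold, colluders, witness_weight)
    return Fraction(colluding, honest)

if __name__ == "__main__":
    threshold = Fraction(9, 10)  # constructed trust threshold
    for weight in (Fraction(1), Fraction(1, 4), Fraction(0)):
        r = refill_resistance(threshold, colluders=4, witness_weight=weight)
        print(f"witness_weight={weight}: resistance={r}")
```

Crediting unknown raters in full lets the colluding identity pay a quarter of the honest cost; discounting testimonies from raters the target has never dealt with restores it.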
Concluding Remarks
• We present:
  • A classification of the attacks present in reputation enabled communities.
• Aim:
  • Develop ‘intelligent’ malicious agents to test the performance of trust/reputation evaluation algorithms.
  • Identify how resistance to attacks can be quantified
  • Develop reputation mechanisms that are x-degree resistant to the attacks discussed
Thank you for your attention
All questions welcome
Use the good testimonies gained from the target to defect against members of their embedded social network, reducing the value of the target's opinions