Formalizing Evidence and Trust for User Authorization
Project Award Number: IIS-0209059
Principal Investigator
Bharat Bhargava
Department of Computer Sciences
Purdue University
250 N. University Street
West Lafayette, Indiana, 47907-2066
Office Phone: +1 765-494-6013
FAX: +1
765-494-0739
bb@cs.purdue.edu
http://cs.purdue.edu/~bb
Collaborator
Leszek Lilien
Department of Computer Sciences
Purdue University
West Lafayette, Indiana, 47907-2066
Office Phone: +1 765-496-2718
FAX: +1
765-494-0739
llilien@cs.purdue.edu
Collaborator
Sanjay Madria
Department of Computer Science
University of Missouri-Rolla
Rolla, MO 65409
Office Phone: +1 573-341-4856
FAX: +1
573-345-4501
madrias@umr.edu
Keywords
Trust, Security, Fraud, Authorization
Project Summary
Trust
characterizes the probability that a user will not harm the operations of an
information system. User or site trustworthiness is needed in transaction
processing, distributed database processing (consistency, integrity),
peer-to-peer systems, web based e-commerce systems, and building routes in ad
hoc networks. We argue that credentials are not sufficient to certify that a
user is trustworthy. We have presented a trust-enhanced role-mapping (TERM)
server that cooperates with role-based access control (RBAC) for authorization
based on evidence and trust. We have built an architecture that consists of
TERM server, RBAC server, trust manager, and event monitor.
The
prototype implementation of this architecture is underway. It realizes a
centralized trust model. The sites in one domain share a global view of trust.
The collected and derived trust information is stored in a centralized manner.
The prototype can be used to study the performance and scalability of trust
models. We have developed a classification algorithm to dynamically adjust the
trust value associated with each user. This algorithm will be implemented in
the trust manager. We are formalizing fraud detection in the context of
database processing and Internet auction. The application of this research is
in financial information systems.
Publications and Products
- Y.
Lu, B. Bhargava, W. Wang, Y. Zhong, and X. Wu "Secure Wireless
Network with Movable Base Stations", to appear in IEICE/IEEE Joint
Special Issue on Assurance Systems and Networks, October 2003.
- B.
Bhargava, Y. Zhong, and Y. Lu, "Fraud Formalization and Detection",
to appear in Proceeding of Data Warehouse and Knowledge Management
Conference (DaWak), September 2003.
- B.
Bhargava, M. Jenamani, and Y. Zhong, "Impact of Privacy Violation on
The Fairness of Internet Auctions ", submitted to IEEE Security &
Privacy.
- Y.
Zhong, Y. Lu, and B. Bhargava, "Dynamic Trust Production Based on
Interaction Sequence", CSD-TR 03-006, Department of Computer
Sciences, Purdue University.
- B.
Bhargava and Y. Zhong, "Authorization Based on Evidence and
Trust", in Proceeding of Data Warehouse and Knowledge Management
Conference (DaWak), September 2002.
- E.
Terzi, Y. Zhong, B. Bhargava, Pankaj, and S. Madria, "An Algorithm
for Building User-Role Profiles in a Trust Environment", in
Proceeding of Data Warehouse and Knowledge Management Conference (DaWak),
September 2002.
Project Impact
The research on authorization
based on evidence and trust is leading towards an efficient way for determining
the trustworthiness of information on the semantic web. The research on
quantification and formalization of evidence and trust can enhance trusted
collaboration and information sharing in the Internet.
The research has taught students to apply formal methods
in philosophy, statistics, and machine reasoning to practical problems in
information processing. The students are learning about formalization of
difficult concepts such as trust, evidence, and fraud. Quantification of these
concepts and design of experiments to study them in terms of malicious behavior
and interaction are unique in computer science. This work has enabled us to
collaborate with people in peer-to-peer systems and mobile ad hoc networking.
It helps in upgrading course material in database classes that goes beyond
reliability, integrity, and security. It leads to the notion of trust as a
measure.
Goals, Objectives and Targeted Activities
We are formalizing trust and
building models based on credentials, evidence, roles, user behavior, and
dynamic interactions. We have built an architecture for integrating user
trustworthiness into authorization. We are building prototype for experimental
studies. Experiments have been conducted on discovering the intention behind a
sequence of behaviors. The research on fraud formalization is being integrated
with vulnerabilities in any system to devise anomaly detectors, state
transition analysis, and risk analysis.
Area Background
Current research efforts grant
privilege to a user based on her properties that are demonstrated by digital
credentials (evidences). Holding credentials does not certify that the user
will not carry out harmful actions. Authorization based on evidence as well as
trust makes the access control adaptable to users' misbehaviors. Existing
computational trust management model can be broadly categorized into
authorization-based and reputation-based trust management. Our research effort
integrates them into one framework. Evidence testifies certain properties of an
entity, or subject. A computational evidence theory, such as Bayesian network,
Dampster-shafer theory and subjective logic, deals with the evaluation and
combination of evidence. In our research, Damspter-shafer theory is used to
integrate reputation and subjective logic is adopted to evaluate
recommendations.
Area References
- L.
Mui, "Computational Models of Trust and Reputation: Agents,
Evolutionary Games, and Social Networks", PhD Thesis, EECS, MIT 2002.
- J.
Park and R. Sandhu, "Role-based Access Control on the Web", ACM
Transactions on Information and System Security, Vol. 4, No. 1, Feb. 2001.
- G.
Shafer, "A Mathematical Theory of Evidence", Princeton
University Press, 1976.
- A.
Jøsang, "A Logic for Uncertain Probabilities", International
Journal of Uncertainty, Fuzziness and Knowledge-based Systems, Vol. 9 No.
3, June 2001.
Potential Related Projects
This project is related to "Vulnerability Analysis and
Threat Assessment/Avoidance" funded by NSF.
Project Websites
http://www.cs.purdue.edu/~bb/NSFtrust.html