1. July 14 th SAM 2008 Las Vegas, NV An Ad Hoc Trust Inference Model for Flexible and Controlled Information Sharing Danfeng (Daphne) Yao Rutgers University, New Brunswick

2. Motivation: Hurricane Katrina 2005

3. Motivation cont’d Flexible authorization for cross-domain information sharing –Traditional access control models are too strict –Motivating scenario: inadequate crisis communication among FEMA & Coast Guard after Hurricane Katrina Need to efficiently share and utilize data generated in pervasive computing environments –Sensor data, location, etc Challenge: there is no central authority in this decentralized environment –How does the resource owner adaptively makes access control decisions in response to emergency situations?

4. Decentralized trust management Digital identity and certificate Most of existing trust management models only work for static access control policies –Policies are pre-defined and not adaptive to contexts –Models cannot handle crisis and emergency situations Our approach: ad hoc trust inference –Allow the requester to specify emergency level –Use fuzzy logic to integrate user information Request for access Bob Is Bob qualified to access DB? Policies Bob’s credential Hospital University

5. Broader implication of dynamic authorization Useful for flexible information sharing in mission-critical systems Useful for flexible information sharing in mission-critical systems 0 Deny 1 Allow [JASON Report 04] studied the need for broader access model

6. Our idea: multimodal authorization Authorization decisions are made based on multiple factors including the identity, history, environment associated with a request. A requester is given multiple chances of proving trustworthiness, instead of a type of criteria.

7. Our ad hoc trust inference model We introduce attribute urgency level that is to be specified by the requester –Urgency level –Urgency level defines how urgent a requester needs the information –This attribute is self-claimed by the requester, e.g., urgency level = very high –Three attribute types: identity type, history type, and environment type We develop a mechanism that combines various attribute values and outputs a numeric trustworthiness score for the requester Our design integrates an audit component in trust inference

8. Input attributes in our trust model Attribute type Attribute name Authentication method Value range Identity input AffiliationCredential [0, 1] History input Historic performance n/a [0, 1] Environment input Urgency level Audit mechanism [0, 1] How does the resource owner combine these attribute values and obtain the trustworthiness of a requester? Inference output Trustworthinessn/a [0, 1]

9. Access policies are intrinsically flexible –Supports continuous access decisions –More flexible than binary access verdicts Access rules are intuitive to define –Rules are individually defined for each attribute Can handle incomplete and imprecise inputs –In decentralized environments, resource owners usually do not have complete and precise inputs Advantages of ad hoc trust inference with fuzzy logic

10. An example of membership function and degrees of membership in fuzzy logic Earliness(time) = { 1, IF time ≤ 1200, (2000−time) / 800, IF 1200 < time ≤ 2000, 0, IF time > 2000 } Time of the day Degree of earliness 09:001 14:000.75 16:000.5 22:000

11. Trust inference steps Define attributes from which trustworthiness may be inferred Define the fuzzy variables associated with each attribute For each fuzzy variable, define a membership function Define the output membership function for the output variable (i.e., degrees of trustworthiness) Define fuzzy rules to specify the logic used to infer the trustworthiness score from attributes

12. Example Bob from FEMA needs to access US Coast Guard (USCG) database for a rescue task –Bob has a FEMA credential –Urgency level = very high USCG has prior interactions with FEMA –Affiliation score = high –History = very high –USCG has also defined fuzzy membership functions and fuzzy rules Ad hoc trust inference computation produces a trustworthiness score for Bob’s request –E.g., trustworthiness = very high Note that the actual inference is done on crisp inputs and outputs a crisp trust score. Please refer to the paper for detailed computation.

13. Architecture

14. Audit Urgency level is self-claimed by the requester and may be inaccurate Audit process identifies cheating users –A dishonest user may always claim high urgency level Audit process selectively examines and verifies the urgency levels associated past requesters Dishonest user and organization will have lower trustworthiness in the future transactions –Lower affiliation score –Lower history score

15. Conclusions and Future work Conclusions –Crisis information sharing requires flexible trust inference mechanism –We have presented an ad hoc trust inference framework that allows user-specified context input Future work –To automate audit mechanism by analyzing public and sensory information –To apply ad hoc trust inference mechanism to manage trust in Web 2.0 applications

16. Acknowledgements Professor James Garnett, Rutgers University Department of Public Policy and Administration Funding: Rutgers University Computing Coordination Council (CCC) Pervasive Computing Initiative Grant