pervasive computing - security & trust
DESCRIPTION
Pervasive ComputingTRANSCRIPT
-
AGENT APPROACHES TO SECURITY, TRUST AND PRIVACY IN PERVASIVE COMPUTING
-
THE VISIONPervasive Computing: a natural extension of the present human computing life styleUsing computing technologies will be as natural as using other non-computing technologies (e.g., pen, paper, and cups) Computing services will be available anytime and anywhere.
-
PERVASIVE COMPUTINGThe most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it Mark Weiser
Think: writing, central heating, electric lighting, Not: taking your laptop to the beach, or immersing yourself into a virtual reality
-
TODAY: LIFE IS GOOD.
-
TOMORROW: WE GOT PROBLEMS!
-
YESTERDAY: GADGET RULES
-
TODAY: COMMUNICATION RULES
-
TOMORROW: SERVICES WILL RULEThank God! Pervasive Computing is here
-
THE BRAVE NEW WORLDDevices increasingly more {powerful ^ smaller ^ cheaper}People interact daily with hundreds of computing devices (many of them mobile):CarsDesktops/LaptopsCell phonesPDAsMP3 playersTransportation passes
Computing is becoming pervasive
-
SECURING DATA & SERVICESSecurity is critical because in many pervasive applications, we interact with agents that are not in our home or office environment.Much of the work in security for distributed systems is not directly applicable to pervasive environmentsNeed to build analogs to trust and reputation relationships in human societiesNeed to worry about privacy!
-
SECURITY CHALLENGESExample 1ABC Industries Inc.ABC Industries Inc., BaltimoreABC Industries Inc., New YorkABC Industries Inc., LAWhat if someone from the New York office visits the LA office ? How are his rights for access to resources in the LA Office decided ?Company wide directory ? Needs dynamic updating by sysadmin, Violates minimality principles of security, Not scalable
-
SECURITY CHALLENGESExample 2ABC Industries Inc., BaltimoreXYZ Inc, Seattle`Rights ?How does the ABC system decide what rights to give a consultant from XYZ Inc ?How does the ABC system decide what rights to give a manager from XYZ Inc ?
-
SECURITY CHALLENGESExample 2 cont.Company directory cannot be usedCross organizational roles may be meaninglessIssues specific to pervasive environmentsCentral access control is not scalableForeign users or visitorsNot possible to store their individual access rights
The role of policies.
-
AN EARLY POLICY FOR AGENTS1 A robot may not injure a human being, or, through inaction, allow a human being to come to harm. 2 A robot must obey the orders given it by human beings except where such orders would conflict with the First Law.3 A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.-- Handbook of Robotics, 56th Edition, 2058 A.D.
-
ON POLICIES, RULES AND LAWS The interesting thing about Asimovs laws were that robots did not always strictly follow them.This is a point of departure from more traditional hard coded rules like DB access control, and OS file permissionsFor autonomous agents, we need policies that describe norms of behavior that they should follow to be good citizens.So, its natural to worry about issues likeWhen an agent is governed by multiple policies, how does it resolve conflicts among them?How can we define penalties when agents dont fulfill their obligations?How can we relate notions of trust and reputation to policies?
-
THE ROLE OF ONTOLOGIESWe will require shared ontologies to support this frameworkA common ontology to represent basic concepts: agents, actions, permissions, obligations, prohibitions, delegations, credentials, etc.Appropriate shared ontologies to describe classes, properties and roles of people and agents, e.g.,any device owned by TimFininany request from a faculty member at ETZOntologies to encode policy rules
-
AD-HOC NETWORKING TECHNOLOGIESAd-hoc networking technologies (e.g. Bluetooth)Main characteristics:Short rangeSpontaneous connectivityFree, at least for now
Mobile devicesAware of their neighborhoodCan discover others in their vicinityInteract with peers in their neighborhoodinter-operate and cooperate as needed and as desiredBoth information consumers and providers
Ad-hoc mobile technology challenges the traditional client/server information access model
-
PERVASIVE ENVIRONMENT PARADIGMPervasive Computing Environment
Ad-Hoc mobile connectivitySpontaneous interaction
PeersService/Information consumers and providersAutonomous, adaptive, and proactive
Data intensive deeply networked environmentEveryone can exchange informationData-centric modelSome sources generate streams of data, e.g. sensors
Pervasive Computing Environments
-
MOTIVATION CONFERENCE SCENARIOSmart-room infrastructure and personal devices can assist an ongoing meeting: data exchange, schedulers, etc.
-
IMPERFECT WORLDIn a perfect worldeverything available and done automatically
In the real worldLimited resourcesBattery, memory, computation, connection, bandwidthMust live with less than perfect resultsDumb devicesMust explicitly be told What, When, and HowForeign entities and unknown peers
So, we really wantSmart, autonomous, dynamic, adaptive, and proactive methods to handle data and services
-
SECURING AD-HOC NETWORKSMANETs underlie much of pervasive computingThey bring to fore interesting problems related toOpenDynamicDistributed SystemsEach node is an independent, autonomous routerHas to interact with other nodes, some never seen before. How do you detect bad guys ?
-
NETWORK LEVEL : GOOD NEIGHBORAd hoc networkNode A sends packet destined for E, through B.B and C make snoop entry (A,E,Ck,B,D,E).B and C check for snoop entry.Perform MisrouteABCDE
-
GOOD NEIGHBORNo BroadcastHidden terminalExposed terminalDSR vs. AODVGLOMOSIM
-
INTRUSION DETECTIONBehaviorsSelfishMaliciousDetection vs. ReactionsShunning bad nodesCluster VotingIncentives (Game Theoretic)Colluding nodesForgiveness
-
SIMULATION IN GLOMOSIMPassive Intrusion DetectionIndividual determinationNo results forwardingActive Intrusion DetectionCluster SchemeVotingResult flooding
-
GLOMOSIM SETUP16 nodes communication4 nodes sources for 2 CBR streams2 nodes pair CBR streamsMobility 0 20 meters/secPause time 0 15sNo bad nodes
-
SIMULATION RESULTS
-
PRELIMINARY RESULTSPassiveFalse alarm rate > 50%Throughput rate decrease < 3% additionalActiveFalse alarm rate < 30%Throughput rate decrease ~ 25% additional
-
CHALLENGES IS THAT ALL? (1)Spatio-temporal variation of data and data sources
All devices in the neighborhood are potential information providers Nothing is fixedNo global catalogNo global routing tableNo centralized control
However, each entity can interact with its neighborsBy advertising / registering its serviceBy collecting / registering services of others
-
CHALLENGES IS THAT ALL? (2)Query may be explicit or implicit, but is often known up-front
Users sometimes ask explicitlye.g. tell me the nearest restaurant that has vegetarian menu items
The system can guess likely queries based on declarative information or past behaviore.g. the user always wants to know the price of IBM stock
-
CHALLENGES IS THAT ALL? (3)Since information sources are not known a priori, schema translations cannot be done beforehand
Resource limited devices so hope for common, domain specific ontologies
Different modes:Device could interact with only such providers whose schemas it understandsDevice could interact with anyone, and cache the information in hopes of a translation in the future.Device could always try to translate itselfPrior work in Schema Translation, Ongoing work in Ontology Mapping.
-
CHALLENGES IS THAT ALL? (4)Cooperation amongst information sources cannot be guaranteed
Device has reliable information, but makes it inaccessible
Devices provides information, which is unreliable
Once device shares information, it needs the capability to protect future propagation and changes to that information
-
CHALLENGES IS THAT ALL? (5)Need to avoid humans in the loopDevices must dynamically "predict" data importance and utility based on the current context
The key insight: declarative (or inferred) descriptions helpInformation needsInformation capabilityConstraintsResourcesDataAnswer fidelity
Expressive Profiles can capture such descriptions
-
4. OUR DATA MANAGEMENT ARCHITECTUREMoGATU
Design and implementation consists ofDataMetadataProfilesEntitiesCommunication interfacesInformation ProvidersInformation ConsumersInformation Managers
-
MOGATU METADATAMetadata representationTo provide information aboutInformation providers and consumers,Data objects, andQueries and answersTo describe relationshipsTo describe restrictionsTo reason over the information
Semantic languageDAML+OIL / DAML-S
http://mogatu.umbc.edu/ont/
-
MOGATU PROFILEProfileUser preferences, schedule, requirementsDevice constraints, providers, consumersData ownership, restriction, requirements, process model
Profiles based on BDI modelsBeliefs are factsabout user or environment/contextDesires and Intentions higher level expressions of beliefs and goals
Devices reason over the BDI profiles Generate domains of interest and utility functionsChange domains and utility functions based on context
-
MOGATU INFORMATION MANAGER (8)ProblemsNot all sources and data are correct/accurate/reliableNo common sensePerson can evaluate a web site based on how it looks, a computer cannotNo centralized party that could verify peer reliability or reliability of its dataDevice is reliable, malicious, ignorant or uncooperative
Distributed BeliefNeed to depend on other peersEvaluate integrity of peers and data based on peer distributed beliefDetect which peer and what data is accurateDetect malicious peersIncentive model: if A is malicious, it will be excluded from the network
-
MOGATU INFORMATION MANAGER (9)Distributed Belief ModelDevice sends a query to multiple peersAsk its vicinity for reputation of untrusted peers that responded to the queryTrust a device only if trusted before or if enough of trusted peers trust itUse answers from (recommended to be) trusted peers to determine answerUpdate reputation/trust level for all devices that respondedA trust level increases for devices that responded according to final answerA trust level decreases for devices that responded in a conflicting way
Each devices builds a ring of trust
-
A: D, where is Bob?A: C, where is Bob?A: B, where is Bob?
-
C: A, Bob is at work.D:A, Bob is home.B: A, Bob is home.
-
A:B: Bob at home,C: Bob at work,D: Bob at homeA: I have enough trust in D. Whatabout B and C?
-
A: Do you trust C?C: I always do.D: I dont.B: I am not sure.E: I dont.F: I do.A:I dont care what C says.I dont know enough about B, but I trust D, E, and F. Together,they dont trust C, so wont I.
-
A: Do you trust B?C: I never do.D: I am not sure.B: I do.E: I do.F: I am not sure.A:I dont care what B says.I dont trust C, but I trust D, E, and F. Together,they trust B a little, so will I.
-
A: I trust B and D,both say Bob is homeA:Increase trust in D.A:Decrease trust in C.A:Increase trust in B.A:Bob is home!
-
MOGATU INFORMATION MANAGER (10)Distributed Belief Model
Initial Trust FunctionPositive, negative, undecided
Trust Learning FunctionBlindly +, Blindly -, F+/S-, S+/F-, F+/F-, S+/S-, Exp
Trust Weighting FunctionMultiplication, cosine
Accuracy Merging FunctionMax, min, average
-
EXPERIMENTSPrimary goal of distributed beliefImprove query processing accuracy by using trusted sources and trusted data
ProblemsNot all sources and data are correct/accurate/reliableNo centralized party that could verify peer reliability or reliability of its dataNeed to depend on other peersNo common sensePerson can evaluate a web site based on how it looks, a computer cannot
SolutionEvaluate integrity of peers and data based on peer distributed beliefDetect which peer and what data is accurateDetect malicious peersIncentive model: if A is malicious, it will be excluded from the network
-
EXPERIMENTSDevicesReliable (Share reliable data only)Malicious (Try to share unreliable data as reliable)Ignorant (Have unreliable data but believe they are reliable)Uncooperative (Have reliable data, will not share)
ModelDevice sends a query to multiple peersAsk its vicinity for reputation of untrusted peers that responded to the queryTrust a device only if trusted before or if enough of trusted peers trust itUse answers from (recommended to be) trusted peers to determine answerUpdate reputation/trust level for all devices that respondedA trust level increases for devices that responded according to final answerA trust level decreases for devices that responded in a conflicting way
-
EXPERIMENTAL ENVIRONMENTHOW:Mogatu and GloMoSim
Spatio-temporal environment:
150 x 150 m2 field50 nodesRandom way-point mobilityAODVCache to hold 50% of global knowledgeTrust-based LRU50 minute each simulation run800 questions-tuplesEach device 100 random unique questionsEach device 100 random unique answers not matching its questionsEach device initially trusts 3-5 other devices
-
EXPERIMENTAL ENVIRONMENT (2)Level of Dishonesty0 100%Dishonest deviceNever provides an honest answerHonest deviceBest effortInitial Trust FunctionPositive, negative, undecidedTrust Learning FunctionBlindly +, Blindly -, F+/S-, S+/F-, F+/F-, S+/S-, ExpTrust Weighting FunctionMultiplication, cosineAccuracy Merging FunctionMax, min, avgTrust and Distrust ConvergenceHow soon are dishonest devices detected
-
RESULTSAnswer Accuracy vs. Trust Learning Functions
Answer Accuracy vs. Accuracy Merging Functions
Distrust Convergence vs. Dishonesty Level
-
ANSWER ACCURACY VS. TRUST LEARNING FUNCTIONSThe effects of trust learning functions with an initial optimistic trust for environments with varying level of dishonesty. The results are shown for ++, --, s, f, f+, f-, and exp learning functions.
-
ANSWER ACCURACY VS. TRUST LEARNING FUNCTIONS (2)The effects of trust learning functions with an initial pessimistic trust for environments with varying level of dishonesty. The results are shown for ++, --, s, f, f+, f-, and exp learning functions.
-
ANSWER ACCURACY VS. ACCURACY MERGING FUNCTIONSThe effects of accuracy merging functions for environments with varying level of dishonesty. The results are shown for(a) MIN using only-one (OO) final answer approach(b) MIN using {\it highest-one} (HO) final answer approach(c) MAX + OO, (d) MAX + HO, (e) AVG + OO, and (f) AVG + HO.
-
DISTRUST CONVERGENCE VS. DISHONESTY LEVELAverage distrust convergence period in seconds for environments with varying level of dishonesty.The results are shown for ++, --, s, and f trust learning functions with an initial optimal trust strategy and for the same functions using an undecided initial trust strategy for results (e-h), respectively.
-
*