
SECURE: Secure Environments for Collaboration among Ubiquitous Roaming Entities

Deliverables

This result describes the architecture of an interaction monitor for trust-based collaborations. The architecture enables principal self-protection by allowing principals to specify concerns with respect to the interaction and actions in response to concerns materializing. The architecture has been instantiated as a software prototype. The architecture and its software instantiation are of particular interest to the scientific community as one of the first approaches to trust-based self-protection. The use of the result is envisaged primarily in a scientific context as an experimental prototype for further investigation of trust-based self-protection policies. Although the result is useful in any application domain for the collection of evidence during principal interaction, it is particularly useful in application domains where interactions between principals tend to involve series of actions and/or service provisioning contracts. The main innovative feature of the architecture and its instantiation is that it builds upon an event-based trust model in which interaction histories are represented by event histories that allow the expression of principal concerns as event-condition-action rules over the current event configuration and outcome costs of the interaction. Although this result has been presented to the scientific community as indicated by the associated document, it is currently too early to estimate its commercial potential. As a result, no specific steps have been taken at this stage in order to protect any IPR emanating from it. However, further research is underway for the development of this result.
The SECURE project is investigating the applicability of autonomous trust/risk-based security in the context of global computing, characterized by heterogeneity, uncertainty and a large number of previously unknown roaming entities. The SECURE framework can be instantiated under different operating assumptions to implement trust/risk management for different application scenarios in a way that ensures compliance with the SECURE formal model of trust. The framework architecture is composed of a set of components where each component is responsible for a key aspect of the framework, and the interactions between these components are documented using UML sequence diagrams. It is currently too early to estimate its commercial potential. As a result, no specific steps have been taken at this stage in order to protect any IPR emanating from it.
This result provides a comprehensive theoretical and operational model addressing the issues of trust lifecycle management, namely trust formation, evolution and exploitation. The model is of general interest to the scientific community in general and trust management researchers in particular. Use of this result is envisaged primarily in a scientific context. More specifically, the model can be instantiated in a variety of ways to support trust-based decision-making in research projects targeting environments characterized by virtual anonymity and lack of complete information about potential collaborators. Consequently, we believe that this result can be utilized in a variety of application domains as a basic framework for the exploration of targeted evidence collection and trust-based decision-making techniques. The main innovative feature of the model is that it supports trust formation, evolution and exploitation on the basis of evidence about the past behavior of principals collected by and communicated between decision-makers. All these processes are founded on a formally founded computational model of trust. The model has been validated in a quite diverse collection of application scenarios, which indicates its general applicability. Although this result has been widely publicized to the scientific community as indicated by the associated documents, it is currently too early to estimate its commercial potential. As a result, no specific steps have been taken at this stage in order to protect any IPR emanating from it. However, further research is pursued for the development of this result.
The result is an algorithmic technique for policy evaluation in trust- and reputation-based systems, with applications to history-based access control. The result exploits techniques from model checking. The potential applications range over a number of trust-based security systems as part of ubiquitous computing. End-users are designers and programmers of trust-based systems, and the main innovative features are the efficiency of the algorithmic techniques, in particular when applied to parameterised policy specifications. It is currently too early to estimate the commercial potential. As a result, no specific steps have been taken at this stage in order to protect any IPR emanating from it.
We have proposed that interacting computing entities can make decisions based on a computational model of trust. As the real world does not have a unique legitimate authority, computing entities are owned by multiple authorities and operated from multiple jurisdictions. As in real life, no administrator can be perpetually present to manage the interactions. A crucial element for the use of trust is to know with whom the entities interact, which corresponds to authentication in traditional computer security. However, this element has been disregarded in computational trust: this is ill fated given that virtual identities are the means for a number of attacks that are less possible in face-to-face settings. We use another parallel with human social networks, namely the notion of entity recognition (ER). When someone is introduced by a trustworthy recommender, the identity card of the recommended person is not used and it is sufficient to recognize this person. It provides dynamic enrolment and, in doing so, ad-hoc interactions are possible. It also underlines that the full curriculum vitae of the recommender is not required, which translates to a privacy improvement over trust engines that link all interactions to a real-world identity. Our resulting framework follows an ER approach: the virtual identities are, by default, pseudonyms - recognized, but without link to the real-world identities. It is sufficient to recognize a virtual identity in order to build trust based on evidence. The link to the real-world identity may be considered to be useful for security decisions and our framework does not forbid the use of this link. However, in global computing, the possibility to sue the real-world identities behind the virtual identities is not guaranteed since the jurisdictions of the interacting entities may be contradictory. 
In addition, most authentication schemes linking a real-world identity with a virtual identity do not achieve dynamic enrolment and their usability compromises security. Still, our framework takes into account the attacks at the level of virtual identity. Instead of authentication, a novel ER process is carried out. The outcome of ER is associated with a level of confidence in recognition rather than a binary authentication outcome: in doing so, weaker recognition schemes can be used. Recognition is a basis for trust computation and is where the end-to-end trust starts; end-to-end trust emphasizes that the trust in the technical infrastructure must be taken into account when the trust in the virtual identity is computed. In addition, trust transfer is introduced to encourage self-recommendations without attacks based on the creation and use of a large number of virtual identities owned by the same real-world identity. Since privacy expectations vary, a privacy-trust trade model is introduced for real-world identities to disclose explicit links between their virtual identities. It is currently too early to estimate its commercial potential. As a result, no specific steps have been taken at this stage in order to protect any IPR emanating from it.
The result is a new and efficient algorithm for the distributed computation and approximation of fixed points, with special applications to the evaluation of distributed trust-based security policies within future ubiquitous systems. The potential applications range over a number of trust-based security systems as part of ubiquitous computing. End-users are designers and programmers of trust-based systems, and the main innovative feature is the efficiency of the obtained algorithms. It is currently too early to estimate the commercial potential. As a result, no specific steps have been taken at this stage in order to protect any IPR emanating from it.
A SPAM filter was the main application developed over the SECURE framework. Each user has an email client that is configured to use an IMAP and SMTP proxy. The role of the proxy is to interpose on messages received from the server, and to declare the message as SPAM or as valid, based on a SECURE decision. Each SPAM message detected by the SECURE framework is marked. This is done through the addition of a message header field X-Spam-Value. The email client employs a filter to send SPAM messages to a special folder. In this application, a principal represents an email user, or more specifically, an email address. An email proxy runs as a separate process, on a machine that is specified by the email client configuration. In the case of a false positive or false negative, the user can move the message from or to the SPAM folder. This move request is intercepted by the proxy and interpreted as an observation of an outcome (of a message being SPAM or valid). This is why the SPAM filter acts as a proxy on the IMAP protocol -- used by clients to download messages from the email server -- since this protocol allows clients to create email folders on the server and to copy messages between them. The POP3 protocol, also used by email clients for downloading messages, does not have this possibility, so the best one could do is simply to mark the messages. All standard email clients today can be configured to use IMAP and SMTP proxies, for example the open source Mozilla clients, Netscape, as well as Microsoft's Outlook (Express). Thus, the SECURE filter is client-independent. The code that processes the IMAP commands and implements the policy components contains around 3000 lines of pure Java code. The trust-based SPAM filter can be used in addition to a content-based SPAM filter to improve SPAM detection. However, the current implementation is just a laboratory prototype.
The result can be of use to the scientific community for the experimentation into trust-based email SPAM filtering. It is currently too early to estimate its commercial potential. As a result, no specific steps have been taken at this stage in order to protect any IPR emanating from it.
The result is an innovative general-purpose computational model for trust-based security systems. The model introduces notions of information and trust orderings on trust-related information. The potential applications range over a number of trust-based security systems as part of ubiquitous computing. End-users are designers of trust-based systems, and the main innovative features are the general-purpose features of the model coupled with concrete implementation and reasoning techniques. It is currently too early to estimate the commercial potential. As a result, no specific steps have been taken at this stage in order to protect any IPR emanating from it.
This result describes a simple generic policy language for reasoning about risk in applications, particularly suited to resource-constrained devices common in ubiquitous computing environments. The policy language is based on a decision-theoretic view of risk taken from economics that enables us to quantify the uncertainty of global computing environments as risk. The ability to transform uncertain decision-making into risk-based decision-making within a trust-based access control policy is the primary innovation of this result. This result is of use to the trust management scientific community as a way of quantifying the uncertainty involved in interactions with little known or unknown principals. It is currently too early to estimate its commercial potential. As a result, no specific steps have been taken at this stage in order to protect any IPR emanating from it.
The implementation of a trust-based framework can be a challenge since it involves more than modelling the features of a framework, e.g., trust values and recommendations. The framework implementation must operate in an autonomous environment, with its associated problems, such as unreliable communication channels and lack of a uniform naming scheme. Further, to ensure that the framework is usable, its implementation must come as a packaged solution that can be employed in, and customized for, a wide variety of application environments. The project examined the challenges of implementing a trust-based framework for an autonomous system, and used the SECURE model as a case study. The framework implementation is completely written in the Java programming language and has around 7000 lines of code. We evaluated it for a mail proxy SPAM filter that employs SECURE and that runs over the trust engine. This filter is also written in Java and contains around 3000 lines of code. The implementation of the framework is generic enough to be used in a number of application scenarios for the further evaluation of the overall approach. The result is primarily for the use of the scientific community as a platform for experimentation on trust-based security policies. It is currently too early to estimate its commercial potential. As a result, no specific steps have been taken at this stage in order to protect any IPR emanating from it.
This result defines a comprehensive methodology for the evaluation of trust-based security policies. The methodology includes a detailed threat analysis identifying a series of threats against which the effectiveness of any trust-based security policy should be assessed. Moreover, it also defines separate evaluation criteria for the decision-making system as a whole and its individual components. Furthermore, it proposes alternative ways of dealing with the various threats. The whole methodology has been tested on a SPAM filtering application. So far, evaluation of trust-based security policies has been ad hoc, while the lack of a general evaluation methodology makes it very difficult to assess the relative merits of proposed approaches. As the area of trust-based security reaches maturity, the ability to evaluate the effectiveness of various proposed policies becomes crucial. In this respect, this result could provide a valuable tool for the whole scientific community. It is currently too early to estimate its commercial potential. As a result, no specific steps have been taken at this stage in order to protect any IPR emanating from it.
Emerging peer-to-peer (P2P) applications have a requirement for decentralized access control. Computational trust systems address this, achieving security through collaboration. This result focuses on the particular problem of distributing evidence for use in trust-based security decisions. It involves a system that solves this in a highly scalable way, and resists attacks such as false recommendations and collusion. The innovative feature of this result is that it exploits P2P technologies to address the evidence distribution problem in an attack-resistant manner. The result is of general use to the evidence-based trust management scientific community as a novel approach to handling evidence management and distribution accompanied by a fully comprehensive threat analysis. It is currently too early to estimate its commercial potential. As a result, no specific steps have been taken at this stage in order to protect any IPR emanating from it.
The SECURE risk model views interaction as consisting of a number of potential outcomes, each characterized by the cost/benefit of it occurring. As a result, risk is viewed as a combination of the likelihood of an outcome occurring and the cost/benefit it incurs. The innovative feature of this result is that it makes the risk of an interaction explicit during the decision-making process. Moreover, it also makes a clear link between trust and risk by viewing the trustworthiness of a principal as indicative of the likelihood of each outcome during an interaction with this principal. This result is of use to the trust management scientific community as a way of both making risk in decision making explicit and combining it with trust. It is currently too early to estimate its commercial potential. As a result, no specific steps have been taken at this stage in order to protect any IPR emanating from it.
