reputation-based trust management

2.12: news.cyb/sec/reputation-based trust management:
2.14: summary:
. even if the NSA keeps vulnerabilities in place
so that they may continue accessing their backdoors;
they do not want you pwned by other nation states.
. they recommended "reputation management",
which I believe refers to
reputation-based trust management.

NSA`Tailored Access Operations`Rob Joyce:
. admins need to lock things down as far as possible;
whitelisting apps, locking down permissions,
patching as soon as possible,
and using reputation management.
. when up against a new piece of malware
it will be missed by signature-based antivirus
but could still be caught by reputation.
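
The contrast above between signature matching and reputation, as an added example (not from the talk or from any product): the telemetry fields, weights, threshold and the placeholder "hashes" are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: the "hashes" are placeholder strings, not real indicators.
KNOWN_BAD = {"hash-of-known-malware"}

@dataclass
class FileTelemetry:
    file_hash: str
    hosts_seen: int             # fleet machines that have run this file
    days_since_first_seen: int
    signer_trusted: bool        # publisher is on the organisation's allowlist

def signature_verdict(f: FileTelemetry) -> str:
    """Signature-style check: only files already on the blocklist are stopped."""
    return "block" if f.file_hash in KNOWN_BAD else "allow"

def reputation_score(f: FileTelemetry) -> float:
    """0.0 = no track record, 1.0 = widely seen, long-lived and signed.
    Weights and saturation points are illustrative assumptions."""
    prevalence = min(f.hosts_seen / 1000, 1.0)
    age = min(f.days_since_first_seen / 90, 1.0)
    signer = 1.0 if f.signer_trusted else 0.0
    return 0.4 * prevalence + 0.3 * age + 0.3 * signer

def reputation_verdict(f: FileTelemetry, threshold: float = 0.5) -> str:
    """Blocklist first, then hold back anything without enough track record."""
    if signature_verdict(f) == "block":
        return "block"
    return "allow" if reputation_score(f) >= threshold else "quarantine"

ESTABLISHED = FileTelemetry("hash-of-common-office-app", 5000, 400, True)
OLD_MALWARE = FileTelemetry("hash-of-known-malware", 30, 200, False)
NEW_BINARY = FileTelemetry("hash-of-never-seen-binary", 2, 0, False)

if __name__ == "__main__":
    for f in (ESTABLISHED, OLD_MALWARE, NEW_BINARY):
        print(f.file_hash, signature_verdict(f), reputation_verdict(f))
```

The never-seen binary passes the signature check because nothing matches it, but it is quarantined on reputation because it has no prevalence, age or trusted signer.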

A Reputation-Based Trust Management System for P2P Networks:
Ali Aydın Selçuk, Ersin Uzun, Mark
The open and anonymous nature of a P2P network
makes it an ideal medium for attackers to spread malicious content.
In this paper, we describe a reputation-based
trust management protocol for P2P networks
where users rate the reliability of parties they deal with,
and share this information with their peers.
The protocol helps establishing trust among good peers
as well as identifying the malicious ones.
Results of various simulation experiments show that
the proposed system can be highly effective in preventing
the spread of malicious content in P2P networks.

Trust as a Service:
A Framework for Trust Management in Cloud Environments
Talal H. Noor and Quan Z. Sheng
Trust is one of the most concerning obstacles for the
adoption and growth of cloud computing.
Although several solutions have been proposed recently
in managing trust feedbacks in cloud environments,
how to determine the credibility of trust feedbacks
is mostly neglected. In addition,
managing trust feedbacks in cloud environments
is a difficult problem due to
unpredictable number of cloud service consumers
and highly dynamic nature of cloud environments.
. we propose the “Trust as a Service” (TaaS) framework
to improve ways on trust management in cloud environments.
In particular, we introduce an adaptive credibility model
that distinguishes between credible trust feedbacks
and malicious feedbacks by considering
cloud service consumers’ capability
and majority consensus of their feedbacks.
We propose a framework using the
Service Oriented Architecture (SOA)
to deliver trust as a service.
SOA and Web services are one of the most important
enabling technologies for cloud computing
in the sense that resources
(e.g., software, infrastructures, and platforms)
are exposed in clouds as services
[ Dillon, T., Wu, C., Chang, E.:
Cloud Computing: Issues and Challenges.
Proc. of AINA 2010, Perth, Australia (April 2010).
Wei, Y., Blake, M.B.:
Service-oriented Computing and Cloud Computing:
Challenges and Opportunities.
IEEE Internet Computing 14(6), 72–75 (2010).]
In the future, we plan to deal with
more challenging problems such as
the Sybil attack and the Whitewashing attack.
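
A simplified sketch of credibility-weighted feedback, added here as an example and not the TaaS authors' model or formulas: each rating is weighted by the rater's capability (assumed here to be how many feedbacks they have submitted) and by its closeness to the majority (assumed here to be the median). All names and ratings are constructed, with ratings in [0, 1]. The second data set shows why the Sybil attack is left as future work.

```python
from collections import Counter
from statistics import mean, median

def capability(feedback):
    """Rater experience: feedbacks submitted, relative to the busiest rater."""
    counts = Counter(rater for rater, _service, _rating in feedback)
    busiest = max(counts.values())
    return {rater: n / busiest for rater, n in counts.items()}

def naive_score(feedback, service):
    """Plain average: every rating counts the same."""
    return mean(r for _c, s, r in feedback if s == service)

def credible_score(feedback, service):
    """Weighted mean, weight = capability * closeness to the median rating."""
    cap = capability(feedback)
    rows = [(c, r) for c, s, r in feedback if s == service]
    consensus = median(r for _c, r in rows)
    weights = [cap[c] * (1.0 - abs(r - consensus)) for c, r in rows]
    total = sum(weights)
    if total == 0:          # degenerate case: fall back to the consensus itself
        return consensus
    return sum(w * r for w, (_c, r) in zip(weights, rows)) / total

# Constructed data: four experienced consumers and two low-history bad raters.
FEEDBACK = [
    ("alice", "svc", 0.9), ("bob", "svc", 0.85), ("carol", "svc", 0.8),
    ("dave", "svc", 0.9), ("mallory1", "svc", 0.0), ("mallory2", "svc", 0.05),
    ("alice", "other1", 0.7), ("alice", "other2", 0.6), ("bob", "other1", 0.75),
    ("carol", "other2", 0.65), ("dave", "other1", 0.7),
]

# Constructed data: one attacker holding five identities outnumbers two honest
# raters, so the "majority" is the attacker and consensus weighting backfires.
SYBIL_FEEDBACK = [("honest1", "svc", 0.9), ("honest2", "svc", 0.9)] + [
    (f"sybil{i}", "svc", 0.0) for i in range(5)
]

if __name__ == "__main__":
    for name, data in (("minority attack", FEEDBACK), ("sybil", SYBIL_FEEDBACK)):
        print(name, round(naive_score(data, "svc"), 3),
              round(credible_score(data, "svc"), 3))
```

With a minority of bad raters the weighted score stays near the honest ratings while the plain average is dragged down; with a Sybil majority the weighted score ends up lower than the plain average.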

Credibility-Based Trust Management 
for Services in Cloud Environments
Talal H. Noor and Quan Z. Sheng
Conner et al. proposed a trust management framework for the SOA
that focuses on the service provider’s perspective
to protect resources from unauthorized access.
This framework has a decentralized architecture
that offers multiple trust evaluation metrics,
allowing service providers to have customized
evaluation of their clients (i.e., service requesters).
[Conner, W., Iyengar, A., Mikalsen, T., Rouvellou, I., Nahrstedt, K.:
A Trust Management Framework for Service-Oriented Environments.
Proc. of the 18th Int. Conf. on World Wide Web (WWW 2009),
Madrid, Spain (April 2009)]
. We also assume that cloud consumers have unique identities.
Attacks that use the notion of
multiple identities (i.e., the Sybil attack)
or Whitewashing attack that occur when
the malicious cloud consumers (i.e., attackers)
desperately seek new identities to clean their negative history records
are also beyond the scope of this work.
[ Douceur, J.R.: The Sybil Attack.
Druschel, P., Kaashoek, M.F., Rowstron, A. (eds.)
IPTPS 2002. LNCS, vol. 2429, pp. 251–260.
Springer, Heidelberg (2002)
Lai, K., Feldman, M., Stoica, I., Chuang, J.:
Incentives for Cooperation in Peer-to-Peer Networks.
Proc. of the 1st Workshop on Economics of Peer-to-Peer Systems,
Berkeley, CA, USA (June 2003)]

A Survey of Trust and Reputation Systems
for Online Service Provision.
Jøsang, A., Ismail, R., Boyd, C.:
Decision Support Systems 43(2), 618–644 (2007)
Trust and reputation systems represent a significant trend
in decision support for Internet mediated service provision.
The basic idea is to let parties rate each other,
for example after the completion of a transaction,
and use the aggregated ratings about a given party
to derive a trust or reputation score,
which can assist other parties in deciding whether or not
to transact with that party in the future.
A natural side effect is that it also provides
an incentive for good behaviour,
and therefore tends to have a positive effect on market quality.
Reputation systems can be called
collaborative sanctioning systems
to reflect their collaborative nature,
and are related to collaborative filtering systems.

Reputation-Based Trust Management 2003:
Vitaly Shmatikov, Carolyn Talcott:
We propose a formal model for
reputation-based trust management.
In contrast to credential-based trust management,
in our framework an agent's reputation
serves as the basis for trust. For example,
an access control policy may consider the agent's reputation
when deciding whether to offer them a license for
accessing a protected resource. The underlying semantic model
is an event semantics inspired by the actor model,
and assumes that each agent has only partial knowledge
of the events that have occurred.
Restrictions on agents' behavior are formalized as licenses,
with "good" and "bad" behavior interpreted as, respectively,
license fulfillment and violation.
An agent's reputation comprises four kinds of evidence:
completely fulfilled licenses,
ongoing licenses without violations or misuses,
licenses with violated obligations,
and misused licenses. This approach enables
precise formal modeling of scenarios involving reputations,
such as financial transactions based on credit histories
and information sharing between untrusted agents.

A classification scheme for trust functions
in reputation-based trust management (2004)
Qing Zhang , Ting Yu , Keith Irwin:
Reputation is an important means to establish trust
in decentralized environments such as the Semantic Web.
In reputation-based trust management,
an entity’s reputation is usually built on feedback
from those who have direct interactions with the entity.
A trust function is used to infer one’s trustworthiness
based on such feedback.

2010 IEEE Internet Computing/
Reputation-Guided Data-Center Protection:
In the past, most reputation systems were designed for
P2P social networking or online shopping services.
[ L. Xiong and L. Liu, “PeerTrust:
Supporting Reputation-Based Trust 
for Peer-to-Peer Electronic Communities,”
IEEE Trans. Knowledge and Data Eng., July 2004, pp. 843–857.]
Reputation represents a collective evaluation
by users and resource owners.
To support trusted cloud services,
we suggest building a trust-overlay network.
[R. Zhou, and K. Hwang, “PowerTrust:
A Robust and Scalable Reputation System
for Trusted Peer-to-Peer Computing,”
IEEE Trans. Parallel and Distributed Systems,
Apr. 2007, pp. 460–473.]
In the future, we expect that security as a service (SECaaS)
and data protection as a service (DPaaS)
will grow rapidly.