A Trust Management Framework for Service-Oriented Environments
William Conner, Arun Iyengar, Thomas Mikalsen, Isabelle Rouvellou, and Klara Nahrstedt (wconner@uiuc.edu)
18th International World Wide Web Conference


Page 1: A Trust Management Framework for Service-Oriented Environments William Conner, Arun Iyengar, Thomas Mikalsen, Isabelle Rouvellou, and Klara Nahrstedt wconner@uiuc.edu

18th International World Wide Web Conference


Page 2: Outline

Background and motivation
Trust management framework
Performance evaluation
Related work
Conclusion

Page 3: Distributed Computing Platforms

Many options available for deploying distributed applications
◦ P2P systems
    ◦ Gnutella for file sharing
    ◦ PPLive for media streaming
◦ Computational grids
    ◦ Open Science Grid for scientific research
◦ Computing clouds
    ◦ IBM Blue Cloud, Google App Engine, and Amazon Web Services for web applications

Page 4: Trust Management

Parties in distributed transactions often concerned with trust
◦ Client perspective: server selection
◦ Server perspective: access control

[Figure: interactions between Client and Server]
◦ Buying / Selling (eBay)
◦ Download / Upload (P2P)
◦ Request / Response (Web)
◦ INVITE / OK (SIP)

Page 5: Trust Management

Credential-based trust management
◦ Exchange credentials prior to transaction
◦ Suitable when parties are known directly or indirectly
◦ Not our focus

Reputation-based trust management
◦ Gather feedback ratings on prior transactions
◦ Suitable for open environments when parties are unknown to each other

Page 6: Trust Management Service (TMS)

Reputation-based
Server-side access control for distributed infrastructures
Enable sharing of reputation feedback from many sources
Enable simultaneous use of different reputation metrics

Page 7: Target Environment

Service-hosting infrastructure
◦ Computing cloud would be an example
◦ Many external clients sending requests
◦ Many different services fulfilling requests

Page 8: Security Assumptions

No Sybil attacks
◦ XRep and PeerTrust share this assumption
Secure communications within infrastructure
◦ Public key cryptography
Attacks characterized by negative feedback
◦ Other Web-based attacks outside scope
Bad feedback implicitly handled by reputation metrics

Page 9: Collecting Reputation Feedback

[Sequence diagram between External Client C, Hosted Service S, and TMS]
REQUEST
REPLY
H1 = (C,S,Fdbk1,Attrs1)
TMS Records: (C,S,Fdbk1,Attrs1)
H2 = (C,S,Fdbk2,Attrs2)
TMS Records: (C,S,Fdbk1,Attrs1), (C,S,Fdbk2,Attrs2)

H = service invocation history record
C = client invoking service
S = invoked service
Fdbk = feedback value between -1 and 1
Attrs = trust-related attributes

Page 10: Feedback Example

Page 11: Assessing Trust

[Sequence diagram between External Client C, Hosted Service S, and TMS]
REQUEST
REPLY
TMS Records: H1 = (C,S,Fdbk1,Attrs1), H2 = (C,S,Fdbk2,Attrs2)
(C,F_S)
Rep_{C,S} = F_S({H1,H2})
GRANT if Rep_{C,S} ≥ T_S
DENY, otherwise

C = client invoking service
S = invoked service
F_S = reputation scoring function for S
Rep_{C,S} = reputation of C according to S
T_S = minimum trust threshold for S

Page 12: Custom Reputation Metrics

TMS supports flexible reputation metrics
◦ Select from library of available scoring functions
◦ Define user-specific scoring function
eBay reputation metric
◦ Summation of feedback ratings
PeerTrust reputation metric
[Formula figure; labeled terms: satisfaction, credibility, transaction context, community context]
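
The collection and assessment flow from the slides above, as an added Python example (not code from the talk or the authors' system): a TMS stores (C,S,Fdbk,Attrs) records and each service registers its own F_S and T_S. The class and function names, the `mean_recent` metric, the sample history, and the choice to score all of a client's shared records are assumptions.

```python
from collections import defaultdict

def ebay_sum(records):
    """eBay metric from the slide: summation of feedback ratings."""
    return sum(fdbk for _c, _s, fdbk, _attrs in records)

def mean_recent(records, window=3):
    """Hypothetical user-specific metric: mean of the last `window` ratings."""
    recent = [fdbk for _c, _s, fdbk, _attrs in records[-window:]]
    return sum(recent) / len(recent) if recent else 0.0

class TMS:
    def __init__(self):
        self.records = defaultdict(list)  # client -> [(C, S, Fdbk, Attrs), ...]
        self.policy = {}                  # service -> (F_S, T_S)

    def register(self, service, scoring_fn, threshold):
        self.policy[service] = (scoring_fn, threshold)

    def report(self, client, service, fdbk, attrs=None):
        # Reject out-of-range feedback so one report cannot outweigh many.
        if not -1.0 <= fdbk <= 1.0:
            raise ValueError("Fdbk must lie between -1 and 1")
        self.records[client].append((client, service, fdbk, attrs or {}))

    def assess(self, client, service):
        scoring_fn, threshold = self.policy[service]
        rep = scoring_fn(self.records.get(client, []))
        return ("GRANT" if rep >= threshold else "DENY"), rep

def demo():
    tms = TMS()
    tms.register("S1", ebay_sum, 1.0)      # constructed thresholds
    tms.register("S2", mean_recent, 0.0)
    for fdbk in (1.0, 1.0, 1.0, -1.0, -1.0, 0.5):   # constructed history
        tms.report("C", "S1", fdbk)
    return tms.assess("C", "S1"), tms.assess("C", "S2")

if __name__ == "__main__":
    print(demo())
```

The same history is granted by S1 under the summation metric and denied by S2 under the recency metric, which is the point of letting each service choose its own scoring function.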

Page 13: Distributed TMS

Multiple TMS nodes organized into DHT
◦ Consistent hashing used for load balancing
◦ Replication on successor nodes for availability

[Figure: Hosted Service S with TMS 0, TMS 1, and TMS 2]

Page 14: Consistent Hashing

Apply cryptographic hash function to client identifier to get hash value hash_C
◦ Example hash functions: SHA-1, MD5
Assign hash_C to numerically closest TMS identifier ≥ hash_C
◦ Similar to Chord DHT

[Figure: identifier ring with positions 0, 2, 4, 6, 8, 10, 12, 14; labels: hash_C, node, crash]

Page 15: Replication

TMS nodes might crash
◦ Stored records unavailable
◦ Reports reassigned based on consistent hash
Enhance availability of TMS records
◦ Replicate TMS records on up to k nodes where k = 0,…,N-1
◦ Similar to successor replication on Chord

Page 16: Replication

Probability of losing record
◦ Assume nodes fail independently with probability p
◦ Assume replication factor k
◦ Prob = p^k

[Figure: ring with nodes 0, 4, 8, 12; labels: successor, node]
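
Record placement and successor replication from the three slides above, as an added Python example (not the authors' implementation). The 4-bit ring, the node set {0, 4, 8, 12}, and all function names are assumptions; `copies` counts the nodes holding a record, which is how the slide's p^k is read here.

```python
import hashlib
from bisect import bisect_left

def ring_hash(client_id, bits=4):
    """Hash a client identifier onto a 2**bits ring (SHA-1, as on the slide)."""
    digest = hashlib.sha1(client_id.encode()).digest()
    return int.from_bytes(digest, "big") % (1 << bits)

def holders(hash_c, nodes, copies=1):
    """Primary is the closest node id >= hash_c (wrapping past the top of the
    ring); further copies go to its successors, Chord-style."""
    ring = sorted(nodes)
    start = bisect_left(ring, hash_c) % len(ring)
    return [ring[(start + i) % len(ring)] for i in range(min(copies, len(ring)))]

def route_after_crash(hash_c, nodes, crashed, copies):
    """Reassign hash_c among the live nodes and report whether the node now
    responsible already holds the client's records."""
    live = [n for n in nodes if n not in crashed]
    if not live:
        return None, False
    new_primary = holders(hash_c, live)[0]
    return new_primary, new_primary in holders(hash_c, nodes, copies)

def loss_probability(p, copies):
    """All holders must fail; failures are independent with probability p."""
    return p ** copies

if __name__ == "__main__":
    nodes = [0, 4, 8, 12]                              # constructed ring
    print(ring_hash("client-C"))                       # some position in 0..15
    print(holders(6, nodes))                           # primary for hash_C = 6
    print(route_after_crash(6, nodes, {8}, copies=1))  # records unavailable
    print(route_after_crash(6, nodes, {8}, copies=2))  # successor has a copy
    print(loss_probability(0.1, 3))
```

With a single copy, a crash of node 8 moves responsibility to node 12, which has no records for the client; with a second copy on the successor, the reassigned node can still answer trust queries.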

Page 17: Trust Value Caching

[Sequence diagram between External Client C, Hosted Service S, and TMS]
REQUEST
REPLY
(C,F_S)
Rep_{C,S} = F_S({H1,H2})
Annotation: Additional processing and round trip

Page 18: Trust Value Caching

Observation
◦ Q: Is it necessary to re-evaluate trust each time?
◦ A: Depends on scoring function and client activity since last evaluation
Example
◦ eBay is scoring function used
◦ Client has 5 transactions since last evaluation
◦ If Rep_C = 100, then always grant
◦ If Rep_C = -100, then always deny

Page 19: Trust Value Caching

TMS periodically updates services on client activity levels
◦ Maintain frequency count for each client
◦ Create Bloom histogram to approximate frequency count
Services estimate upper and lower bound on client reputation
TMS only contacted if re-evaluation necessary

Page 20: Trust Value Caching
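
The caching decision described on the slides above, as an added Python example (not the authors' code) for the eBay summation metric: each new rating lies in [-1, 1], so n transactions move Rep_C by at most n. The `ServiceCache` class, the threshold of 0, and the sample values are assumptions, as is an activity count that is never an underestimate and is measured since the client's last evaluation.

```python
class ServiceCache:
    """Service-side cache of Rep_C with bounds derived from client activity."""

    def __init__(self, threshold, query_tms):
        self.threshold = threshold    # T_S
        self.query_tms = query_tms    # callable: client -> fresh Rep_C from the TMS
        self.cached = {}              # client -> Rep_C at last evaluation
        self.activity = {}            # client -> transactions since that evaluation
        self.tms_calls = 0

    def activity_update(self, counts):
        """Periodic TMS update of per-client activity levels."""
        self.activity.update(counts)

    def authorize(self, client):
        if client in self.cached:
            n = self.activity.get(client, 0)
            low, high = self.cached[client] - n, self.cached[client] + n
            if low >= self.threshold:     # even the worst case clears T_S
                return "GRANT"
            if high < self.threshold:     # even the best case stays below T_S
                return "DENY"
        # No cached value, or the bounds straddle T_S: re-evaluate at the TMS.
        self.tms_calls += 1
        self.cached[client] = self.query_tms(client)
        self.activity[client] = 0
        return "GRANT" if self.cached[client] >= self.threshold else "DENY"

def demo():
    fresh = {"good": 100.0, "bad": -100.0, "edge": 3.0}   # constructed TMS state
    svc = ServiceCache(threshold=0.0, query_tms=fresh.__getitem__)
    first = [svc.authorize(c) for c in ("good", "bad", "edge")]
    svc.activity_update({"good": 5, "bad": 5, "edge": 5})
    fresh["edge"] = -1.0      # the edge client's 5 new ratings summed to -4
    second = [svc.authorize(c) for c in ("good", "bad", "edge")]
    return first, second, svc.tms_calls

if __name__ == "__main__":
    print(demo())
```

Only the client whose bounds straddle the threshold costs a TMS round trip on the second pass; if the activity count could undercount, the bounds would be too tight and a stale GRANT could be served.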

Page 21: Performance Evaluation

Integrated TMS into Supply Chain Management application
◦ Retailers
◦ Warehouses
◦ Manufacturers
Measured latency and throughput through experiments
◦ Trusted ILLIAC (LAN environment)
◦ PlanetLab (WAN environment)

Page 22: Performance Evaluation

Page 23: Latency

Page 24: Throughput

Page 25: Related Work

Online auctions
◦ Buyers and sellers rate each other
◦ eBay is best known example
P2P file sharing
◦ Avoid bogus or malicious content
◦ XRep [Damiani et al. '02], EigenTrust [Kamvar et al. '03], and PeerTrust [Xiong and Liu '04]
Web service selection
◦ Clients send requests to most reputable services
◦ Examples include [Zeng et al. '03, Kalepu et al. '04, Park et al. '05]

Page 26: Conclusion

Trust management framework
◦ Reputation-based
◦ Server-side access control
◦ Enable sharing of feedback
◦ Enable flexible trust assessments
◦ Reasonable latency and throughput overhead