Visualization of Automated Trust Negotiation
Danfeng Yao (Brown University), Michael Shin (Goldman Sachs Inc.),
Roberto Tamassia (Brown University), William H. Winsborough (University of Texas, San Antonio)
Supported in part by NSF grants CCF–0311510, IIS–0324846, CNS–0303577 and CNS-0325951
Overview
Introduction to two-party automated trust negotiation (ATN)
– Trust target graph (TTG)
Design of the visualization framework
– Prototype implementation
Example of a visualization session
– Demo of our visualization program
Monitoring the release of sensitive credentials
Accessing protected resources requires releasing digital credentials
Credentials may be sensitive
– Need to control the release of digital credentials
– Trust negotiation is an incremental, bilateral exchange of credentials and policies between resource owner and requester
Visualization of automated trust negotiation
– Gives teaching and learning support for ATN users
– Enables users to visually examine the ATN process
– The combination of interactive visualization and ATN improves the security of protected resources
– We demonstrate that Grappa and GraphViz (AT&T) are suitable graph drawing systems for visualizing ATN
A simple trust negotiation example
Request for discount
Request UID
Request BBB
Send BBB
Send UID
Grant the discount
Policy
Releasing UID requires BBB
Cred. UID (student ID)
Alice
Policy
Discount requires UID
Cred. BBB (better business bureau)
A general trust negotiation protocol
Request for resource
Request credential
Sensitive, request proof
Sensitive, request more credential
Send credential
Grant the resource
Policies
Credentials
Alice
Policies
Credentials
Send proof
Primary trust target
Trust target graph
Trust target graph (TTG) is a directed graph representing the state of negotiation [Winsborough, Li ’02]
– The negotiation succeeds when the primary trust target is satisfied
– Fails when the primary target cannot be satisfied, or when neither negotiator changes the graph
– TTG can have cycles and be non-planar
Construction of TTG
– Each negotiator keeps a local copy of TTG
– Nodes are trust targets: < Amazon: Amazon.discount ? Alice >
  The state of a node: unknown, satisfied, or unsatisfied
– Edges represent implication and control relationships
  Satisfied states propagate along the edges
– Negotiators take turns extending the TTG by adding new edges and nodes to the current graph
  At the beginning TTG contains only the primary trust target
  The new TTG is a supergraph of the previous one
  Associated credentials or policies are transmitted
TTG construction of the example
Amazon: Amazon.discount ? Alice
Amazon: Univ.Student ? Alice
Alice: BBB.member ? Amazon
Alice: Amazon ? Amazon
Alice: BBB.member ? Amazon
Amazon: Univ.Student ? Alice
Amazon: Amazon.discount ? Alice
Components of our ATN visualization framework
[Architecture diagram, steps numbered (1) to (8): Visualization (View); Log Parser; Protocol State & Update; Credentials, Policies, Strategies; Logs; ATN Engine; Modifier; User Inputs]
Prototype implementation
The visualizer displays the construction of TTG for negotiators
Uses Grappa system [Barghouti, Mocenigo, Lee. GD ’97], a Java port of GraphViz system [Ellson, Gansner, Koutsofios, North, Woodhull et al.] for graph drawing
– Layout provided by dot in GraphViz
– The upward drawing heuristics and hierarchical (layered) drawing features are suitable for drawing directed graphs such as TTGs
– Layout algorithms try to avoid edge crossings and reduce edge length
Colors and shapes of nodes and edges represent different types in TTG and can be customized
Displays local credentials, remote credentials, and policies
Standard target
Intersection target
Trivial target
Linked role target
Edge types
Edge name            Color    Meaning
Implication          Purple   A parent node implies the child node
Linking monitor      Blue     From a target with a linked role to a linking goal
Linking solution     Gold     From a linked goal to a standard target
Linking implication  Green    From a target with a linked role to a linked role target
Control              Sienna   Used with ack and access policies
Intersection         Orange   From an intersection target to standard targets
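Added example (not from the slides or the authors' Java prototype): a simplified Python model of the TTG for the Amazon/Alice example, showing supergraph-only extension, control-guarded credential release, propagation of satisfied states, and Graphviz DOT output using the Implication and Control colours from the edge table. The edge direction (src enables dst), the `release` rule and all class and function names are assumptions of this sketch, not the full TTG protocol semantics.

```python
from dataclasses import dataclass, field

EDGE_COLOR = {"implication": "purple", "control": "sienna"}  # colours from the edge table
PRIMARY = "Amazon: Amazon.discount ? Alice"
STUDENT = "Amazon: Univ.Student ? Alice"
BBB = "Alice: BBB.member ? Amazon"

@dataclass
class TTG:
    nodes: dict = field(default_factory=dict)  # trust target -> state
    edges: set = field(default_factory=set)    # (src, dst, kind): src enables dst (assumed)

    def extended(self, nodes=(), edges=()):  # one turn: only adds, never removes
        g = TTG(dict(self.nodes), set(self.edges))
        g.nodes.update({n: "unknown" for n in nodes if n not in g.nodes})
        g.edges |= set(edges)
        return g

    def is_supergraph_of(self, old):  # check a peer's update before adopting it
        return old.edges <= self.edges and all(
            n in self.nodes and s in ("unknown", self.nodes[n])
            for n, s in old.nodes.items())

    def release(self, target):  # credential satisfies target only if its guards hold
        guards = [s for s, d, k in self.edges if d == target and k == "control"]
        if any(self.nodes[g] != "satisfied" for g in guards):
            return False  # sensitive credential stays withheld
        self.nodes[target] = "satisfied"
        changed = True
        while changed:  # states only move to "satisfied", so cycles terminate
            changed = False
            for s, d, k in self.edges:
                if k == "implication" and self.nodes[s] == "satisfied" and self.nodes[d] != "satisfied":
                    self.nodes[d], changed = "satisfied", True
        return True

    def to_dot(self):  # Graphviz DOT text, to be laid out by `dot`
        out = ["digraph TTG {", "  rankdir=BT;"]
        out += [f'  "{n}" [label="{n} ({s})"];' for n, s in self.nodes.items()]
        out += [f'  "{s}" -> "{d}" [color={EDGE_COLOR[k]}];' for s, d, k in sorted(self.edges)]
        return "\n".join(out + ["}"])

def run_example():
    g = TTG().extended([PRIMARY])                                   # initial TTG
    g = g.extended([STUDENT], [(STUDENT, PRIMARY, "implication")])  # Amazon's turn
    g = g.extended([BBB], [(BBB, STUDENT, "control")])              # Alice's turn
    early = g.release(STUDENT)  # UID asked for before BBB is shown: refused
    g.release(BBB)              # Amazon shows its BBB credential
    return early, g.release(STUDENT), g
```

Piping the string returned by `to_dot()` into `dot -Tpng` draws the final graph with all three targets marked satisfied.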
Demo of a visualization session
Requester: Alice
– Works at purchase department in Medix Fund (MedixFund.purchasingA)
– She considers this credential sensitive
Resource owner: Medical Supply Company (MedSup)
– A member of ReliefNet (ReliefNet.member)
Requested resource: Discount from MedSup
– MedSup.discount
Delegation credentials transfer privileges between roles
– Role provisioner at ReliefNet is delegated to MedixFund.purchasingA
– cPartner at Medix Fund is delegated to ReliefNet.member
– Discount is given to provisioner at ReliefNet
ATN-Vis Demo
Example -- Start
Requester: Alice Provider: Medical Supply (MedSup)
Example -- 3% progress
Example -- 16% progress
Example -- 19% progress
Example -- 23% progress
Example -- 29% progress
Example -- 42% progress
Example -- 45% progress
Example -- 52% progress
Example -- 61% progress
Example -- 71% progress
Example -- 77% progress
Example -- 74% progress
Example -- 84% progress
Example -- 97% progress
Example -- 100% progress
Related Work
Graph drawing systems
– Grappa [Barghouti, Mocenigo, Lee. GD ’97]
– GraphViz [Ellson, Gansner, Koutsofios, North, Woodhull et al.]
Visualization of protocols
– [Hall, Moore, Pratt, Leslie. SIGCOMM Workshop ’03]
– [Zhao, Mayo. ICEE ’02]
– [Koch, Parisi-Presicce. FASE ’03]
Trust negotiation
– [Winsborough, Seamons, Jones. DISCEX ’00]
– [Yu, Ma, Winslett. CCS ’00]
– [Winsborough, Li. POLICY ’02]
– [Li, Du, Boneh ’03]
Combination of visualization and automated protocols
– Anomaly detection [Teoh, Zhang, Tseng, Ma, Wu. VizSEC/DMSEC ’04]
– Mining geo-spatial datasets [Keim, Panse, Sips, North. CG ’04]
Conclusions and future work
We have described the architecture and data model of an interactive visualization framework for ATN
We have presented a prototype of our ATN visualization framework
Grappa and GraphViz are suitable tools for drawing trust target graphs in ATN
For future work, we plan to bring more interactive components into the implementation
– Provide more interactive explanations of texts inside TTG nodes
– Visualization and modification of negotiation strategies