Trust & Reputation Management

Since their origins, trust management systems have been used to assist entities that have to interact with others in a system, and they have been a very important tool in the decision-making process. Sometimes the available information about the other entities is not enough to establish a secure exchange of information, but the interaction must still take place. Trust management systems try to compensate for this lack of information. In recent years, due to the growth of electronic communications and transactions, reputation systems have been developed to support trust management systems in the trust decision process.

In order to establish the trust relationship, a trust management system is usually composed of a symbolic language for representing trust and a way of measuring trust (trust metrics) that derives the trust assessment.

The research carried out at NICS in this topic has followed different approaches.

In the first stages we mainly concentrated on designing different trust models for different applications. We characterized the most suitable trust metrics to be used in each case, depending on their properties or the nature of the system, and designed a trust model based on graph theory [1]. Sometimes the application case is dynamic, and including time as a parameter for measuring trust is therefore very convenient. We designed a trust model in which time is considered as a parameter in addition to trust and reliability [2]. Other trust models designed at NICS included delegation privileges for access control. In this case, we tackled the problem of how to distribute privileges in a network considering the trust relationships among the different actors. We proposed the use of a trust graph that keeps a record of the trust relationships of the system and helps in deciding on concurrent access requests. The information encoded in the graph is used both to decide on access requests and to order granted requests in terms of their associated trust level [3][4]. We also developed a scale-based trust model in which the context where the interactions among users take place plays a key role. The model we proposed takes into account the semantic side of trust and not only the computational side (usually a numerical value), thus giving users a more meaningful concept of the information they are handling.

From the reputation point of view, we also investigated how, in the context of federated identity management, trust perception can be exported by using a federated reputation system. We proposed a model for deriving trust in online services. In this context, trust is defined as the level of confidence that the service provider holds on the subject interacting with it to behave in a proper way while using the service. Thus, we derive trust by using the reputation values that those users have gained for interacting with these services [5].

Then, our research considered the inclusion of trust and reputation management from the beginning of the development of software services, following the Software Development Life Cycle (SDLC). This work was carried out mainly within the scope of the NESSoS EU project and intersects with another research area: Secure Service Engineering. The first step towards the holistic inclusion of trust and reputation was the elicitation of a trust conceptual framework in which we identified the underlying core concepts of most trust models, abstracting away from the particularities of concrete models [6].

Using the conceptual framework, our focus is on a development framework that allows building trust and reputation models in services and applications. We have thus designed different components that include trust and reputation for each of the different phases of the SDLC. More specifically, we are exploring how trust can be used to make reconfiguration decisions in self-adaptive systems. For the requirements phase we have considered different ways to elicit requirements: designing an extension of UML [7], using extensions of SI* [8], and using patterns [9], [10]. A requirement closely related to trust is privacy. We have considered this relationship in [11], [12]. These last two works considered a specific case of trust models, namely negotiation models. Other works on this type of model also considered the languages needed to include them in the SDLC [13], [14].

The development framework that we have proposed is based on the so-called models@run.time. We called our approach trust@run.time [15]. This framework integrates trust and reputation into a distributed component model that implements the models@run.time paradigm, thus allowing the system to include trust in its reasoning process.

As the IoT paradigm has grown and is now widely used, we have lately developed a framework for including trust and reputation in the design and development of IoT scenarios [16]. In order to realise this framework we have to develop each of the layers that it is composed of [17], [18], [19], [20]. Part of this work has been carried out in the scope of the projects NeCS and PRECISE.


References

  1. I. Agudo, C. Fernandez-Gago, and J. Lopez, "A Model for Trust Metrics Analysis",
    5th International Conference on Trust, Privacy and Security in Digital Business (TrustBus’08), LNCS 5185, Springer, pp. 28-37, 2008.

    Abstract

    Trust is an important factor in any kind of network, essential, for example, in the decision-making process. As important as the definition of trust is the way to compute it. In this paper we propose a model for defining trust based on graph theory and show examples of some simple operators and functions that will allow us to compute trust.

  2. I. Agudo, C. Fernandez-Gago, and J. Lopez, "An Evolutionary Trust and Distrust Model",
    4th Workshop on Security and Trust Management (STM’08), ENTCS 224, Elsevier, pp. 3-12, 2008.

    Abstract

    In this paper we propose a trust model, where besides considering trust and distrust, we also consider another parameter that measures the reliability on the stability of trust or distrust. The inclusion of this new parameter will allow us to use trust in a more accurate way. We consider trust is not static but dynamic and trust values can change along time. Thus, we will also take time into account, using it as a parameter of our model. There is very little work done about the inclusion of time as an influence on trust. We will show the applicability of our model in the scenario of the process of reviewing papers for a conference. Sometimes for this kind of process the Chair of the conference should first find the suitable reviewers. He can make this selection by using our model. Once the reviewers are selected they send out their reviews to the Chair who can also use our model in order to make the final decision about acceptance of papers.

  3. I. Agudo, C. Fernandez-Gago, and J. Lopez, "Delegating Privileges over Finite Resources: A Quota Based Delegation Approach",
    5th International Workshop on Formal Aspects in Security and Trust (FAST’08), LNCS 5491, Springer, pp. 302-315, 2008.

    Abstract

    When delegation in real world scenarios is considered, the delegator (the entity that possesses the privileges) usually passes the privileges on to the delegatee (the entity that receives the privileges) in such a way that the former loses these privileges while the delegation is effective. If we think of a physical key that opens a door, the privilege being delegated by the owner of the key is opening the door. Once the owner of the key delegates this privilege to another entity, by handing over the key, he is not able to open the door any longer. This is due to the fact that the key is not copied and handed over but handed over to the delegatee. When delegation takes place in the electronic world, the delegator usually retains also the privileges. Thus, both users have them simultaneously. This situation, which in most cases is not a problem, may be undesirable when dealing with certain kinds of resources. In particular, if we think of finite resources, those in which the number of users accessing simultaneously is finite, we cannot allow that a user delegating his access privilege is also granted access when the delegation is effective. In this paper we propose an approach where each user is delegated an access quota for a resource. If further delegating of the delegated quota occurs, this is subtracted from his quota. That is, when delegating, part of the quota remains with the delegator and another part goes to the delegatee. This allows a fairer access to the resource. Moreover, we show that this approach can also be applied to any kind of resources by defining appropriate authorization policies.

  4. I. Agudo, C. Fernandez-Gago, and J. Lopez, "A Scale Based Trust Model for Multi-Context Environments",
    Computers and Mathematics with Applications, vol. 60, Elsevier, pp. 209-216, July, 2010. (I.F.: 1.472)

    Abstract

    When interactions among users of a system have to take place, for example, over the internet, establishing trust relationships among these users becomes crucial. However, the way this trust is established depends to a certain extent on the context where the interactions take place. Most of the time, trust is encoded as a numerical value that might not be very meaningful for a not very experienced user. In this paper we propose a model that takes into account the semantic and the computational sides of trust. This avoids users having to deal directly with the computational side; they instead deal with meaningful labels such as Bad or Good in a given context.

    Impact Factor: 1.472
    Journal Citation Reports® Science Edition (Thomson Reuters, 2010)

  5. I. Agudo, C. Fernandez-Gago, and J. Lopez, "A Multidimensional Reputation Scheme for Identity Federations",
    Sixth European Workshop on Public Key Services, Applications and Infrastructures (EuroPKI’09), LNCS 6391, Springer, pp. 225-238, 2009.

    Abstract

    Deciding who to trust in the internet of services paradigm is an important and open question. How to do it in an optimal way is not always easy to determine. Trust is usually referred to a particular context whereas a single user may interact in more than one given context. We are interested in investigating how a Federated Reputation System can help exporting trust perceptions from one context to another. We propose a model for deriving trust in online services. In this context, trust is defined as the level of confidence that the service provider holds on the subject interacting with it to behave in a proper way while using the service. Thus, we derive trust by using the reputation values that those users have gained for interacting with these services.

  6. F. Moyano, C. Fernandez-Gago, and J. Lopez, "A Conceptual Framework for Trust Models",
    9th International Conference on Trust, Privacy & Security in Digital Business (TrustBus 2012), S. Fischer-Hübner, S. Katsikas, and G. Quirchmayr Eds., LNCS 7449, Springer Verlag, pp. 93-104, Sep 2012.

    Abstract

    During the last twenty years, a huge amount of trust and reputation models have been proposed, each of them with their own particularities and targeting different domains. While much effort has been made in defining ever-increasing complex models, little attention has been paid to abstract away the particularities of these models into a common set of easily understandable concepts. We propose a conceptual framework for computational trust models that will be used for analyzing their features and for comparing heterogeneous and relevant trust models.

  7. F. Moyano, C. Fernandez-Gago, and J. Lopez, "Towards Engineering Trust-aware Future Internet Systems",
    3rd International Workshop on Information Systems Security Engineering (WISSE 2013), X. Franch, and P. Soffer Eds., LNBIP 148, Springer-Verlag, pp. 490-501, Jun 2013.

    Abstract

    Security must be a primary concern when engineering Future Internet (FI) systems and applications. In order to achieve secure solutions, we need to capture security requirements early in the Software Development Life Cycle (SDLC). Whereas the security community has traditionally focused on providing tools and mechanisms to capture and express hard security requirements (e.g. confidentiality), little attention has been paid to other important requirements such as trust and reputation. We argue that these soft security requirements can leverage security in open, distributed, heterogeneous systems and applications and that they must be included in an early phase as part of the development process. In this paper we propose a UML extension for specifying trust and reputation requirements, and we apply it to an eHealth case study.

  8. F. Paci, C. Fernandez-Gago, and F. Moyano, "Detecting Insider Threats: a Trust-Aware Framework",
    8th International Conference on Availability, Reliability and Security, IEEE, pp. 121-130, Nov 2013.

    Abstract

    The number of insider threats hitting organizations and big enterprises is rapidly growing. Insider threats occur when trusted employees misuse their permissions on organizational assets. Since insider threats know the organization and its processes, very often they end up undetected. Therefore, there is a pressing need for organizations to adopt preventive mechanisms to defend against insider threats. In this paper, we propose a framework for insiders identification during the early requirement analysis of organizational settings and of its IT systems. The framework supports security engineers in the detection of insider threats and in the prioritization of them based on the risk they represent to the organization. To enable the automatic detection of insider threats, we extend the SI* requirement modeling language with an asset model and a trust model. The asset model allows associating security properties and sensitivity levels to assets. The trust model allows specifying the trust level that a user places in another user with respect to a given permission on an asset. The insider threats identification leverages the trust levels associated with the permissions assigned to users, as well as the sensitivity of the assets to which access is granted. We illustrate the approach based on a patient monitoring scenario.

  9. F. Moyano, C. Fernandez-Gago, K. Beckers, and M. Heisel, "Engineering Trust- and Reputation-based Security Controls for Future Internet Systems",
    The 30th ACM/SIGAPP Symposium On Applied Computing (SAC 2015), pp. 1344-1349, 08/2015.
  10. F. Moyano, C. Fernandez-Gago, K. Beckers, and M. Heisel, "Enhancing Problem Frames with Trust and Reputation for Analyzing Smart Grid Security Requirements",
    Smart Grid Security - Second International Workshop, J. Cuellar Eds., LNCS 8448, Springer, pp. 166-180, Aug, 2014.
  11. R. Rios, C. Fernandez-Gago, and J. Lopez, "Privacy-Aware Trust Negotiation",
    12th International Workshop on Security and Trust Management (STM), vol. LNCS 9871, Springer, pp. 98-105, 09/2016.

    Abstract

    Software engineering and information security have traditionally followed divergent paths but lately some efforts have been made to consider security from the early phases of the Software Development Life Cycle (SDLC). This paper follows this line and concentrates on the incorporation of trust negotiations during the requirements engineering phase. More precisely, we provide an extension to the SI* modelling language, which is further formalised using answer set programming specifications to support the automatic verification of the model and the detection of privacy conflicts caused by trust negotiations.

  12. R. Rios, C. Fernandez-Gago, and J. Lopez, "Modelling Privacy-Aware Trust Negotiations",
    Computers & Security, vol. 77, issue August 2018, Elsevier, pp. 773-789, 2018. (I.F.: 3.062)

    Abstract

    Trust negotiations are mechanisms that enable interaction between previously unknown users. After exchanging various pieces of potentially sensitive information, the participants of a negotiation can decide whether or not to trust one another. Therefore, trust negotiations bring about threats to personal privacy if not carefully considered. This paper presents a framework for representing trust negotiations in the early phases of the Software Development Life Cycle (SDLC). The framework can help software engineers to determine the most suitable policies for the system by detecting conflicts between privacy and trust requirements. More precisely, we extend the SI* modelling language and provide a set of predicates for defining trust and privacy policies and a set of rules for describing the dynamics of the system based on the established policies. The formal representation of the model facilitates its automatic verification. The framework has been validated in a distributed social network scenario for connecting drivers with potential passengers willing to share a journey.

    Impact Factor: 3.062
    Journal Citation Reports® Science Edition (Thomson Reuters, 2018)

  13. M. Kolar, C. Fernandez-Gago, and J. Lopez, "A Model Specification for the Design of Trust Negotiations",
    Computers & Security, vol. 84, issue July 2019, Elsevier, pp. 288-300, 04/2019. (I.F.: 3.579)

    Abstract

    Trust negotiation is a type of trust management model for establishing trust between entities by a mutual exchange of credentials. This approach was designed for online environments, where the attributes of users, such as skills, habits, behaviour and experience are unknown. Required criteria of trust negotiation must be supported by a trust negotiation model in order to provide a functional, adequately robust and efficient application. Such criteria were identified previously. In this paper we are presenting a model specification using a UML-based notation for the design of trust negotiation. This specification will become a part of the Software Development Life Cycle, which will provide developers a strong tool for incorporating trust and trust-related issues into the software they create. The specification defines components and their layout for the provision of the essential functionality of trust negotiation on one side as well as optional, additional features on the other side. The extra features make trust negotiation more robust, applicable for more scenarios and may provide a privacy protection functionality.

    Impact Factor: 3.579
    Journal Citation Reports® Science Edition (Thomson Reuters, 2019)

  14. M. Kolar, C. Fernandez-Gago, and J. Lopez, "Policy Languages and Their Suitability for Trust Negotiation",
    32nd Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy XXXII, 2018, vol. 10980, Springer, Cham, pp. 69-84, 07/2018.

    Abstract

    Entities, such as people, companies, institutions, authorities and web sites live and exist in a conjoined world. In order to live and enjoy social benefits, entities need to share knowledge, resources and to cooperate together. The cooperation brings with it many new challenges and problems, among which one is the problem of trust. This area is also important for Computer Science. When unfamiliar entities wish to cooperate, they do not know what to expect nor whether they can trust each other. Trust negotiation solves this problem by sequentially exchanging credentials between entities, which have decided to establish a trust relationship in order to reach a common goal. Entities specify their own policies that handle a disclosure of confidential information to maintain their security and privacy. Policies are defined by means of a policy language. This paper aims to identify the most suitable policy language for trust negotiation. To do so, policy languages are analysed against a set of criteria for trust negotiation that are first established.

  15. F. Moyano, C. Fernandez-Gago, and J. Lopez, "A Model-driven Approach for Engineering Trust and Reputation into Software Services",
    Journal of Network and Computer Applications, vol. 69, Elsevier, pp. 134-151, 04/2016. (I.F.: 3.500)
    Impact Factor: 3.500
    Journal Citation Reports® Science Edition (Thomson Reuters, 2016)

  16. C. Fernandez-Gago, F. Moyano, and J. Lopez, "Modelling Trust Dynamics in the Internet of Things",
    Information Sciences, vol. 396, Elsevier, pp. 72-82, 2017. (I.F.: 4.305)

    Abstract

    The Internet of Things (IoT) is a paradigm based on the interconnection of everyday objects. It is expected that the ‘things’ involved in the IoT paradigm will have to interact with each other, often in uncertain conditions. It is therefore of paramount importance for the success of IoT that there are mechanisms in place that help overcome the lack of certainty. Trust can help achieve this goal. In this paper, we introduce a framework that assists developers in including trust in IoT scenarios. This framework takes into account trust, privacy and identity requirements as well as other functional requirements derived from IoT scenarios to provide the different services that allow the inclusion of trust in the IoT.

    Impact Factor: 4.305
    Journal Citation Reports® Science Edition (Thomson Reuters, 2017)

  17. D. Ferraris, and C. Fernandez-Gago, "TrUStAPIS: A Trust Requirements Elicitation Method for IoT",
    International Journal of Information Security, Springer, pp. 111-127, 01/2020, 2019. (I.F.: 1.494)

    Abstract

    The Internet of Things (IoT) is an environment of interconnected entities, which are identifiable, usable and controllable via the Internet. Trust is useful for a system such as the IoT as the entities involved would like to know how the other entities they have to interact with are going to perform.
    When developing an IoT entity, it will be desirable to guarantee trust during its whole life cycle. Trust domain is strongly dependent on other domains such as security and privacy.
    To consider these domains as a whole and to elicit the right requirements since the first phases of the System Development Life Cycle (SDLC) is a key point when developing an IoT entity.
    This paper presents a requirements elicitation method focusing on trust plus other domains such as security, privacy and usability that increase the trust level of the IoT entity developed. To help the developers to elicit the requirements, we propose a JavaScript Notation Object (JSON) template containing all the key elements that must be taken into consideration.
    We emphasize the importance of the concept of traceability. This property makes it possible to connect all the elicited requirements, guaranteeing more control on the whole requirements engineering process.

    Impact Factor: 1.494
    Journal Citation Reports® Science Edition (Thomson Reuters, 2019)

  18. D. Ferraris, D. Bastos, C. Fernandez-Gago, F. El-Moussa, and J. Lopez, "An Analysis of Trust in Smart Home Devices",
    The 20th World Conference on Information Security Applications: WISA-Workshop 2019, Springer, In Press.

    Abstract

    In recent times, smart home devices like Amazon Echo and Google Home have reached mainstream popularity. These devices are intrinsically intrusive, being able to access user’s personal information. There are growing concerns about indiscriminate data collection and invasion of user privacy in smart home devices. Improper trust assumptions and security controls can lead to unauthorized access of the devices, which can have severe consequences (i.e. safety risks). In this paper, we analysed the behaviour of smart home devices with respect to trust relationships. We set up a smart home environment to evaluate how trust is built and managed. Then, we performed a number of interaction tests with different types of users (i.e. owner, guests). As a result, we were able to assess the effectiveness of the provided security controls and identify some relevant security issues. To address them, we defined a trust model and proposed a solution based on it for securing smart home devices.

  19. D. Ferraris, C. Fernandez-Gago, J. Daniel, and J. Lopez, "A Segregated Architecture for a Trust-based Network of Internet of Things",
    IEEE Consumer Communications & Networking Conference 2019, IEEE, 03/2019.

    Abstract

    With the ever-increasing number of smart home devices, the issues related to these environments are also growing. With an ever-growing attack surface, there is no standard way to protect homes and their inhabitants from new threats. The inhabitants are rarely aware of the increased security threats that they are exposed to and how to manage them. To tackle this problem, we propose a solution based on segmented architectures similar to the ones used in industrial systems. In this approach, the smart home is segmented into various levels, which can broadly be categorised into an inner level and external level. The external level is protected by a firewall that checks the communication from/to the Internet to/from the external devices. The internal level is protected by an additional firewall that filters the information and the communications between the external and the internal devices. This segmentation guarantees a trusted environment between the entities belonging to the internal network. In this paper, we propose an adaptive trust model that checks the behaviour of the entities and, through this model, in case the entities violate trust rules they can be put in quarantine or banned from the network.

  20. D. Ferraris, C. Fernandez-Gago, and J. Lopez, "A Trust-by-Design Framework for the Internet of Things",
    2018 9th IFIP International Conference on New Technologies Mobility and Security (NTMS), IEEE, 04/2018.

    Abstract

    The Internet of Things (IoT) is an environment of interconnected entities, that are identifiable, usable and controllable via the Internet. Trust is necessary in a system such as IoT as the entities involved should know the effect of interacting with other entities. Moreover, the entities must also be able to trust a system to reliably use it. An IoT system is composed of different entities from different vendors, each of them with a different purpose and a different lifecycle. So considering trust in the whole IoT system lifecycle is useful and necessary to guarantee a good service for the whole system. The heterogeneity and dynamicity of this field make it difficult to ensure trust in IoT. We propose a trust by design framework for including trust in the development of an IoT entity considering all the phases of the life-cycle. It is composed of the K-Model and transversal activities.