Model checking of robustness properties in trust and reputation systems

Highlights

• A model checking framework for verifying robustness of Trust and Reputation Systems.

• A Probabilistic Action and Reward based Computational Tree Logic and the algorithms.

• The proposed framework has been implemented as a tool named TRIM-Checker.

• Security of some Trust and Reputation Systems are verified and compared together.

Abstract

Trust and reputation systems (TRSs) are used in cooperative environments where an agent needs to make a decision for requesting or performing a service. However, TRSs can be abused by malicious agents who do sequences of dishonest actions (attacks). Although there are proposals on verification of TRSs against attacks, they are not comprehensive enough to evaluate various Trust Computation Models (TCMs) and/or do not provide sufficient expressive power to specify different required robustness properties. In this paper, we introduce a comprehensive framework for specifying and verifying various robustness properties in TRSs through model checking approach. The proposed framework includes three main parts: (1) a logic for specification of robustness properties of TRSs named Probabilistic Action and Reward based Computation Tree Logic (PARCTL), (2) an enhanced version of our previously proposed model for specifying TRSs in hostile environments named Trust and Reputation Interaction Model (TRIM), and (3) the required algorithms for quantitative and probabilistic model checking of PARCTL properties over the specified model. The proposed framework has been implemented as a tool named TRIM-Checker. Our experimental results on robustness analysis of famous eBay, Beta, and CORE TCMs using TRIM-Checker are presented and their robustness against attacks is evaluated and compared together.

Introduction

Trust and reputation systems (TRSs) are security mechanisms for giving incentives or applying sanctions to force community members to act based on the norms of the community [1]. In fact, TRSs evaluate trust and reputation based on ratings of the interactions recorded by agents (rate history) and opinions of other agents about members of the community (recommendations). More exactly, these systems do some calculations on the rate history and/or recommendations to find a score that can be used as a decision-making criterion. TRSs are considered to be a part of next-generation security mechanisms named soft security [1], [2], [3] which are based on social control norms rather than traditional security mechanisms (hard security) such as authentication and access control. TRSs can be used in many applications such as online market places [4], [5], [6], online service provisions [7], mobile ad-hoc networks [8], [9], [10], web service selection [11], and social networks [12]. In these systems normally an agent of the community needs to make a decision for requesting or performing a service using TRSs.

Although TRSs can improve the quality of decisions and hence the overall benefit of the agents, they may lead to the reverse outcome in the presence of malicious agents (attackers) who do misleading behaviors. More precisely, attackers can conduct trust attacks (i.e. some sequences of actions based on an attack plan) to achieve their misleading goals such as “increasing probability of selecting a malicious service provider”. Investigating the literature, it is revealed that there exist different trust attacks such as On–off, Re-entry, Slandering, Promoting, and Collusion [13], [14], [15]. Also, it has been shown that TRSs have different degrees of robustness against trust attacks [14], [16], [17]. Therefore TRSs should be designed robust enough to resist against malicious attackers. This is while most of the proposed TRSs are not comprehensively evaluated to check their robustness against trust attacks.

In practice, most of the proposed TRSs either left unevaluated or are evaluated using simulations and case study analysis [14], [16]. However, we know that simulation and case study analysis are not exact and comprehensive enough to check the robustness of TRSs against malicious attackers. Indeed verification methods are better candidates in this regard. Using simulation methods for assessment of TRSs does not encompass all state space of the system, while verification methods can do that. There are a small number of proposals for evaluating TRSs against trust attacks based on verification methods including [18], [19], [20], [21], [22], [23], [24], [25], [26], [27]. However, most of the proposed verification methods for TRSs suffer from inexpressive formalism and limited applicability or lack the ability to define different robustness criteria. In fact, the proposals for verification of TRSs like [22] that are based on a qualitative approach, do not provide any comparative robustness criterion at all. On the other hand, the robustness criteria offered by quantitative verification approaches such as [18], [19], [20], [21], [23], [24], [25], [26], [27] have some shortcomings because they are normally defined in terms of some vague parameters of the system.

Reviewing the works done on the evaluation of TRSs through formal verification or simulation, it is revealed that although formal verification is a more accurate and more complete assessment method than simulation, the formal verification methods presented so far yet suffer from a number of shortcomings:

• Lack of good infrastructure to specify a wide range of robustness properties based on attack goals,

• Using weak robustness measures which are incompatible with attacks,

• Absence of specification language and verification algorithms that are consistent with the nature of TRSs, and

• Lack of a user-friendly tool to model and verify TRSs.

Note that using an improper robustness criterion leads to inaccurate or incomplete TRS assessment. Indeed, the robustness criterion should be defined in such a way that it can show how much the employed TRS is suitable to prevent attackers from reaching their misleading goals.

In this paper, we present a framework for modeling and verification of TRSs against trust attacks using model checking approach. Model-checking is a formal verification approach that is used to check whether a model meets the given properties or not. The properties are normally specified through a well-formed logic. Then, the supplied algorithms check the satisfaction of the defined properties on the model. We consider TRS as part of an interacting agent system, so we adopted and extended our previously proposed Trust and Reputation Interaction Model (TRIM) [28] that comprises a comprehensive model for formalizing agents of the community and their trust-based interactions. We need also a well-formed logic to be able to coherently specify a wide range of robustness properties over TRIM. Because trust attacks are conducted to achieve a variety of goals, a language with sufficient expressive power for defining different robustness properties is required. Due to the nature of trust attack goals, using a language that supports probabilistic and reward-based primitives is required to specify the robustness properties. In addition, since trust attacks are sequences of system-allowed actions, in the definition of the robustness criterion, the system actions should also be addressed. For example, to show how much TRS is able to force attackers to perform max-quality services, the following robustness measure might be used: “What is the probability of providing a max-quality service by an attacker service provider in the 10th epoch of the system?” This, in fact, shows how much the TRS is robust against attackers who want to provide poor quality services. Therefore, we introduce Probabilistic Action and Reward based Computation Tree Logic (PARCTL) for the specification of the robustness properties. The proposed logic has the ability to specify a wide range of robustness properties which might be defined based on probability, reward, actions, or a combination of them. To the best of our knowledge, there is not any probabilistic, action and reward-based logic to specify robustness properties of TRSs in previous works. For model checking PARCTL properties over the specified model, the required on-the-fly probabilistic and quantitative model checking algorithms are also introduced. The on-the-fly model-checking algorithms help us to build a dynamic model of the TRIM during verifying the PARCTL properties. This partially simplifies the state-explosion problem caused by building the whole model before the model-checking phase.

The proposed framework has been implemented as a tool named TRIM-Checker [29]. The tool has the ability to model various environments, attacks, TRSs, and robustness properties through a user-friendly interface. TRIM-Checker provides a simple and comprehensive environment to define TRS verification projects.

To show the applicability and the results of the proposed framework and the tool, we conducted a number of experiments on three famous eBay, Beta and CORE reputation models as samples to verify and compare the robustness of these systems based on some specified robustness criteria. The evaluation results indicate that the robustness of different TRSs against each attack is varied based on the goals of the attack and the robustness criteria defined in accordance with the goals. For example, considering a so defined “Sanctioning robustness measure (SRM)”, we found that the eBay is the least (the most) robust TCM against collusion slandering (Re-entry) On-off dishonest service attack.

The paper is organized as follows: Section 2 reviews the related work on verification of TRSs. Section 3 shows how an adopted and extended version of TRIM can be used for modeling TRSs in hostile environments. Section 4 presents an updated view of the TRIM run-time behavior. Section 5 introduces both PARCTL and on-the-fly model checking algorithms for evaluating the satisfaction of quantitative and probabilistic formulas of PARCTL over the specified TRS model. Section 6 exhibits the experimental evaluation of the proposed framework using the TRIM-Checker tool, and finally, Section 7 concludes the paper.