Trust in Networks and Networked Systems
John S. BarasThe Institute for Systems Research,
Electrical and Computer Engineering Department,Applied Mathematics, Statistics and Scientific Computation Program
University of Maryland College ParkUSA
December 7, 2017ANU Workshop on Systems and Control
ANU, Canberra, Australia
Acknowledgments
• Joint work with: Peixin Gao, Tao Jiang, Ion Matei, Kiran Somasundaram, Xiangyang Liu, George Theodorakopoulos
• Sponsors: NSF, ARO, ARL, AFOSR, NIST, DARPA, Lockheed Martin, Northrop Grumman, Telcordia (ACS)
2
Networked Systems
Infrastructure / Communication Networks
Internet / WWWMANETSensor NetsRobotic NetsHybrid Nets: Comm, Sensor, Robotic and Human Nets
Social / Economic Networtks
Social Interactions
CollaborationSocial FilteringEconomic
AlliancesWeb-based
social systems
Biological Networks
CommunityEpiddemicCellular and Sub-cellularNeuralInsectsAnimal Flocks
3
Networks and Trust
• Trust and reputation critical for collaboration• Characteristics of trust relations:
– Integrative (Parsons1937) – main source of social order– Reduction of complexity – without it bureaucracy and
transaction complexity increases (Luhmann 1988)– Trust as a lubricant for cooperation (Arrow 1974) –
rational choice theory• Social Webs, Economic Webs
– MySpace, Facebook, Windows Live Spaces, Flickr, Classmates Online, Orkut, Yahoo! Groups, MSN Groups
– e-commerce, e-XYZ, services and service composition – Reputation and recommender systems
4
Indirect Network Trust
1 7
5
3
4
2
6
8
User 8 asks for access to User 1’s files.User 1 and User 8 have no previous interaction
What should User 1 do?Use transitivity of trust(i.e. use references to
compute indirect trust)
5
6
Indirect Trust: System Model
• System mapped to a weighted, directed graph– Vertices : entities/users– Edges : direct trust relations– Weights : w(i,j) = How much i trusts j
• Establish an indirect trust relation, between users that have not had direct interactions– We assume that trust is transitive (at least partially)
• Trust computation: path problem on a graph– Information about j that is useful to i
Directed paths from i to j
– Combine information along each path, and then aggregate across paths
7
Semirings-Examples
• Shortest Path Problem– Semiring:– is + and computes total path delay– is and picks shortest path
• Bottleneck Problem– Semiring:– is and computes path bandwidth– is and picks highest bandwidth
8
Trust Semiring Properties:Partial Order
• Combined along-a-path weight should not increase :
• Combined across-paths weight should not decrease :
2 31
b
a
a b
9
Trust Path Semiring
• 0 £ trust, confidence £ 1• is• is
10
Trust Distance Semiring
• Motivated from Eisner’s Expectation Semiring (2002) (speech/language processing)
(a1, b1) (a2, b2) = (a1b2+a2b1, b1b2)(a1, b1) (a2, b2) = (a1 + a2, b1 + b2)
• 0 £ trust, confidence £ 1, (t, c) (c/t, c)S = [0, ¥] x [0,1]
• is
• is
11
Computing Indirect Trust
• Path interpretation
• Linear system interpretation
• Treat as a linear system– We are looking for its steady state.
Indicator vector of pre-trusted nodes
1
i j i k k jUser k
n n
t t w
t W t b
12
Attacks to Indirect Trust
• ATTACK the trust computation!– Aim: Increase t1→8 to a level that would
grant access.
• How?– Edge attack: change opinion on an edge
(trick a node into forming false opinion)– Node attack: change any opinion
emanating from a node (gain complete control of a node)
13
Attacks to Indirect Trust
1 7
5
3
4
2
6
8
Edge Attack
14
Attacks to Indirect Trust
1 7
5
3
4
2
6
8
Node Attack
15
Edge Tolerances
• Upper (Lower) edge tolerance of an edge e, w.r.t. an optimal path p*, is the highest (lowest) weight of ethat would preserve the optimality of p*.
• In a shortest path problem (min, +), the most vital edge is the path edge whose weight has the largest difference with the upper tolerance.
• In a maximum capacity problem (max, min), the most vital edge is the path edge whose weight has the largest difference with the lower tolerance.
16
Upper Tolerance Example
• Upper Tolerances for the Shortest Path Problem
42
1 3 51
665 5
10
Most Vital Edge
10
∞ ∞∞ ∞
12
Upper Tolerances
Shortest Path
17
Lower Tolerance Example
• Lower Tolerances for the Shortest Path Problem
42
1 3 51
665 5
10
-∞
4 4-4 -4
-∞
Lower Tolerances
Shortest Path
“Smallest” required changes
18
Attacked Edge on the Path
1 7
5
3
4
2
6
8
Trust Edge Attack
Optimal Path p*, trust value: t*
RESULT: Decrease Trust!
19
Attacked Edge not on the Path
1 7
5
3
4
2
6
8
Trust Edge Attack
Optimal Path p*, trust value: t*
RESULT:Increase Trust!Change Path!
New Optimal Path p’, trust value: t’
20
Tolerances for any Optimization Semiring
• Optimization semirings: is min or max• -minimal (maximal) tolerance αe (βe) of edge e instead of lower
(upper) tolerance.• is the inverse of defined by: a x = b x = b a• w(e) is the weight of edge e. w(p) is the weight of path p.
If e p* If e p*
21
Tolerances for the Trust Semiring
• Assume (max, ·) semiring; essentially equivalent to our trust semiring.
• Tolerances:If e p* If e p*
Distributed Kalman Filtering and Tracking: Performance Improvements from Trusted Core
• Realistic sensor networks: Normal nodes, faulty or corrupted nodes, malicious nodes
• Hierarchical scheme – provide global trust on a particular context without requiring direct trust on the same context between all agents
• Combine techniques from fusion centric, collaborative filtering, estimation propagation
• Trusted Core– Trust Particles, higher security, additional sensing capabilities,
broader observation of the system, confidentiality and integrity, multipath comms
– Every sensor can communicate with one or more trust particles at a cost
22
Trust and Induced Graphs
23
Induced Graph G (V, A)
Weighted Directed Dynamic Trust Graph Gt (V, At )
tcV V
( , ) ( ( , ), ( , )[ ])w i j c i j t i j n
Trust relation
Goals of Trusted System
1. All the sensors which abide by the protocols of sensing and message passing, should be able to track the trajectories.
2. This implies that those nodes which have poor sensing capabilities, nodes with corrupted sensors, should be aided by their neighbors in tracking.
3. Those nodes which are malicious and pass false estimates, should be quickly detected by the trust mechanism and their estimates should be discarded.
24
[ 1] [ ] [ ]
[ ] [ ] [ ] [ ]
[ ] [ ] [ ]i i i
tc tc tc
x n Ax n Bw n
z n H n x n v n
z H n x n v n
Trusted DKF and Particles
25
• Can use any valid trust system as trust update component
• Can replace DKF with any Distributed Sequential MMSE or other filter
• Trust update mechanism: Linear credit and exponential penalty
Trusted DKF Performance
26
Open Loop Performance Closed Loop PerformanceTrust System Performance
Power Grid Cyber‐security
• Inter‐area oscillations (modes)– Associated with large inter‐connected power networks between clusters of generators
– Critical in system stability– Requiring on‐line observation and control
• Automatic estimation of modes– Using currents, voltages and angle differences measured by PMUs (Power Management Units) that are distributed throughout the power system
27
System Model
• Linearization around the nominal operating points– The initial steady–state value is eliminated – Disturbance inputs consist of M frequency modes defined as
oscillation amplitudes; damping constants;oscillation frequencies; phase angles of the oscillations
– Consider two modes and use the first two terms in the Taylor series expansion of the exponential function; expanding the trigonometric functions:
1 1 12
( ) exp( )cos( ) exp( )cos( )M
i i i ii
f t a t t a t t
:ia :i:i :i
1 1 1
2 2 2 2 2 2
( ) (1 )cos( )(1 )[cos cos( ) sin sin( )].
f t a t ta t t t
28
Distributed Estimation
• To compute an accurate estimate of the state x (k), using: – local measurements yj (k); – information received from the PMUs in its communication neighborhood; – confidence in the information received from other PMUs provided by the
trust model
PMUPMU
PMU
GPS Satellite
N multiple recording sites (PMUs) to measure the output signals
29
30
Trust Model
• To each information flow (link) j i, we attach a positive value Tij , which represents the trust PMU i has in the information received from PMU j ;
• Trust interpretation: – Accuracy– Reliability
• Goal: Each PMU has to compute accurate estimates of the state, by intelligently combining the measurements and the information from neighboring PMUs
Trust‐based Multi‐agent State Estimation
• Main idea: pick the weights wij to be trust dependent
• Does not require global information about the power grid topology
• Ensures greater robustness in computing the state estimate
31
Numerical Example
• 3‐generators, 9‐bus system:
32
Numerical example (cont.)
• We assume that a PMU is placed at each bus that measures the complex voltages and currents (in the case of adjacent buses).
• The state vector is formed by the voltages measured at buses, i.e., X = (Ui), where Ui is the complex voltage at bus i.
• Measurement model:In the case the buses (i, j) are adjacent
where the measurement vector Zi(k)′= (Ui(k), Iij(k)), Yij is the admittance of line (i, j) and Vi(k) is the complex measurement noise
Numerical Example (cont.)
• PMU network: Compromised node
34
Numerical Example (cont.)
• Estimates of the voltage at bus 1 using Algorithm 1, with agent 8 injecting false data
35
Numerical Example (cont.)
• Estimates of the voltage at bus 1 using Algorithm 3, with agent 8 injecting false data
36
Numerical Example (cont.)
• The evolution of agent 4’s weights
37
MANET Trust Aware Routing --Trust/Reputation Systems
• Components– Monitoring and Detection Modules– Reputation Control System– Response Modules
• Our approach is different: build and use a Trusted Sentinel Sub-Network (SSN), which is responsible for monitoring and flooding reputation measures
• Logically decouple the Trust/Reputation System from other network functionalities
• Demonstrate that logical constraints on the SSN translate to constraints on the communication graph topology of the network
• Trade-off analysis between security and performance38
Path problems on Graphs –Delay and Trust Semirings
Notions of Optimality: Pareto, Lexicographic, Max-Ordering, Approximation Semirings
i j(d(i,j), t(i,j))
( , )
( , ) ( , )
min ( ) min ( , )
max ( ) max min ( , ) min max( ( , ))
SD SD
SDSD SD
p p i j p
i j p pp p i j p
d p d i j
t p t i j t i j
P P
PP P
DelaySemiring
Trust Semiri
:( {0}, min, )
: ( {0}, minng , max)
R
R
2:( ) ( ( ), ( )),
SD
SD
f Rf p d p t p pP
P
39
Trust Aware Routing –Multi‐Criteria Optimization Problem
• Delay of a path “p”
• Trust of a path “p” –bottleneck trust
( , )
( ) ( , )i j p
d p d i j
( , )( ) min ( , )i j pt p t i j
j2
ij4
j3j1
j5
j7J6
Bi‐metric Network
40
Haimes Method –Two Stage Recipe
G (V,E)Source
1. G’ – reduced graph O(|E|) 2. G’SP – SP on reduced graph O(|V|.|E|)
41
What is a Network …?
• In several fields or contexts:
42
– social– economic– communication– control– sensor– biological– physics and materials
A Network is …
• A collection of nodes, agents, …that collaborate to accomplish actions, gains, …that cannot be accomplished with out such collaboration
• Most significant concept for autonomic networks
43
The Fundamental Trade-off
• The nodes gain from collaborating• But collaboration has costs (e.g. communications)• Trade-off: gain from collaboration vs cost of
collaborationVector metrics involved typicallyConstrained Coalitional Games
44
Example 1: Network Formation -- Effects on Topology Example 2: Collaborative robotics, communications Example 3: Web-based social networks and services
● ● ● Example 4: Groups of cancer tumor or virus cells
Gain
• Each node potentially offers benefits V per time unit to other nodes: e.g. V is the number of bits per time unit.
• Potential benefit V is reduced during transmissions due to transmission failures and delay
• Jackson-Wolingsky connections model, gain of node i
• rij is # of hops in the shortest path between i and j
• is the communication depreciation rate
1( ) ijr
ij g
w G V
0 1
if there is no path between and ijr i j
45
Cost
• Activating links is costly– Example – cost is the energy consumption for
sending data– Like wireless propagation model, cost cij of link ij as a
function of link length dij :
• P is a parameter depending on the transmission/receiver antenna gain and the system loss not related to propagation
• is path loss exponent -- depends on specific propagation environment.
ij ijc Pd
46
Pairwise Game and Convergence
• Payoff of node i from the network is defined as
• Iterated process– Node pair ij is selected with probability pij– If link ij is already in the network, the decision is whether to
sever it, and otherwise the decision is whether to activate the link– The nodes act myopically, activating the link if it makes each at
least as well off and one strictly better off, and deleting the link if it makes either player better off
– End: if after some time, no additional links are formed or severed– With random mutations , the game converges to a unique
Pareto equilibrium (underlying Markov chain states )
( ) gain cost ( ) ( )i i iv G w G c G
47
G
Coalition Formation at the Stable State
• The cost depends on the physical locations of nodes– Random network where nodes are placed according to a uniform
Poisson point process on the [0,1] x [0,1] square.• Theorem: The coalition formation at the stable state for n∞
— Given is a
sharp threshold for establishing the grand coalition ( number of coalitions = 1).
— For , the threshold is
less than
20
ln,
nV P
n
0 1 2
ln.
nPn
n = 20
48
Topologies Formed
49
50
Trust and Collaborative Control/Operation
Two linked dynamics• Trust / Reputation
propagation and collaborative control evolution
• Beyond linear algebra and weights, semirings of constraints, constraint programming, soft constraints semirings, policies, agents
• Learning on graphs and network dynamic games: behavior, adversaries• Adversarial models, attacks, constrained shortest paths, …
• Integrating network utility maximization (NUM) with constraint based reasoning and coalitional games
An example of constrained
coalitional games
51
Trust Dynamics and ‘Local’ Voting Rules
Initial “islands” of trusts
Trust spreads
Trust-connectednetwork
• Trust and mistrust spreading
● ‘Generalized consensus’ problems● Spin glasses (from statistical physics), phase transitions
( 1) , ( ) | i ji j is k f J s k j N
52
Results of Game Evolution
● Theorem: , there exists τ0, such that for a reestablishing period τ > τ0– iterated game converges to Nash equilibrium;– In the Nash equilibrium, all nodes cooperate with all their neighbors.
● Compare games with (without) trust mechanism, strategy update:
and
ii i ijj N
i N x J
Percentage of cooperating pairs vs negative links Average payoffs vs negative links
Future Directions
• Constrained coalitional games, constrained satisfaction problems and spin glasses – better algorithms?
• Dynamic hypergraphs over semirings – replace weights with rules (hard and soft constraints, logic)
• Time varying hypergraphs – mixing – statistical physics • Generalized constrained shortest path problems –
multiple semirings• Design of high integrity reputation systems, resilient trust • Network self-organization to improve resiliency/robustness• Role of trust in establishing composable security• Networks of agents with dynamic positive and negative trust
(recommendations)? 53
Top Related