A Behavioural Model for Client Reputation - A client reputation model ...

Introduction Related work Proposed solution Adversary model Future work and conclusion References

A Behavioural Model for Client Reputation A client reputation model based on behavioural history

A Basu, I Wakeman, D Chalmers and J R Robinson Software Systems Group, Department of Informatics University of Sussex

Trust in Mobile Environments workshop in IPIFTM 2008 17 June 2008 Trondheim, Norway

A Basu, I Wakeman, D Chalmers and J R Robinson

A Behavioural Model for Client Reputation


Outline 1

Introduction

2

Related work

3

Proposed solution Behaviour analysis Local reputation Reputation reporting mechanism Confidence matrix Global reputation

4

Adversary model

5

Future work and conclusion

6

References A Basu, I Wakeman, D Chalmers and J R Robinson



Introduction The problem: unauthorised or malicious activities performed by clients on servers while clients consume services (e.g. email spam) without behavioural history, clients behaviour is assessed on a case-by-case basis, which leads to chances of false positives no prior knowledge of malicious clients, hence more false negatives




Introduction (contd.)

Research question: Can a local and a global reputation scheme based on behavioural history of strong network identities (of clients) be used to enforce policies for network interactions in order to reduce or prevent unsolicited communications or transactions between clients and servers over a network?




Introduction (contd.)

Applicable scenarios: email spam control use of Web services other forms of non-anonymous network communication




Related work

Taxonomy: application scenarios (e.g. email spam control) trust and reputation systems (although mostly on provider/seller reputation) behavioural history ([WM07, ABP05])




Behaviour analysis Local reputation Reputation reporting mechanism Confidence matrix Global reputation

Network entities

Clients Servers Global Reputation Analyser (GRA) – implementation could be centralised or distributed which are conceptually represented in a diagram as follows





Conceptual overview





Proposed solution breakdown

Behaviour analysis – behaviour analyser with generalised input and quantised behaviour output Local reputation – the local response to change in behaviour as well as effect of no activity over time





Proposed solution breakdown (contd.)

Reputation reporting mechanism – how do servers report reputation of clients to the GRA Confidence matrix – ‘social network’ of servers and the confidences between themselves Global reputation – the calculation and interpretation of a global view of client reputations





Behaviour analysis An input tuple consisting of: client identifier a set of observed values the type of observation made timestamp of observation A policy specific analysis on the tuple to output quantised behaviour (positive or negative integral values) Could implement features, e.g. detection of repetition of behaviour





Behaviour analysis (contd.) An example of behaviour analysis on email spam could include observation of: volume of email traffic type of traffic (e.g. continuous or sporadic) compliance with regulations feedback from spamtraps ... [CH07]





Local reputation response

Good (positive) reputation gets better with good behaviour until it reaches a positive saturation Good reputation will decrease more rapidly with bad behaviour than it will improve with good behaviour Bad (negative) reputation gets worse with bad behaviour until it reaches a negative saturation Bad reputation increases with good behaviour at a slower rate than it worsens with bad behaviour





Local reputation response (contd.) 1.5 1.25 Theoretical positive saturation (rpsat)

1 0.75

Arbitrary positive reputation (rv ) p

Reputation score (r)

0.5 0.25 0 −0.25

Arbitrary negative reputation (r ) v

n

−0.5 −0.75 −1

Theoretical negative saturation (rnsat)

−1.25 −1.5 −1000

−800

−600

−400

−200


0 Behaviour (b)

200

400

600

800

1000




Time decay of local reputation

saturated reputation denotes too good or too bad often needs a decay with no activity over time helps a saturated bad reputation to recover slowly with time also questions a saturated good reputation if there has been no activity over time





Time decay of local reputation (contd.) 1.5 1.25 Theoretical positive saturation (rpsat)

1 0.75

Arbitrary positive saturation (rv ) p

Reputation score (r)

0.5 0.25

Positive default (rpdef)

0 Negative default (r

)

ndef

−0.25

Arbitrary negative saturation (rv ) n

−0.5 −0.75 −1

Theoretical negative saturation (r

)

nsat

−1.25 −1.5 0

100

200

300

400


500 Time (t)

600

700

800

900

1000




What happens prior to reporting

Identities of clients and servers must be known to the GRA All communications between a client or a server and the GRA are encrypted





What happens prior to reporting (contd.) A reputation report is a tuple (γ) consisting of: a context of reporting (sort of application type) recorded reputation slope parameters (λ and µ) timestamp of the report identifier for the server Any report in the same context from the same server overrides any previous report





The reporting sequence





Social network of servers

An asymmetric weighted digraph with nodes (servers) connected through directed edges with a confidence rating w in the range [0 1] on each edge (note that wi,j = 0 essentially means that the directed edge ei,j does not exist





Confidence matrix

W := (wi,j )n×n A matrix computed from the adjacency matrix of the social network graph using the given confidence ratings on existing edges Once computed, W can act as a lookup table for the direct confidence that any server node vi has in any other server node vj so long as they are connected in the social network graph





Global reputations of clients

act as opinion sharing between servers interpretation depends on the perspective of querying server reported reputations for a client are maintained in a set (Γ) in the GRA





Calculation of global reputation

the set Γ of γ tuples (reputation reports) is scavenged and old reports are removed; the size of the set does not grow indefinitely confidence matrix used to obtain the report from the server in which the querying server has highest confidence(s) What the querying server does with the reputation and the confidence is implementation and policy specific




Types of attack

Manipulation of global reputation Exploitation of reputation DoS (or DDoS) attack on the GRA DoS (or DDoS) attack on a server Man-in-the-middle attack and others to be investigated ([CH07])




Simulation

Using a multi-threaded Java-based discrete event simulator that I have coded, which essentially has a blocking priority queue for scheduling events prioritised by the event times and a dispatcher that uses a cached thread pool of different event handlers to simulate different types of events Helps simulate the model from an application level; network level activities such as failure of network link can be simulated




Simulation (contd.)

Detailed logging possible Snapshot facility, obtaining statistics, etc. – future work




Future work

Evaluate the performance using data synthetically generated from web spam traces Open issue: a feedback from the querying server on the global reputation of a particular client may be used to alter the querying server’s confidence on some of the other server, which have been used to build the response to the reputation query




Conclusion

An attempt to resolve some of the open issues with previous work on behavioural history Proposal for client reputation based on behavioural history A possibility to empower servers in decision making based on past history of clients A possible reduction of false positives as well as false negatives




References M. Allman, E. Blanton, and V. Paxson. An Architecture for Developing Behavioral History. In Proc. Workshop on Steps to Reducing Unwanted Traffic on the Internet, 2005. E. Carrara and G Hogben. Reputation-based systems: a security analysis. Position paper no. 2 in European Network and Information Security Agency, 2007. S. Wei and J. Mirkovic. Building Reputations for Internet Clients. Electronic Notes Theoretical Computer Science, 179:17–30, 2007. A Basu, I Wakeman, D Chalmers and J R Robinson



Questions?

Thank you for listening

