Trusted Publish/Subscribe                                Stephen Naicken                            Foundations of Softwar...
Outline1   Why Apply Trust to Publish/Subscribe Systems?     Publish/Subscribe Security Issues     Securing Networks Using...
Publish/Subscribe OverviewWhat is Publish/Subscribe?     Publish/Subscribe is an event-based messaging paradigm.     Publi...
Publish/Subscribe Data Model   Topic-Based Publish/Subscribe           Publisher publishes each of its events to a topic o...
Publish/Subscribe in Ad Hoc Networks   In ad hoc networks, the presence of an ENS can not be assumed.   There may not be a...
Publish/Subscribe Tree                             P                                                                      ...
Publish/Subscribe Tree   PST abstraction can be used to model both publish/subscribe   using an ENS or in an ad hoc networ...
Publish/Subscribe Security   A plethora of research on publish/subscribe data models and   infrastructure.           Topic...
Publish/Subscribe Attacks   Denial of Service:           Flooding (Events and Subscriptions);           Fake unsubscribe &...
Impact of Attacks   Wun et al. [WCJ07] provide a taxonomy of DoS attacks and   results from DoS experiments.   Subscriptio...
RBAC and CPS  RBAC          Assign subjects to roles and permissions to roles.          Allows limitations on access to ev...
RBAC and CPS  RBAC          Assign subjects to roles and permissions to roles.          Allows limitations on access to ev...
The Problems with RBAC and CPS   RBAC requires a trusted organisation to assign roles to entities.   This is not feasible ...
Trust Management   We know that trust and reputation management can be used to   secure network communications.   Mitigate...
Trust Management   Is it possible to define a trust metric for PSTs?   Determine the trustworthiness of a network not a nod...
PST Overhead Metric   Defined by Huang and Garcia-Molina [HGM03].   At any node in the tree           it costs to receive a...
PST Overhead MetricDefinition (Inherent Subscription)The inherent subscription si of a subscriber i is given by itssubscrip...
PST Overhead MetricDefinition (Publish/Subscribe Tree Overhead)Let E be a set of events, r be some cost associated with rec...
The Problem - Tussles   Given two nodes, A and B, A can choose to trust B by using global   and/or local information. The ...
The Problem - Tussles   Given two nodes, A and B, A can choose to trust B by using global   and/or local information. The ...
Semiring Trust ModelDefinition(S, ⊕) is commutative semigroup with neutral element 0:                                   a⊕b...
Semiring Trust ModelInstantiation      The model provides a means to determine the trustworthiness of      a path [TB06].D...
Semiring Trust ModelExample    Path 1 (P1 ): (a, b), (b, c), (c, d).    Path 2 (P2 ): (a, e), (e, f), (f, d).    Let τ be ...
Individual PST Trust Functions   We have a means to determine the trust of a path and given two   paths we can determine w...
Trust Relationships in PSTs   There are many communication paths in a PST that should ideally   be trusted.   The publishe...
Terminal Subscriber Node                             P                                                                    ...
Terminal Subscriber NodeDefinition (Terminal Subscriber Trust Function)                 1τs (T ) =                 τs (Λη 1...
Publisher Trust Function   More complicated for the publisher, as there is path to each   subscriber.   Although the edges...
Publisher Trust FunctionDefinition (Publisher Trust Function)                    1τp (σp,s ) =                    τp (Λη 1 ...
Publisher Trust FunctionDefinition (Publisher Trust Function)The trust of T for p is a function of the trust of the paths t...
Publisher Trust Function   How to achieve the aggregation?   The number of subscribers for a given advertisement is consta...
Leximin Aggregation FunctionDefinition (Ordered Weighted Average)An ordered weighted average operator F of dimension n is a...
Leximin Aggregation FunctionDefinition (Yager’s Analytical Function [Yag97])The analytical leximin aggregation operator, Fl...
Internal Subscriber Trust Function   The internal subscriber trust function is a combination of the two   previous trust f...
Internal Subscriber Trust FunctionDefinitionFor each internal subscribe node s in a PST T , the trust of s in T isgiven by ...
And The Router Trust Function?   PST is a Steiner tree - it need not span the network.   The opinions of routers are ignor...
PST Trust MetricSocial Choice and Welfare     We now have a mechanism for each node to assess a tree and     come up with ...
PST Trust MetricDefinitionLet t = (Vt , Et ) be a PST where Vt = S ∪ R ∪ {p}. For eachi ∈ S ∪ {p}, there is a real-value τi...
Interpersonal Incomparability of Trust   Leximin requires interpersonal comparability.   This means trust values of differ...
The Maximum Trust PST with Overhead BudgetDefinitionGiven an overhead budget B > 0, an event distribution E, anundirected c...
Exhaustive Search Algorithm   Find all PSTs in the connectivity graph rooted at p and spanning   the subscribers S.   For ...
Spanning Tree Enumeration   A PST is a Steiner tree of the connectivity graph.   The set of feasible PSTs for an advertise...
Spanning Tree Enumeration   Char’s spanning tree algorithm [Cha68] enumerates all spanning   trees.   Uses DFS to find init...
Spanning Tree Enumeration   The tree test can be modified to also test if the subgraph is a PST.   A router can not be a te...
Tabu Search Algorithm   Given that the problem is in NP-Complete, the exhaustive search   will only be suitable for small ...
Tabu Search Algorithm   First we need to define a move structure.   Given a PST, a move is the addition or removal of a rou...
Tabu Search Algorithm   We use a surrogate objective function - essentially "guesstimate".   We know the node that had the...
Tabu Search Algorithm   This leaves us with a second problem, the application of the move   gives a graph not a PST.   We ...
Tabu Search Algorithm    Tabu search is designed for combinatorial problems of the    following form:DefinitionGiven a set ...
Tabu Search Algorithm   We investigated two approaches to tabu search for problems with   constraints.   The first a static...
Tabu Search Algorithm   Diversification potentially allows the Tabu search to explore   unvisited regions of the search spa...
Evaluation Environment   Experiments were performed using Amazon EC2 infrastructure,   with a 6.5 EC2 Compute Units (2x In...
Problem Data Set   A number of problem sets were considered, the results of two of   these will be presented.   A problem ...
Problem Data Set   Problem Set A.           Publisher: 1, Subscribers: 5, Routers: 1, 2, ..., 9.   Problem Set B.         ...
Exhaustive Search Results                                        1e+05                                                    ...
Exhaustive Search Results                             Pr.    Min. (s)       Max. (s)           Avg. (s)                   ...
Tabu SearchProblem Set A                                  PST                   Rel. Error                       Pr       ...
Tabu Search           Pr               τT    OT        Sec       Pr               τT     OT     Sec           B20-1       ...
Conclusions   It is possible to define a trust metrics for a network structure, the   PST, not just nodes.   Trust is inter...
Future Work   Is it possible to define a distributed algorithm to solve the   problem?           Tussle between trust relat...
J. Char.Generation of trees, two-trees, and storage of master forests.IEEE Transactions on Circuit Theory, 15(3):228–238, ...
INFORMS Journal on Computing, 16(3):241–254, 2004.Costin Raiciu and D.S. Rosenblum.Enabling confidentiality in content-base...
Mathematica Japonica, 24(6):573–577, 1980.Alex Wun, Alex Cheung, and Hans-Arno Jacobsen.A taxonomy for denial of service a...
Upcoming SlideShare
Loading in...5
×

Trusted Publish/Subscribe

732

Published on

Published in: Business, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
732
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Trusted Publish/Subscribe

  1. 1. Trusted Publish/Subscribe Stephen Naicken Foundations of Software Systems University of Sussex stephenn@sussex.ac.uk 15th February 2012(University of Sussex) Trusted Publish/Subscribe 15/02/12 1 / 58
  2. 2. Outline1 Why Apply Trust to Publish/Subscribe Systems? Publish/Subscribe Security Issues Securing Networks Using Trust and Reputation2 Trusted Publish/Subscribe Trees Communication Overheads of PSTs A Trust Metric for Publish/Subscribe Trees PST Trust Maximisation Problem with Overhead Budget3 Algorithms Exhaustive Search Tabu Search4 Results5 Conclusions and Future Work (University of Sussex) Trusted Publish/Subscribe 15/02/12 2 / 58
  3. 3. Publish/Subscribe OverviewWhat is Publish/Subscribe? Publish/Subscribe is an event-based messaging paradigm. Publishers publish notifications. Subscribers issue subscriptions describing notifications of interest. Notifications are delivered only to interested subscribers. Event Notification Service (ENS) is responsible for the routing of notifications from publishers to interested subscribers. ENS may be centralised or it may be a network of brokers. (University of Sussex) Trusted Publish/Subscribe 15/02/12 3 / 58
  4. 4. Publish/Subscribe Data Model Topic-Based Publish/Subscribe Publisher publishes each of its events to a topic or subject. Subscribers subscribe to a topic to receive all events published to it. Content-Based Publish/Subscribe Publisher issues an advertisement - an intent to publish events. Any events published must be covered by the advertisement. Subscription is a function over the event contents. Greater expressiveness. Increased message state and processing complexity at brokers. (University of Sussex) Trusted Publish/Subscribe 15/02/12 4 / 58
  5. 5. Publish/Subscribe in Ad Hoc Networks In ad hoc networks, the presence of an ENS can not be assumed. There may not be any entities responsible for the network. If this is the case, publishers and subscribers will need to assume the responsibility of brokers where necessary. Publish/Subscribe in these environments may become more widespread due to smartphones (e.g. Android 4.0 ad hoc networking support). MANETs, Sensor networks, VANETs (University of Sussex) Trusted Publish/Subscribe 15/02/12 5 / 58
  6. 6. Publish/Subscribe Tree P Modification of Huang & Garcia-Molina [HGM03] definition. S2 R1 S7 For each advertisement, the PST is rooted at the publisher and spans all interested subscribers. S1 S3 S6 Steiner tree - the PST contains a subset of non-publisher & non-subscriber nodes R2 (brokers) to facilitate connectivity. There can be many possible S4 S5 S5 PSTs for a given advertisement. (University of Sussex) Trusted Publish/Subscribe 15/02/12 6 / 58
  7. 7. Publish/Subscribe Tree PST abstraction can be used to model both publish/subscribe using an ENS or in an ad hoc network. In ENS-based publish/subscribe: the internal vertices of the tree are broker nodes; the publisher is the root; all terminals are subscribers. (University of Sussex) Trusted Publish/Subscribe 15/02/12 7 / 58
  8. 8. Publish/Subscribe Security A plethora of research on publish/subscribe data models and infrastructure. Topic-based to Content-based Publish/Subscribe Centralised to decentralised ENS. Optimisation of routing and matching algorithms. But very little on security. Role-Based Access Control (RBAC). Computing on encrypted data. Why? ENS under the control of single or multiple cooperating entities. External contracts between publishers, subscribers and ENS. Implicit trust assumed, but if we break this... (University of Sussex) Trusted Publish/Subscribe 15/02/12 8 / 58
  9. 9. Publish/Subscribe Attacks Denial of Service: Flooding (Events and Subscriptions); Fake unsubscribe & unadvertise (API weakness); Selective & random message dropping. Publish/Subscribe Spam [Tar06] Blackhole advertisement - allows malicious publisher to acquire all subscriptions, if subscriptions are propagated to the publisher. Blackhole subscription - subscribe to all events to allow inference of the subscriptions of others. (University of Sussex) Trusted Publish/Subscribe 15/02/12 9 / 58
  10. 10. Impact of Attacks Wun et al. [WCJ07] provide a taxonomy of DoS attacks and results from DoS experiments. Subscription flooding attack - injecting malicious subscriptions at a high rate into the infrastructure (ENS). Reduction in free memory at the broker, increased processing time of approximately two orders of magnitude, & exponential growth in the response time. (University of Sussex) Trusted Publish/Subscribe 15/02/12 10 / 58
  11. 11. RBAC and CPS RBAC Assign subjects to roles and permissions to roles. Allows limitations on access to events given the subscriber’s role. Limitations on events a publisher can publish. Brokers can perform content-based routing only on attributes that they are permitted to access. CPS Subscriptions and events are encrypted using a shared key. Matching and routing functions are performed on the encrypted data by brokers. Raiciu and Rosenblum [RR06] have defined a number of techniques to implement CPS. RBAC and CPS address many of the security issues, so what’s the problem? (University of Sussex) Trusted Publish/Subscribe 15/02/12 11 / 58
  12. 12. RBAC and CPS RBAC Assign subjects to roles and permissions to roles. Allows limitations on access to events given the subscriber’s role. Limitations on events a publisher can publish. Brokers can perform content-based routing only on attributes that they are permitted to access. CPS Subscriptions and events are encrypted using a shared key. Matching and routing functions are performed on the encrypted data by brokers. Raiciu and Rosenblum [RR06] have defined a number of techniques to implement CPS. RBAC and CPS address many of the security issues, so what’s the problem? (University of Sussex) Trusted Publish/Subscribe 15/02/12 11 / 58
  13. 13. The Problems with RBAC and CPS RBAC requires a trusted organisation to assign roles to entities. This is not feasible in ad hoc environments. Absence of a monitoring component to detect misbehaviour. Both RBAC and CPS are difficult to adapt to stochastic behaviour. CPS requires issuing a new encryption key. RBAC requires issuing new policies. What happens if the shared key is leaked? (University of Sussex) Trusted Publish/Subscribe 15/02/12 12 / 58
  14. 14. Trust Management We know that trust and reputation management can be used to secure network communications. Mitigate against malicious and selfish nodes. EigenTrust in P2P, CONFIDANT in MANET routing. Can we use trust to mitigate attacks in publish/subscribe? (University of Sussex) Trusted Publish/Subscribe 15/02/12 13 / 58
  15. 15. Trust Management Is it possible to define a trust metric for PSTs? Determine the trustworthiness of a network not a node. Can we construct the most trusted PST for a given advertisement... And at the same time ensure efficient communications? We leave monitoring behaviour for future work. (University of Sussex) Trusted Publish/Subscribe 15/02/12 14 / 58
  16. 16. PST Overhead Metric Defined by Huang and Garcia-Molina [HGM03]. At any node in the tree it costs to receive an event (r ). it costs to forward an event on each outgoing edge, as required by the subscriptions of any descendants (f ). The overhead of a PST is the sum of the overheads at each node. The overhead at a node is given by the sum of: the cost to forward events of interest; the cost to receive and forward events not of interest. (University of Sussex) Trusted Publish/Subscribe 15/02/12 15 / 58
  17. 17. PST Overhead MetricDefinition (Inherent Subscription)The inherent subscription si of a subscriber i is given by itssubscription function sfi .Definition (Effective Subscription)The effective subscription Si of a subscriber i is given by thedisjunction of its inherent subscription si and its proxied subscriptionsi , Si = si ∨ si .Definition (Proxied Subscription)The proxied subscription si of a subscriber i is given bysi = j=1,...,n Sj for each child 1, . . . , n of i. (University of Sussex) Trusted Publish/Subscribe 15/02/12 16 / 58
  18. 18. PST Overhead MetricDefinition (Publish/Subscribe Tree Overhead)Let E be a set of events, r be some cost associated with receiving anevent, f be a cost associated with forwarding an event, si be theinherent subscription of node i and si be the proxied subscription of i.For a PST TAp for an advertisement Ap , its overhead is defined as: OTAp (E) = i∈VAp OTAp (E) where i OTAp (E) = (r + f ) · ΦE(¬si ∧ si ) + f · ΦE(si ∧ si ). i (University of Sussex) Trusted Publish/Subscribe 15/02/12 17 / 58
  19. 19. The Problem - Tussles Given two nodes, A and B, A can choose to trust B by using global and/or local information. The decision rests solely with A. This is not the case for PSTs. Node A and B are nodes in PSTs T1 and T2 . Node A considers PST T1 to be more trustworthy than T2 . Node B considers PST T2 to be more trustworthy than T1 . How do we decide upon the PST, which maximises trust for all PST’s nodes? (University of Sussex) Trusted Publish/Subscribe 15/02/12 18 / 58
  20. 20. The Problem - Tussles Given two nodes, A and B, A can choose to trust B by using global and/or local information. The decision rests solely with A. This is not the case for PSTs. Node A and B are nodes in PSTs T1 and T2 . Node A considers PST T1 to be more trustworthy than T2 . Node B considers PST T2 to be more trustworthy than T1 . How do we decide upon the PST, which maximises trust for all PST’s nodes? (University of Sussex) Trusted Publish/Subscribe 15/02/12 18 / 58
  21. 21. Semiring Trust ModelDefinition(S, ⊕) is commutative semigroup with neutral element 0: a⊕b =b⊕a (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c) a⊕0=a(S, ⊗) is a semigroup with a neutral element 1 and an absorbingelement 0: (a ⊗ b) ⊗ c = a ⊗ (b ⊗ c) a⊗1=1⊗a=a a⊗0=0⊗a=0 (University of Sussex) Trusted Publish/Subscribe 15/02/12 19 / 58
  22. 22. Semiring Trust ModelInstantiation The model provides a means to determine the trustworthiness of a path [TB06].DefinitionThe trusted path semiring is a semiring, (S, ⊕, ⊗) where S = [0, 1] and⊕ and ⊗ are defined as: for all s1 , s2 ∈ S, s1 ⊕ s2 = max(s1 , s2 ) for all s1 , s2 ∈ S, s1 ⊗ s2 = s1 s2 No assumption is made upon the definition of the semiring operators. Alternatives are acceptable. (University of Sussex) Trusted Publish/Subscribe 15/02/12 20 / 58
  23. 23. Semiring Trust ModelExample Path 1 (P1 ): (a, b), (b, c), (c, d). Path 2 (P2 ): (a, e), (e, f), (f, d). Let τ be a trust function, τ : V × V → [0, 1]. τ (a, b) = 0.7, τ (a, b) = 0.7. τ (a, b) = 0.5, τ (a, b) = 1. τ (a, b) ⊗ τ (a, c) = 0.49. τ (a, e) ⊗ τ (a, f ) = 0.5. P1 ⊕ P2 = P2 . (University of Sussex) Trusted Publish/Subscribe 15/02/12 21 / 58
  24. 24. Individual PST Trust Functions We have a means to determine the trust of a path and given two paths we can determine which is more trustworthy. How can we use this to determine the trust of a PST. To do this, we need to identify the communication paths in a PST. (University of Sussex) Trusted Publish/Subscribe 15/02/12 22 / 58
  25. 25. Trust Relationships in PSTs There are many communication paths in a PST that should ideally be trusted. The publisher must have trust in all the paths to all the subscribers. The subscribers must trust the path to the publisher. Any internal subscribers must trust the paths to descendant subscribers and the publisher. To maximise the trust of a PST, we select the PST that maximises the trust of these paths. (University of Sussex) Trusted Publish/Subscribe 15/02/12 23 / 58
  26. 26. Terminal Subscriber Node P Subscriber trusts the publisher S2 R1 S7 sufficiently to receive its events, so it is not included in the metric. S1 S3 S6 It must trust the nodes on the path to the publisher, which route events to it. R2 Example Path: S5 , R2 , S6 , R1 , P. S4 S5 S5 (University of Sussex) Trusted Publish/Subscribe 15/02/12 24 / 58
  27. 27. Terminal Subscriber NodeDefinition (Terminal Subscriber Trust Function) 1τs (T ) = τs (Λη 1 ) ⊗ τs (Λη 2 ) ⊗ · · · ⊗ τs (Λη |σs,p |−2 ) ⊗ τs (Λη |σs,p |−1 ) s,v s,v s,v s,v τs is the trust function of subscriber s. Λη |σs,n | is the vector of trust information on n held by s. s,v 1 if s is adjacent to p, otherwise it is given by the product of the trust in the intermediate vertices. (University of Sussex) Trusted Publish/Subscribe 15/02/12 25 / 58
  28. 28. Publisher Trust Function More complicated for the publisher, as there is path to each subscriber. Although the edges may be shared between paths, each is considered individually. Reasoning is that there is "contact" to provide events to each and every subscriber. The publisher’s trust in the tree is given by the aggregation of the trust of all paths to all subscribers. (University of Sussex) Trusted Publish/Subscribe 15/02/12 26 / 58
  29. 29. Publisher Trust FunctionDefinition (Publisher Trust Function) 1τp (σp,s ) = τp (Λη 1 ) ⊗ τp (Λη 2 ) ⊗ · · · ⊗ τp (Λη |σ|−2 ) ⊗ τp (Λη |σ|−1 ) p,v p,v p,v p,v Similar to the terminal subscribe trust function. τp (σp,s ), the trust of the path from publisher p to subscriber s. 1 if p is adjacent to s, otherwise it is given by the product of the trust in the intermediate vertices. (University of Sussex) Trusted Publish/Subscribe 15/02/12 27 / 58
  30. 30. Publisher Trust FunctionDefinition (Publisher Trust Function)The trust of T for p is a function of the trust of the paths to eachsubscriber and is given by τp (T ) = α(τp (σp,s1 ), τp (σp,s2 ), . . . , τp (σp,s|S| )).where α is the aggregation function and τp (σp,s1 ) is the trust p has inthe path from p to subscriber s1 . (University of Sussex) Trusted Publish/Subscribe 15/02/12 28 / 58
  31. 31. Publisher Trust Function How to achieve the aggregation? The number of subscribers for a given advertisement is constant across all PSTs. All subscribers to be treated fairly. This means we can use the leximin aggregation. Similar to maximin, but breaks ties using the next least well off value until tie is broken. Motivation: The publisher’s trust in a PST is dominated by the least trusted path. (University of Sussex) Trusted Publish/Subscribe 15/02/12 29 / 58
  32. 32. Leximin Aggregation FunctionDefinition (Ordered Weighted Average)An ordered weighted average operator F of dimension n is a mappingF : Rn → R that has an associated vector of weightsW = [w1 , w2 , . . . , wn ] such that n wi = 1 and each wi ∈ [0, 1] and i=1where F (y1 , y2 , . . . , yn ) = n wj · zj where zj is the j-largest yi . j=1 (University of Sussex) Trusted Publish/Subscribe 15/02/12 30 / 58
  33. 33. Leximin Aggregation FunctionDefinition (Yager’s Analytical Function [Yag97])The analytical leximin aggregation operator, Fleximin , is an orderedweighted average where the weight vectorW = [w1 , . . . , wn−2 , wn−1 , wn ] is defined as follows: ∆n−1 w1 = , (1 + ∆)n−1 ∆n−j wj = for all 2 ≤ j ≤ n. (1 + ∆)n+1−jIf |a − b| < ∆ then a = b. If a > b then |a − b| > ∆. (University of Sussex) Trusted Publish/Subscribe 15/02/12 31 / 58
  34. 34. Internal Subscriber Trust Function The internal subscriber trust function is a combination of the two previous trust functions. An internal subscriber must trust the path to the publisher (similar to a terminal subscriber). In addition, it also distributes events to descendants that have a matching subscription. So it must also trust the paths to all descendants who are subscribers (similar to a publisher). (University of Sussex) Trusted Publish/Subscribe 15/02/12 32 / 58
  35. 35. Internal Subscriber Trust FunctionDefinitionFor each internal subscribe node s in a PST T , the trust of s in T isgiven by τs (T ) = β(τs (σs,p ), τs (σs,s1 ), . . . , τs (σs,sd−1 )) whereβ : Rd −→ R is some aggregation function of trust values, andd = |Vs ∩ S| + 1 where Vs is set of nodes in the subtree rooted at s. For a internal subscriber, the value d is variable across feasible PSTs. Therefore, the weights of the Yager’s leximin function will be different across PSTs So we use maximin here. (University of Sussex) Trusted Publish/Subscribe 15/02/12 33 / 58
  36. 36. And The Router Trust Function? PST is a Steiner tree - it need not span the network. The opinions of routers are ignored. Incentive compatibility can not be guaranteed. Routers have good reason to lie. A router in a PST contributes resources but has no interest in the content being shared. Declare the paths and consequently the tree to be of low trust. PST is less likely to be most trusted, so reduced possibility of being in this PST. (University of Sussex) Trusted Publish/Subscribe 15/02/12 34 / 58
  37. 37. PST Trust MetricSocial Choice and Welfare We now have a mechanism for each node to assess a tree and come up with a number that represents its belief of how trustworthy that tree is. How do we order the trees given these trust values from the participants? We assume that the trust values provide an ordering of how badly off a member would be, if that tree was chosen. Rawls’ principles of justice, that social and economic inequalities satisfy the condition that they are to be to the greatest benefit of the least advantaged members of society Leximin Define a lexical ordering on the participants, and in any pair of alternatives, pick the one that improves the lot of the worse off (University of Sussex) Trusted Publish/Subscribe 15/02/12 35 / 58
  38. 38. PST Trust MetricDefinitionLet t = (Vt , Et ) be a PST where Vt = S ∪ R ∪ {p}. For eachi ∈ S ∪ {p}, there is a real-value τi (T ) representing i’s trust value of t.The social trust value of t is given by Fleximin (τi1 (T ), τi2 (T ), . . . ,τi|S∪{p}| (T )). (University of Sussex) Trusted Publish/Subscribe 15/02/12 36 / 58
  39. 39. Interpersonal Incomparability of Trust Leximin requires interpersonal comparability. This means trust values of different entities must share the same trust continuum. Same origin and same unit of trust. This isn’t possible for mental states such as trust. Often assumed to be the case in existing trust models, so we do too.. (University of Sussex) Trusted Publish/Subscribe 15/02/12 37 / 58
  40. 40. The Maximum Trust PST with Overhead BudgetDefinitionGiven an overhead budget B > 0, an event distribution E, anundirected connectivity graph Gc = (Vc , Ec ), a publisher p that holdsan advertisement Ap , a set of subscribers S = {s | sfs (Ap ) = true}where sfs is the subscription function of s, a set of routers R = Vc Cwhere C = {p} ∪ Sfind a PST T that is rooted at p, spans S and maximises the trustvalue τ (T ) = Fleximin (τc1 (T ), . . . , τc|C| (T )) where τci (T ) is the trustevaluation of i th node in C, subject to OT (E) ≤ B. The PST Trust Maximisation Problem with Overhead Budget is NP-complete. (University of Sussex) Trusted Publish/Subscribe 15/02/12 38 / 58
  41. 41. Exhaustive Search Algorithm Find all PSTs in the connectivity graph rooted at p and spanning the subscribers S. For each PST: Find the trust value. Find the overhead value. Select the PST that has the highest trust value with the defined budget B. How to find all PSTs? (University of Sussex) Trusted Publish/Subscribe 15/02/12 39 / 58
  42. 42. Spanning Tree Enumeration A PST is a Steiner tree of the connectivity graph. The set of feasible PSTs for an advertisement is a subset of the set of all Steiner trees in the connectivity graph. The set of all spanning trees for all subgraphs of the connectivity graph is the set of all Steiner trees. Modify a spanning tree enumeration algorithm to enumerate all PSTs that span a graph. (University of Sussex) Trusted Publish/Subscribe 15/02/12 40 / 58
  43. 43. Spanning Tree Enumeration Char’s spanning tree algorithm [Cha68] enumerates all spanning trees. Uses DFS to find initial tree and label vertices. Representation of the tree is stored in an array. Index is node label, array[index] gives index of an adjacent node. Lexicographically alter the adjacent edges, "cycling" through subgraphs. Each subgraph found is tested to ensure that it is a spanning tree. (University of Sussex) Trusted Publish/Subscribe 15/02/12 41 / 58
  44. 44. Spanning Tree Enumeration The tree test can be modified to also test if the subgraph is a PST. A router can not be a terminal node - illogical. Test if each router in the tree is has two adjacent edges. (University of Sussex) Trusted Publish/Subscribe 15/02/12 42 / 58
  45. 45. Tabu Search Algorithm Given that the problem is in NP-Complete, the exhaustive search will only be suitable for small problem instances. Instead we choose to use the Tabu search metaheuristic. Similar to local search, but we store list of last n chosen moves (tabu list). To escape local maxima, we do not select moves from the tabu list. (University of Sussex) Trusted Publish/Subscribe 15/02/12 43 / 58
  46. 46. Tabu Search Algorithm First we need to define a move structure. Given a PST, a move is the addition or removal of a router from the PST. When a router is added to a PST, edges adjacent to nodes in the PST are added too. When a router is removed from the PST, edges from the connectivity graph between pairs of nodes in the PST are added to re-connect the graph. How do we choose the router to add or remove? (University of Sussex) Trusted Publish/Subscribe 15/02/12 44 / 58
  47. 47. Tabu Search Algorithm We use a surrogate objective function - essentially "guesstimate". We know the node that had the least trust in prior PST. So we evaluate the trustworthiness of the paths from this node to the publisher in the graph induced by the application of the move to the PST. The move that yields the greatest improvement in trust for this node is chosen. (University of Sussex) Trusted Publish/Subscribe 15/02/12 45 / 58
  48. 48. Tabu Search Algorithm This leaves us with a second problem, the application of the move gives a graph not a PST. We use the modified Char algorithm to find the PSTs in the graph. The tree that maximises the objective function is chosen. So what is the objective function? (University of Sussex) Trusted Publish/Subscribe 15/02/12 46 / 58
  49. 49. Tabu Search Algorithm Tabu search is designed for combinatorial problems of the following form:DefinitionGiven a set of feasible solutions F and a function F : F → R, find theoptimal solution x ∈ F for a minimisation problem such thatF (x) ≤ F (y ) for all y ∈ F, or F (x) ≥ F (y ) for a maximisation problem. But we have an overhead budget to consider. If a solution is overbudget, we penalise the objective value of the solution, i.e. its trust value. (University of Sussex) Trusted Publish/Subscribe 15/02/12 47 / 58
  50. 50. Tabu Search Algorithm We investigated two approaches to tabu search for problems with constraints. The first a static penalty function. Penalise all overbudget solutions by reducing their trustworthiness by 50%. The second is Near-Feasibility Threshold approach devised by Kulturel-Konak et al. [KKNCS04] However, as the results were often poor in comparison to the naive static approach, we shall dismiss it. The authors claim that the technique is sometimes not suitable where there are few constraints. We have one. (University of Sussex) Trusted Publish/Subscribe 15/02/12 48 / 58
  51. 51. Tabu Search Algorithm Diversification potentially allows the Tabu search to explore unvisited regions of the search space and escape cycles. Every 50 iterations of the Tabu search, the search diversify choosing a new solution from which the search continues. We investigated modified versions of the Takahashi-Matsuyama [TM80] and Shortest Path Tree algorithms to create PSTs. However, as both are subscription and trust unaware algorithms, little difference can be expected. (University of Sussex) Trusted Publish/Subscribe 15/02/12 49 / 58
  52. 52. Evaluation Environment Experiments were performed using Amazon EC2 infrastructure, with a 6.5 EC2 Compute Units (2x Intel(R) Xeon(R) CPU X5550 @ 2.67GHz), 17.1 GB RAM instance (m2.xlarge) running on a 64-bit Linux OS. The connectivity graph is constructed by power law graph generator [EW02]. The trust graph is generated using Klemm-Eguiluz [KE02] model so that it has both high clustering and power law properties. The Tabu search executed for 1500 iterations. (University of Sussex) Trusted Publish/Subscribe 15/02/12 50 / 58
  53. 53. Problem Data Set A number of problem sets were considered, the results of two of these will be presented. A problem set is identified using the following format <Problem Data set><Subset Number>-<Problem Number> : "<Problem Data set>" is the data set identifier (A and B), "<Subset Number>" indicates the value of |R| for each problem "<Problem Number>" is the problem identifier where 1 =⇒ B = 2000, 2 =⇒ B = 3000, 3 =⇒ B = 4000, 4 =⇒ B = 5000, 5 =⇒ B = 231 − 1. (University of Sussex) Trusted Publish/Subscribe 15/02/12 51 / 58
  54. 54. Problem Data Set Problem Set A. Publisher: 1, Subscribers: 5, Routers: 1, 2, ..., 9. Problem Set B. Publisher: 1, Subscribers: 5, Routers: 20, 30, 40, ... 90. (University of Sussex) Trusted Publish/Subscribe 15/02/12 52 / 58
  55. 55. Exhaustive Search Results 1e+05 q 8e+04 6e+04 Time (s) 4e+04 2e+04 q q q q q q q q q 0e+00 A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 Problem SubsetFigure: Average Execution Times of Exhaustive Search Results for ProblemSet A (University of Sussex) Trusted Publish/Subscribe 15/02/12 53 / 58
  56. 56. Exhaustive Search Results Pr. Min. (s) Max. (s) Avg. (s) A0 0.0153 0.0871 0.0339 A1 0.0239 0.1522 0.058 A2 0.1238 0.3774 0.1852 A3 0.8051 1.2791 0.9304 A4 1.7682 2.4166 1.9041 A5 19.5833 20.212 19.7224 A6 285.8669 287.4492 286.3381 A7 945.8277 949.9657 947.4963 A8 6149.868 6164.197 6158.712 A9 97672.93 97672.93 - Table: Execution Times of Exhaustive Search Results for Problem Set A (University of Sussex) Trusted Publish/Subscribe 15/02/12 54 / 58
  57. 57. Tabu SearchProblem Set A PST Rel. Error Pr τT OT ητ ηO Sec A1-4 0.0181 2398 - - 3.01 A2-4 0.0931 1850 - - 8.37 A3-4 0.0224 2917 - - 11.03 A4-4 0.1855 2224 - - 7.20 A5-4 0.0812 3580 - 0.1202 8.24 A6-4 0.0360 3846 5×10−7 0.1287 138.96 A7-4 0.0692 3570 - - 78.38 A8-4 0.0031 3657 1×10−6 0.0928 9.77 A9-4 0.2184 1885 - - 20.49 Table: Solutions for Problem Set A using the Tabu Search algorithm (University of Sussex) Trusted Publish/Subscribe 15/02/12 55 / 58
  58. 58. Tabu Search Pr τT OT Sec Pr τT OT Sec B20-1 0.1210 2948 42.00 B30-1 0.1329 2234 57.19 B20-2 0.1210 2948 41.97 B30-2 0.1329 2234 61.82 B20-3 0.1210 3254 36.33 B30-3 0.1329 2234 72.58 B20-4 0.1210 3254 33.76 B30-4 0.1329 2234 88.44 B20-5 0.1210 3254 33.73 B30-5 0.1329 2234 84.46 B40-1 0.0245 2564 56.52 B50-1 0.0124 2224 18.96 B40-2 0.0245 2564 60.04 B50-2 0.0124 2224 18.87 B40-3 0.0245 2564 50.73 B50-3 0.0124 2224 18.70 B40-4 0.0245 2564 50.77 B50-4 0.0124 2224 19.70 B40-5 0.0245 2564 50.81 B50-5 0.0124 2224 19.96 B60-1 0.0661 1630 9.86 B70-1 0.0381 2838 30.00 B60-2 0.0661 1630 9.98 B70-2 0.0381 2838 29.99 B60-3 0.0661 1630 9.82 B70-3 0.0381 2838 46.44 B60-4 0.0661 1630 9.89 B70-4 0.0381 2838 46.77 B60-5 0.0661 1630 9.91 B70-5 0.0381 2838 45.85 B80-1 0.1320 1962 17.84 B90-1 0.0354 1282 11.56 B80-2 0.1320 1962 13.54 B90-2 0.0354 1282 11.59 B80-3 0.1320 1962 13.56 B90-3 0.0354 1282 11.59 B80-4 0.1320 1962 13.55 B90-4 0.0354 1282 11.57 B80-5 0.1320 1962 13.57 B90-5 0.0354 1282 11.57 (University of Sussex) Trusted Publish/Subscribe 15/02/12 56 / 58
  59. 59. Conclusions It is possible to define a trust metrics for a network structure, the PST, not just nodes. Trust is interpersonal incomparable. Metrics should consider this. Tabu search efficiently solves the Maximum Trust PST with Overhead Budget Problem. (University of Sussex) Trusted Publish/Subscribe 15/02/12 57 / 58
  60. 60. Future Work Is it possible to define a distributed algorithm to solve the problem? Tussle between trust relationships in a PST. Nodes may be unwilling to share trust data. Possible using local information only? How do we implement monitoring of publish/subscribe services? Space decoupling conflicts with long-lived identity requirements. Are these techniques applicable to an Information-Centric Publish/Subscribe Internet? (University of Sussex) Trusted Publish/Subscribe 15/02/12 58 / 58
  61. 61. J. Char.Generation of trees, two-trees, and storage of master forests.IEEE Transactions on Circuit Theory, 15(3):228–238, 1968.David Eppstein and Joseph Yannkae Wang.A steady state model for graph power laws.ACM Computing Research Repository, April 2002.Yongqiang Huang and Hector Garcia-Molina.Publish/subscribe tree construction in wireless ad-hoc networks.In Mobile Data Management, volume 2574 of Lecture Notes inComputer Science, pages 122–140. Springer Berlin/Heidelberg,2003.Konstantin Klemm and V.M. Eguiluz.Growing scale-free networks with small-world behavior.Physical Review E, 65(5):57102, May 2002.Sadan Kulturel-Konak, Bryan A. Norman, David W. Coit, andAlice E. Smith.Exploiting tabu search memory in constrained problems.(University of Sussex) Trusted Publish/Subscribe 15/02/12 58 / 58
  62. 62. INFORMS Journal on Computing, 16(3):241–254, 2004.Costin Raiciu and D.S. Rosenblum.Enabling confidentiality in content-based publish/subscribeinfrastructures.In Proceedings of the Second IEEE/CreatNet InternationalConference on Security and Privacy in Communication Networks,Securecomm ’06, pages 1–11. IEEE, August 2006.S. Tarkoma.Preventing spam in publish/subscribe.In 26th IEEE International Conference on Distributed ComputingSystems Workshops, ICDCSW 2006, pages 21–21. IEEE, 2006.G. Theodorakopoulos and J.S. Baras.On trust models and trust evaluation metrics for ad hoc networks.IEEE Journal on Selected Areas in Communications,24(2):318–328, February 2006.H. Takahashi and A. Matsuyama.An approximate solution for the Steiner problem in graphs.(University of Sussex) Trusted Publish/Subscribe 15/02/12 58 / 58
  63. 63. Mathematica Japonica, 24(6):573–577, 1980.Alex Wun, Alex Cheung, and Hans-Arno Jacobsen.A taxonomy for denial of service attacks in content-basedpublish/subscribe systems.In Proceedings of the 2007 Inaugural International Conference onDistributed event-based systems, DEBS ’07, pages 116–127, NewYork, NY, USA, 2007. ACM.R.R. Yager.On the analytic representation of the Leximin ordering and itsapplication to flexible constraint propagation.European Journal of Operational Research, 102(1):176–192,October 1997.(University of Sussex) Trusted Publish/Subscribe 15/02/12 58 / 58
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×