ePrints.FRI - University of Ljubljana, Faculty of Computer and Information Science

Trust Management in Service Oriented Architectures

Damjan Kovač (2009) Trust Management in Service Oriented Architectures. PhD thesis.


    Abstract

    Trust represents a significant aspect of human behavior and is often a precondition for mutual interactions and cooperation in a society. Decision making is trust-based, and trust is founded on experiences and assessments indicating beliefs about the relying party to perform a given task. Ultimately, trust may be considered a social and subjective phenomenon based on various factors, usually on personal experience or direct interactions. In the absence of personal experience, however, trust often has to be based on referrals from others that can be indicated as a reputation. In addition, trust is usually a precondition for interactions or transactions among parties in distributed computer environments. These are mostly considered to be environments and services of e-business where parties are generally separated in space, thus making personal experience practically impossible. Information security does not assure trust in such environments; it is mostly a required, although insufficient, precondition. Trust is not a security mechanism but a subjective concept that includes both social and psychological aspects. Various authors have denoted trust as a soft security mechanism that may, unlike traditional security mechanisms (e.g., authentication, access control), provide protection against information and service providers who act deceitfully. This, in turn, improves the quality of services and the reliability of providers and other entities in the network. Therefore, trust and reputation management is an essential area when supporting consumers who apply e-business services.

    This dissertation examines the existing trust mechanisms in computing environments; most authors denote them as standard security mechanisms where the social and interactive components are lacking. This weakness is overcome by formalizing trust as a soft security mechanism and by taking numerous psychological and social factors into consideration. We define an abstract trust model ATM = (G, Ω, Τ, F, O, Γ, Π) with the appropriate components that allow different computational models to determine the degree of trust or trustworthiness. The trust degree represents a basis for making decisions about future interactions among entities and also helps to identify malicious behavior. Next, the components of the trust model ATM are formally defined in order to present the quantitative approach of Jøsang's subjective logic and extend the qualitative approach with the appropriate qualitative algebra that models the behavior of agents. It must be stressed, however, that trust is not transitive in general. Assuming recommendation trust and using different algorithms of graph theory (e.g. transitive closures, depth first search) and the appropriate algebraic structures (e.g. semirings, distributive lattices), a method for computing the trust degree among entities that have not interacted directly is presented. The trust requirements of the interacting entities (e.g. users, resources, services) are represented through interaction trust policies that are based on the interaction history. Those policies are formally defined by the pure past temporal logic language PPLTL with suitable algorithms for compliance checking.

    Service-oriented architectures (SOAs) represent a new concept of building distributed e-business software solutions based on the composition of web services as autonomous functional units. The principle of the orchestration and choreography of web services is presented. The importance of orchestration with the BPEL language is stressed, as it is a widely accepted and supported industrial standard. The BPEL language is mapped into the formal language of Petri Nets. The appropriate algorithms for trust degree computation of service composites are defined according to the trust model ATM. In this way, trust mechanisms are added not only to atomic, but also to composite services (i.e. BPEL business processes).

    A number of WS-* standards from the OASIS and W3C organizations exist that mostly cover the interoperability and security of web services, but none of them considers trust as a soft security mechanism. Consequently, the contribution of this dissertation is also an extension of open standards (WS-Trust, WS-Security) through which we incorporate a qualitative and quantitative trust model in the SOA infrastructure as standard building blocks. With them, the architecture of the trust and reputation management system using SOA infrastructure is designed. A prototype called trustGuard using WCF (Windows Communication Foundation) and JEE (Java Enterprise Edition) technologies is also implemented.

    Item Type: Thesis (PhD thesis)
    Keywords: trust, reputation, security, trust management, e-business, business processes, service-oriented architectures, web services, standardization, SOA, BPEL, WS-Trust
    Number of Pages: 203
    Language of Content: Slovenian
    Mentor / Comentors:
        Name and Surname | ID | Function
        izr. prof. dr. Denis Trček | 1121 | Mentor
    Link to COBISS: http://www.cobiss.si/scripts/cobiss?command=search&base=50070&select=(ID=7268180)
    Institution: University of Ljubljana
    Department: Faculty of Computer and Information Science
    Item ID: 853
    Date Deposited: 28 May 2009 09:51
    Last Modified: 13 Aug 2011 00:35
    URI: http://eprints.fri.uni-lj.si/id/eprint/853
