Trust Establishment Mechanisms for Distributed Service Environments

The aim and motivation of this dissertation can be best described in one of the most important application fields, the cloud computing. It has changed entire business model of service-oriented computing environments in the last decade. Cloud computing enables information technology related services in a more dynamic and scalable way than before – more cost-effective than before due to the economy of scale and of sharing resources. These opportunities are too attractive for consumers to ignore in today’s highly competitive service environments. The way to realise these opportunities, however, is not free of obstacles. Services offered in cloud computing environments are often composed of multiple service components, which are hosted in distributed systems across the globe and managed by multiple parties. Potential consumers often feel that they lose the control over their data, due to the lack of transparent service specification and unclear security assurances in such environments. These issues encountered by the consumers boiled down to an unwillingness to depend on the service providers regarding the services they offer in the marketplaces. Therefore, consumers have to be put in a position where they can reliably assess the dependability of a service provider. At the same time, service providers have to be able to truthfully present the service-specific security capabilities. If both of these objectives can be achieved, consumers have a basis to make well-founded decisions about whether or not to depend on a particular service provider out of many alternatives. In this thesis, computational trust mechanisms are leveraged to assess the capabilities and evaluate the dependability of service providers. These mechanisms, in the end, potentially support consumers to establish trust on service providers in distributed service environments, e.g., cloud computing. In such environments, acceptable quality of the services can be maintained if the providers possess required capabilities regarding different service-specific attributes, e.g., security, performance, compliance. As services in these environments are often composed of multiple services, subsystems and components, evaluating trustworthiness of the service providers based on the service-specific attributes is non-trivial. In this vein, novel mechanisms are proposed for assessing and evaluating the trustworthiness of service providers considering the trustworthiness of composite services. The scientific contributions towards those novel mechanisms are summarised as follows: • Firstly, we introduce a list of service-specific attributes, QoS+ [HRM10, HHRM12], based on a systematic and comprehensive analysis of existing literatures in the field of cloud computing security and trust. • Secondly, a formal framework [SVRH11, RHMV11a, RHMV11b] is proposed to analyse the composite services along with their required service-specific attributes considering consumer requirements and represent them in simplified meaningful terms, i.e., Propositional Logic Terms (PLTs). • Thirdly, a novel trust evaluation framework CertainLogic [RHMV11a, RHMV11b, HRHM12a, HRHM12b] is proposed to evaluate the PLTs, i.e., capabilities of service providers. The framework provides computational operators to evaluate the PLTs, considering that uncertain and conflicting information are associated with each of the PLTs and those information can be derived from multiple sources. • Finally, harnessing these technical building blocks we present a novel trust management architecture [HRM11] for cloud computing marketplaces. The architecture is designed to support consumers in assessing and evaluating the trustworthiness of service providers based on the published information about their services. The novel contributions of this thesis are evaluated using proof-of-concept-system, prototype implementations and formal proofs. The proof-of-concept-system [HRMV13, HVM13a, HVM13b] is a realisation of the proposed architecture for trust management in cloud marketplaces. The realisation of the system is implemented based on a self-assessment framework, proposed by the Cloud Security Alliance, where the formal framework and computational operators of CertainLogic are applied. The realisation of the system enables consumers to evaluate the trustworthiness of service providers based on their published datasets in the CSA STAR. A number of experiments are conducted in different cloud computing scenarios leveraging the datasets in order to demonstrate the technical feasibility of the contributions made in this thesis. Additionally, the prototype implementations of CertainLogic framework provide means to demonstrate the characteristics of the computational operators by means of various examples. The formal framework as well as computational operators of CertainLogic are validated against desirable mathematical properties, which are supported by formal algebraic proofs

Beyond the Hype: On Using Blockchains in Trust Management for Authentication

Trust Management (TM) systems for authentication are vital to the security of online interactions, which are ubiquitous in our everyday lives. Various systems, like the Web PKI (X.509) and PGP's Web of Trust are used to manage trust in this setting. In recent years, blockchain technology has been introduced as a panacea to our security problems, including that of authentication, without sufficient reasoning, as to its merits.In this work, we investigate the merits of using open distributed ledgers (ODLs), such as the one implemented by blockchain technology, for securing TM systems for authentication. We formally model such systems, and explore how blockchain can help mitigate attacks against them. After formal argumentation, we conclude that in the context of Trust Management for authentication, blockchain technology, and ODLs in general, can offer considerable advantages compared to previous approaches. Our analysis is, to the best of our knowledge, the first to formally model and argue about the security of TM systems for authentication, based on blockchain technology. To achieve this result, we first provide an abstract model for TM systems for authentication. Then, we show how this model can be conceptually encoded in a blockchain, by expressing it as a series of state transitions. As a next step, we examine five prevalent attacks on TM systems, and provide evidence that blockchain-based solutions can be beneficial to the security of such systems, by mitigating, or completely negating such attacks.Comment: A version of this paper was published in IEEE Trustcom. http://ieeexplore.ieee.org/document/8029486

Network entity characterization and attack prediction

The devastating effects of cyber-attacks, highlight the need for novel attack detection and prevention techniques. Over the last years, considerable work has been done in the areas of attack detection as well as in collaborative defense. However, an analysis of the state of the art suggests that many challenges exist in prioritizing alert data and in studying the relation between a recently discovered attack and the probability of it occurring again. In this article, we propose a system that is intended for characterizing network entities and the likelihood that they will behave maliciously in the future. Our system, namely Network Entity Reputation Database System (NERDS), takes into account all the available information regarding a network entity (e. g. IP address) to calculate the probability that it will act maliciously. The latter part is achieved via the utilization of machine learning. Our experimental results show that it is indeed possible to precisely estimate the probability of future attacks from each entity using information about its previous malicious behavior and other characteristics. Ranking the entities by this probability has practical applications in alert prioritization, assembly of highly effective blacklists of a limited length and other use cases.Comment: 30 pages, 8 figure

M-STAR: A Modular, Evidence-based Software Trustworthiness Framework

Despite years of intensive research in the field of software vulnerabilities discovery, exploits are becoming ever more common. Consequently, it is more necessary than ever to choose software configurations that minimize systems' exposure surface to these threats. In order to support users in assessing the security risks induced by their software configurations and in making informed decisions, we introduce M-STAR, a Modular Software Trustworthiness ARchitecture and framework for probabilistically assessing the trustworthiness of software systems, based on evidence, such as their vulnerability history and source code properties. Integral to M-STAR is a software trustworthiness model, consistent with the concept of computational trust. Computational trust models are rooted in Bayesian probability and Dempster-Shafer Belief theory, offering mathematical soundness and expressiveness to our framework. To evaluate our framework, we instantiate M-STAR for Debian Linux packages, and investigate real-world deployment scenarios. In our experiments with real-world data, M-STAR could assess the relative trustworthiness of complete software configurations with an error of less than 10%. Due to its modular design, our proposed framework is agile, as it can incorporate future advances in the field of code analysis and vulnerability prediction. Our results point out that M-STAR can be a valuable tool for system administrators, regular users and developers, helping them assess and manage risks associated with their software configurations.Comment: 18 pages, 13 figure

The global burden of cancer attributable to risk factors, 2010-19 : a systematic analysis for the Global Burden of Disease Study 2019

Background Understanding the magnitude of cancer burden attributable to potentially modifiable risk factors is crucial for development of effective prevention and mitigation strategies. We analysed results from the Global Burden of Diseases, Injuries, and Risk Factors Study (GBD) 2019 to inform cancer control planning efforts globally. Methods The GBD 2019 comparative risk assessment framework was used to estimate cancer burden attributable to behavioural, environmental and occupational, and metabolic risk factors. A total of 82 risk-outcome pairs were included on the basis of the World Cancer Research Fund criteria. Estimated cancer deaths and disability-adjusted life-years (DALYs) in 2019 and change in these measures between 2010 and 2019 are presented. Findings Globally, in 2019, the risk factors included in this analysis accounted for 4.45 million (95% uncertainty interval 4.01-4.94) deaths and 105 million (95.0-116) DALYs for both sexes combined, representing 44.4% (41.3-48.4) of all cancer deaths and 42.0% (39.1-45.6) of all DALYs. There were 2.88 million (2.60-3.18) risk-attributable cancer deaths in males (50.6% [47.8-54.1] of all male cancer deaths) and 1.58 million (1.36-1.84) risk-attributable cancer deaths in females (36.3% [32.5-41.3] of all female cancer deaths). The leading risk factors at the most detailed level globally for risk-attributable cancer deaths and DALYs in 2019 for both sexes combined were smoking, followed by alcohol use and high BMI. Risk-attributable cancer burden varied by world region and Socio-demographic Index (SDI), with smoking, unsafe sex, and alcohol use being the three leading risk factors for risk-attributable cancer DALYs in low SDI locations in 2019, whereas DALYs in high SDI locations mirrored the top three global risk factor rankings. From 2010 to 2019, global risk-attributable cancer deaths increased by 20.4% (12.6-28.4) and DALYs by 16.8% (8.8-25.0), with the greatest percentage increase in metabolic risks (34.7% [27.9-42.8] and 33.3% [25.8-42.0]). Interpretation The leading risk factors contributing to global cancer burden in 2019 were behavioural, whereas metabolic risk factors saw the largest increases between 2010 and 2019. Reducing exposure to these modifiable risk factors would decrease cancer mortality and DALY rates worldwide, and policies should be tailored appropriately to local cancer risk factor burden. Copyright (C) 2022 The Author(s). Published by Elsevier Ltd. This is an Open Access article under the CC BY 4.0 license.Peer reviewe

Cloud Computing Landscape and Research Challenges regarding Trust and Reputation

Cloud Computing is an emerging computing paradigm. It shares massively scalable, elastic resources (e.g., data, calculations, and services) transparently among the users over a massive network. The Cloud market is growing rapidly and bringing up numerous research challenges. This paper provides a landscape of Cloud Computing and its research challenges, especially considering the areas of service selection, quality assurance of Cloud services, and trust establishment in Cloud environments. As the latter is known to be one of the major challenges of Cloud Computing, We also provide an overview of the important aspects that need to be considered when integrating trust and reputation concepts into Cloud Computing