Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
trust and access control papers from KHU (20070620)
Some of the papers published in 2006 and 2007 by authors at the Ubiquitous Computing Laboratory of Kyung Hee University in Korea (English) include:
- "A Trust Model for Uncertain Interactions in Ubiquitous Environments" Le Xuan Hung, Hassan Jammeel, Seong Jin Cho, Yuan Weiwei, Young-Koo Lee, and Sungyoung Lee
The authors describe a formula for a metric of trust between two parties that wish to communicate with each other, based on peer recommendations, confidence based on the number of interactions, history of past interactions, and recentness of interactions. This formula has several 'weighting' control points by which it can be tuned for different environments.
- "A Dynamic Trust Model Based on Naive Bayes Classifier for Ubiquitous Environments" Weiwei Yuan, Donghai Guan, Sungyoung Lee, and Youngkoo Lee
In this approach, a service provider deciding whether to provide a service to another party uses a Naive Bayes classifier twice: first based on the service provider's prior knowledge, and second incorporating recommendations.
- "Finding Reliable Recommendations for Trust Model" Weiwei Yuan, Donghai Guan, Sungyoung Lee, Youngkoo Lee, Andrey Gavrilov,
- "Filtering out Unfair Recommendations for Trust Model in Ubiquitous Environments" Weiwei Yuan, Donghai Guan, Sungyoung Lee, Young-Koo Lee, and Heejo Lee (Korea University)
This approach adds a Cascade-Correlation neural network to
"...filter out randomly given irresponsible recommendations, individual unfair recommendations as well as unfair recommendations flooding no matter the recommendations are from recidivist (recommenders who always give malicious recommendations) or inside job (recommenders who acted honest suddenly give unfair recommendation on the benefit of themselves) ... differentiate doubtful recommendations due to different reasons: the changing behaviors of service requesters in front of different recommenders, the incorrect observations by recommenders, as well as malicious intention of recommenders, [and] detect the malicious recommendations when limited information is available for the recommenders which is usually the case in a real scenario."
- "Enforcing Access Control Using Risk Assessment" Nguyen Ngoc Diep, Le Xuan Hung, Yonil Zhung, Sungyoung Lee, Young-Koo Lee, and Heejo Lee
The authors propose a formula for calculating the cost of outcomes and of actions, for a model in which
"A request from principle p to perform an action is submitted to the access control manager. The access control manager looks up relevant outcomes that may occur due to this action and query risk assessment module for calculating risk value after sending it necessary parameters. The risk assessment module, after calculating cost of outcomes in term of availability, confidentiality, and integrity based on context of principle, environment and resource, evaluates risk value of the action. The decision is made at access control manager based on risk value from risk assessment module. The risk value is compared with the threshold, and then access control manager returns the decision."
- "A Flexible Trust-Based Access Control Mechanism for Security and Privacy Enhancement in Ubiquitous Systems" Pho Duc Giang, Le Xuan Hung, Sungyoung Lee, Young-Koo Lee and Heejo Lee
This paper leverages the trust metrics (with a sliding window for evaluating historical interactions) in an access control enforcer, in which access control policies are expressed with a minimum trust level threshold (e.g., a requestor needs only a low trust level for accessing a user's printer or fax machine, but a higher trust level for accessing a user's personal document store).
- "A Trust-Based Approach to Control Privacy Exposure in Ubiquitous Computing Environments" Pho Duc Giang, Le Xuan Hung, Riaz Ahmed Shaikh, Yonil Zhung, Sungyoung Lee, Young-Koo Lee and Heejo Lee
This paper refines the mapping function of the access control decision so that it categorizes requestors into three zones: distrusted (parties the user does not wish to communicate with), public, and trusted (parties the user is willing to share privacy-sensitive information with).
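
The enforcer described in the last two summaries (a sliding window over historical interactions, a minimum trust level per resource, and three requestor zones) can be sketched as follows. This is an added example, not code or formulas from the papers: the trust metric (fraction of positive outcomes in the window), the window size, the threshold values, the zone boundaries and all names are assumptions chosen for illustration.

```python
from collections import deque

# Constructed values: the papers' own trust formula and thresholds
# are not reproduced here.
WINDOW = 5                                  # assumed window size
POLICY = {"printer": 0.2, "fax": 0.2, "document_store": 0.8}  # assumed minimums
DISTRUST_BELOW, TRUSTED_FROM = 0.2, 0.8     # assumed zone boundaries


class TrustEnforcer:
    def __init__(self, window=WINDOW):
        self.window = window
        self.history = {}                   # requestor -> recent outcomes

    def record(self, requestor, positive):
        """Store one outcome; the oldest falls out once the window is full."""
        h = self.history.setdefault(requestor, deque(maxlen=self.window))
        h.append(bool(positive))

    def trust(self, requestor):
        """Fraction of positive outcomes in the window; 0.0 for strangers."""
        h = self.history.get(requestor)
        return sum(h) / len(h) if h else 0.0

    def zone(self, requestor):
        t = self.trust(requestor)
        if t < DISTRUST_BELOW:
            return "distrusted"
        return "trusted" if t >= TRUSTED_FROM else "public"

    def allow(self, requestor, resource):
        """Fail closed on unknown resources and distrusted requestors."""
        if resource not in POLICY or self.zone(requestor) == "distrusted":
            return False
        return self.trust(requestor) >= POLICY[resource]


def demo():
    """Five good interactions, then two bad ones (constructed history)."""
    e = TrustEnforcer()
    for _ in range(5):
        e.record("alice", True)
    before = (e.zone("alice"), e.allow("alice", "document_store"))
    e.record("alice", False)
    e.record("alice", False)
    after = (e.zone("alice"), e.allow("alice", "document_store"),
             e.allow("alice", "printer"))
    return before, after
```

In the constructed history, two recent bad interactions move the requestor from the trusted zone to the public zone: access to the document store is withdrawn while the low-threshold printer stays reachable.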