• No se han encontrado resultados

fact that agents in the system are likely to lose trust in the parties upon whom the blame falls. The identification of who to blame is outside the scope of this study2, however it is important to consider the way in which trust changes when blame is assigned (to an individual or group) and when it is unattributed. For example, a consumer of the service offered by a VO may reduce their trust in all the members of a VO if they cannot assign a blame for a fault in the service to a single or group of agents. Likewise, they may lose trust in only those that are assigned the blame for the fault.

From the analysis of the trust issues in the VO formation stage of the VO life cycle, we obtain the following requirements:

General Requirement 9

Maintaining interaction history — Regardless of an agent operating in a VO or

outside a VO (in the mix of free agents in the multi-agent system) it is necessary for the trust model to store the experiences of the agent for future trust calculations.

General Requirement 10

Use social information — Since social structures are present in VO environments,

and are important in calculating trust, it is important for the model to include social factors and information in the calculation of a trust value.

General Requirement 11

Dynamic trust value — The model should provide a means of changing a trust

2

value (that an individual agent calculates for another) based on the experience of an individual agent. More specifically it should dynamically change trust values based on the individual’s observations over time. Every observation should have a defined impact on trust.

2.3.6 Trust Issues in VO Restructuring

A VO may require restructuring due to a number of different reasons. For example, in the contract a service may become redundant, or the contract may be modified to reflect the changes in the user requirements which may then necessitate the addition of a new service.

In restructuring the VO there are many issues regarding trust that have to be addressed. Most of these are concerned with group-level decision-making, by which we mean that the VO as a whole must assess how much trust can be placed in an individual (that is to be eliminated from or added to the VO). There is a definite need for a mechanism that collates the distributed trust information from members of a VO about a single non-member agent, so that it may be used in making a group decision that affects the structure of the VO.

Similarly, it is necessary to be able to represent and evaluate the trustworthiness of groups of agents. Up until now trust has been discussed with respect to a single individual, but VOs introduce the need to represent trust and reputation of groups of individuals. When a VO is restructuring, the VO members may find that there is another smaller VO that they wish to incorporate into their own VO. In this case, the members must evaluate the smaller VO as a whole, since they will have to place their trust in the VO. The need for representing trust of a collective is further complicated by the fact that a VO is dynamic and may have a short lifespan. Therefore, in the context of VOs it is necessary to represent the trust of groups of individuals that form a VO, independent of the VO lifetime.

The restructuring stage in a VO’s life cycle provides us with two further requirements for a trust model:

General Requirement 12

Trust level consensus — The model should provide mechanisms that allow a group

of agents to come to a consensus about the trust they are all willing to put in a particular individual.

General Requirement 13

VO-level trust — In VO environments it may be necessary to evaluate the trustwor-

thiness of a VO and in such cases the model should provide mechanism to produce a VO-level trust values from the trust values of the individual members.

2.3.7 Trust Issues in VO Disbanding

VOs disband because they reach the end of the contract that binds them and the need that they fulfill no longer exists, or if the VO has to undergo such a radical restructuring that it may be more efficient to disband and reform again. In either case, during its lifetime, the VO as a whole acquires much information that can be used to assess an agent’s trustworthiness. This information is distributed across the members of the VO, and will be subjective to the owner of the information, introducing a further trust related issue regarding the fate of this information. Upon disbanding, the information might:

1. stay internal to the agent that acquired it;

2. get reported to a central repository, making it available to all agents; 3. get reported to all the members of a VO before disbanding.

In addition, the context in which the trust information was obtained may change so that it may have to be used differently when the VO has disbanded. For example an agent A may have recorded that agent B always delivers in time whilst in the VO, but this might not be the case outside the VO. This is because outside a VO there might not be a contract specifying that if B fails to deliver then it is penalised heavily.

Finally, from the last stage in the VO life cycle, we obtain the following requirements, which are concerned with the manner in which trust information (used in calculating trust values) is stored and accessed:

General Requirement 14

Effective exchange of opinions — The model should provide a means of recording

trust information (evidence used in the trust calculation) in a way that can be shared quickly and effectively.

General Requirement 15

Distributed trust information — Given Requirement 2 (decentralised model), the

model should not rely on the trust information being in a central place.

General Requirement 16

Context dependent — The model should store and use trust information in a way

that allows agents to factor in the context in which the information was obtained, in the trust calculation.

2.4

Computational Models of Trust

Having reviewed multi-agent systems and agent-based virtual organisations, we now turn to the notion of trust. First, we discuss some generic definitions of trust, and then we present a review of computational trust models in light of the general requirements developed in the previous section.

Many sociologists have carried out research on the idea of trust within human society (for exam- ple (Misztal, 1996), (McKnight and Chervany, 1996) and (Williams et al., 1988)), resulting in a number of definitions for trust. A brief review of the literature concerned with the philosophy of trust and the application of trust-related concepts in computer science reveals the need to define trust before attempting to create a trust model. To this end, Dasgupta (1990) defines trust as a “sense of correct expectations about the actions of other people that have a bearing on one’s

own choice of action when that action must be chosen before one can monitor the actions of those others”. This definition allows us to extract certain attributes of trust, which would help in

building a computational model of trust. Specifically we can see that trust is both an expectation and a value that is estimated and used for judgement. Dasgupta also states that trust has no “obvious units”, but it is measurable in its context. Identification of this attribute is essential, as it has an impact on a computational model of trust. Computationally it is better that we have explicit values (for example integer values) in place of vague measurements of trust, values that can be compared and calculated. Dasgupta’s definition is adequate to the study of trust in soci- ety; however, for use in a computer system we need a more formal definition of trust, because mathematical concepts are easier to transfer to a computational model.

To this end, Gambetta (1988) offers a more probabilistic definition of trust and summarises it as “a particular level of the subjective probability with which an agent assesses that another

agent will perform a particular action, both before he can monitor such action and in a context in which it affects his own action”. He defines trust as a probability that has a threshold value,

which can be “located on a probabilistic distribution of more general expectations, which can

take a number of values suspended between complete distrust and complete trust, and which is centred on a midpoint of certainty”. This definition clearly views trust as being a probability

distribution representing complete trust and distrust at the two extremes of the distribution, also explicitly embodying the certainty of the trust that it represents. This is the definition of trust that we adopt in this work.

Having reviewed the general definition of trust from a sociological perspective, we now examine state of the art of computational models of trust. The purpose of our review is to examine techniques that have been used to model the concept of trust and to examine whether any of the current models meet the requirements stated in the previous section. However, before we examine trust models, we consider the different ways in which the models can be classified. A simple way in which to do this might be to group them based on where they can be applied, but this approach is not valid as almost all the models seem to be aimed at different domains. Instead, Ramchurn et al. (2004a) propose a classification made up of two classes: individual-level trust

and system-level trust. The former contains models that allow agents to have beliefs about the behaviour and trustworthiness of others in the system, whereas the latter groups together models which enforce trustworthy behaviour through certain protocols and mechanisms. Classifying models in such a way allows one to see, as described in Ramchurn et al. (2004a), the parts of the trust puzzle that are solved and the gaps that exist between higher-level trust models (individual-level) and the lower level (system-level) trust protocols. As described in Section 2.3.1, we are concerned with developing a model of trust that is to be applied at the application layer of the Grid architecture, and one that is not aimed at enforcing trustworthy behaviour. For this reason, and according to this classification, we only consider the models which fall under the individual-level classification.3

Furthermore, the majority of trust models can be divided into two distinct categories based on the overall architecture of the model: centralised and distributed, reflecting the nature in which information used to calculate trust is stored. In the centralised approach trust information is stored in a central repository, whereas in the distributed approach trust information is distributed amongst the many entities in the system. The rest of this section is divided into two main parts, each discussing a specific architecture along with models that fit that architecture. In each case the description of a model provides a brief overview, the definition and composition of trust used, and an evaluation of the model.

2.4.1 Centralised Models of Trust

In centralised systems there is a particular entity that is responsible for the activities of gathering trust information from the community, performing calculations on this information (for exam- ple, calculating a reputation value from all opinions), and making the results of its calculations public to anyone in the community. In this context, trust information largely refers to opinions of individuals about the behavior of others. Often this architecture is used by online communi- ties such as eBay4and Amazon.com5. Figure 2.4 shows a centralised system, where a central authority known as a reputation centre which is updated by individuals when they provide their opinion of another (as a rating), after each interaction. After each update, the centre calculates new reputation values based on a function of the opinions stored. The reputation values are then provided to all who query the centre for reputation information.

In more detail, Jøsang et al. (2006) describe two key components of centralised trust systems:

1. Centralised communication protocols — These allow communication between individ- uals in the community and the central information repository. More specifically, they describe methods to provide opinions to and obtain reputation values from the central authority.

3Here, we are not stating that all system-level trust approaches are not valid, and where possible we will draw

inspiration from such models.

4http://www.ebay.com 5

A B

PAST INTERACTIONS Agents report their ratings (opinion) for each interaction to a central reputation centre.

POTENTIAL INTERACTION Before interacting with an- other, an agents is able to obtain scores from the centre.

C D

E F

REPUTATION CENTRE

A D

REPUTATION CENTRE

Ratings ReputationScores