3. Collaborate with the service provider with maximum reputation level.
To illustrate trust-based service provider selection by the user, let us give two examples. The mobile user selects an information provider (IP) to receive handover-related services, such as information about neighbouring networks. The mobile node is able to communicate with its home network, but is interested in receiving critical information without the delays caused by transmission latency. For this reason the mobile node is motivated to use services provided by one of the networks visible from its current point of attachment.
[Figure VI.24, panel a: Visible networks (Serving network; Neighbor network 1: received beacons; Neighbor network 2: received beacons; Home network, by default). Sorted list of IPs: R(net1), R(net2), R(net3), …, R(netk). Sorted visible IPs: Neighbor network 2: R(net1); Serving network: R(net2); Neighbor network 3: R(net3); RL.]
[Figure VI.24, panel b: the same visible networks and sorted lists; RL; selected: Home network.]
Figure VI.24. Example of candidate service provider trustworthiness verification
We suppose that the user already has some experience with different service providers and he has a list of them sorted by trust score. The user extracts from this list networks visible from its current location and selects the provider with the best reputation (Figure VI.24, a). If there is no visible service provider with a sufficiently high trust score value (Figure VI.24, b), the user selects the home provider.
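The two cases of Figure VI.24 as a small worked example. This is added code, not the thesis's own implementation: the network names, the R(net) scores, the home-network identifier and the threshold that decides whether a score is "sufficiently high" are all constructed assumptions.

```python
# Added example, not code from the thesis: trust-based selection of an
# information provider (IP) by a mobile user, following the two cases
# of Figure VI.24. Network names, R(net) scores and the threshold are
# constructed values.
from typing import Dict, List, Tuple

# Constructed "sorted list of IPs": reputation R(net) the user has
# built from past interactions, highest trust first.
REPUTATION: Dict[str, float] = {
    "net1": 0.92,
    "net2": 0.81,
    "net3": 0.64,
    "net4": 0.35,
}
HOME_NETWORK = "home"   # reachable by default, used as the fallback
MIN_TRUST = 0.5         # assumed: below this a score is not "sufficiently high"


def sorted_visible_providers(reputation: Dict[str, float],
                             visible: List[str]) -> List[Tuple[str, float]]:
    """Extract from the reputation list the networks visible from the
    current point of attachment (serving network plus networks whose
    beacons were received) and order them by descending R(net).
    Networks the user has no experience with are dropped: they have no
    score and cannot be ranked."""
    known = [(net, reputation[net]) for net in visible if net in reputation]
    return sorted(known, key=lambda item: item[1], reverse=True)


def select_provider(reputation: Dict[str, float], visible: List[str],
                    home: str = HOME_NETWORK,
                    min_trust: float = MIN_TRUST) -> str:
    """Case a: the best-ranked visible provider clears the threshold and
    is selected. Case b: no visible provider is trusted enough, so the
    user falls back to the home network despite the extra latency."""
    ranked = sorted_visible_providers(reputation, visible)
    if ranked and ranked[0][1] >= min_trust:
        return ranked[0][0]
    return home


if __name__ == "__main__":
    # Case a: beacons from net2 and net3 received while served by net4.
    print(select_provider(REPUTATION, ["net4", "net3", "net2"]))  # net2
    # Case b: only net4 (low score) and an unknown net9 are visible.
    print(select_provider(REPUTATION, ["net4", "net9"]))          # home
```

Note that an unknown network is never selected, even if it is the only one visible: the user has no experience with it and therefore no score to compare against the threshold, which is exactly the situation in which the home network is the safe default.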
VI.9 TRUST-BASED ACCESS CONTROL FRAMEWORK IMPLEMENTATION
VI.9.1 System architecture
The proposed trust model is applicable if a service provider can observe, record and analyze the activity of the user. To access the resources each user performs authentication and the network is able to recognize the same agent in different authentication sessions. The entity performing the trust evaluation communicates with the authentication database, the policies database, log files of applications or services, firewalls and intrusion detection systems.
We present a general overview of the components of a trust-based access-control framework and their interaction. Three agents may participate directly or indirectly in each interaction: a service provider, a user and an entity that recommends the user (usually, his identity provider or the home network).
Figure VI.25 depicts the generalized scheme of interaction between the Trust Evaluation Server and the Trust Data Storage. It also shows the influence of continuous observation of user behaviour on changing access policies. The risk level is produced from the continuous observation of the behaviour of users and their recommenders.
In addition to the AAA server, each service provider has three new entities: a Trust Evaluation Server, a Trust Data Storage and an Observation Agent. Whenever a user wants to obtain access to services provided by the network, the AAA server authenticates the user. After that it communicates the user identity to the Trust Evaluation Server, which performs a trust evaluation of the user based on information about his past behaviour and the current risk level in the environment, both taken from the Trust Data Storage. If the user is considered to be trusted, he is given access to a set of services according to the assigned trust level and the presence of a recommendation from a party trusted by the service provider. If the user is distrusted, he is denied access to services. The Observation Agent records the behaviour of the user during the session and transmits the collected data to the Trust Data Storage. The database of users contains information about the past behaviour of visitors, and the database of operators contains information about the past behaviour of partners whose subscribers have been served by this network. If the network provides services for a fee, other operators may be responsible for transferring user payments for the services accessed. In such a scenario, a partner is considered a “bad” partner if it delays payments or does not transfer them. The trust values for the user and for his home network are calculated using information from the corresponding databases.
When an agent has the role of recommender in a current interaction, it needs to decide whether or not to issue a recommendation for a user. To make this decision, the recommender calculates the trust value of the user based only on the user’s past behaviour recorded in the Subscribers database, with the help of the Trust Evaluation Server.
On the user’s side, the following elements are involved in a provider’s reputation evaluation: the Service Providers database, the Observation Agent and the Trust Calculation Engine. The database of service providers contains identifiers of service providers, sorted by reputation value. The functionality of the Observation Agent is limited to measuring a certain parameter and comparing it with the required value. For example, the declared versus the provided QoS, or the price paid for the services used, may serve as a basis for reputation construction. Operations performed by the Trust Calculation Engine on the user’s side are limited to a simple comparison of the measured and desired values of the evaluation criteria. Recommendations received from the home or another trusted authority may be stored locally and presented to the service provider with which the user wishes to collaborate.
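The user-side elements just described, as an added example that is not part of the thesis: an Observation Agent whose only operation is comparing a measured value with the declared one, and a Trust Calculation Engine that turns those comparisons into a reputation score and keeps the Service Providers database sorted. The criteria (downlink rate, delay, price), the comparison direction per criterion, the "share of kept promises" scoring rule and all provider names and readings are assumptions constructed for the example.

```python
# Added example, not the thesis's code: a user-side Observation Agent
# that compares a declared value with a measured one, and a Trust
# Calculation Engine that keeps the Service Providers database sorted
# by reputation. Criteria, providers and readings are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Observation:
    provider: str
    criterion: str    # assumed criteria: "downlink_kbps", "delay_ms", "price"
    declared: float   # value the provider advertised or contracted
    measured: float   # value the user actually observed in the session


# Assumed comparison direction per criterion (True = higher is better).
HIGHER_IS_BETTER = {"downlink_kbps": True, "delay_ms": False, "price": False}


def criterion_satisfied(obs: Observation) -> bool:
    """Observation Agent: compare the measured value with the required one."""
    if HIGHER_IS_BETTER[obs.criterion]:
        return obs.measured >= obs.declared
    return obs.measured <= obs.declared


@dataclass
class Reputation:
    satisfied: int = 0
    total: int = 0

    def value(self) -> float:
        # Assumed scoring rule: share of observations in which the provider
        # kept what it declared; a provider never observed scores 0.
        return self.satisfied / self.total if self.total else 0.0


class TrustCalculationEngine:
    def __init__(self) -> None:
        self.db: Dict[str, Reputation] = {}   # Service Providers database

    def record(self, obs: Observation) -> None:
        rep = self.db.setdefault(obs.provider, Reputation())
        rep.total += 1
        if criterion_satisfied(obs):
            rep.satisfied += 1

    def ranked(self) -> List[Tuple[str, float]]:
        """Provider identifiers sorted by reputation value, best first."""
        return sorted(((p, r.value()) for p, r in self.db.items()),
                      key=lambda item: item[1], reverse=True)


def build_sample_engine() -> TrustCalculationEngine:
    """Feed constructed session measurements for three providers."""
    engine = TrustCalculationEngine()
    for obs in [
        Observation("netA", "downlink_kbps", 5000, 5200),  # kept
        Observation("netA", "delay_ms", 50, 40),           # kept
        Observation("netA", "price", 1.0, 1.0),            # kept
        Observation("netB", "downlink_kbps", 5000, 3000),  # broken
        Observation("netB", "delay_ms", 50, 80),           # broken
        Observation("netB", "price", 1.0, 1.5),            # overcharged
        Observation("netC", "downlink_kbps", 2000, 2000),  # kept
        Observation("netC", "delay_ms", 100, 120),         # broken
    ]:
        engine.record(obs)
    return engine


if __name__ == "__main__":
    print(build_sample_engine().ranked())  # netA first, netB last
```

The split of responsibilities mirrors the text: the agent knows nothing about trust, only about one measurement and one required value, while the engine never measures anything and only aggregates and sorts.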
Figure VI.25. General architecture of the trust-based access control framework
The proposed access control system relies on trust calculation and consists of static and dynamic components. We call a component static if it is not changed in an autonomous manner. The service sets and corresponding trust levels are static components because changes are performed by the system administrator. We consider that the proposed system is not able to add or remove services automatically.
Databases containing information related to users and to partner service providers change over time, which causes the observed risk value to evolve and, as a consequence, the service access policies.
In the digital world it is very simple for a user to change his identity if that identity is only an e-mail account. We assume that the proposed trust model is designed for access networks that implement strong authentication and identity- or role-based access control. Anonymous access is the current practice for peer-to-peer or overlay networks or for web services. The concept of user identity adopted in this work is the one defined by the 3GPP. Each user has a pair of identifiers, a public identity and a private identity. The main requirement is that the identity must allow users to be traced.
VI.9.2 A use-case scenario
This section describes the authentication and access control framework by putting together the components introduced earlier. A mobile user evaluates the trustworthiness of each available access network using the approach presented in Section VI.8. In Section V.2 we provided an overview of the protocol for fast authentication in an inter-domain handover scenario. The optimized scheme for authentication ticket distribution is described in Section V.3. Authentication results in giving a user authorization to access a network, but usually an access network should also decide what the authenticated user’s access rights and privileges are. After user identification the access network evaluates its trust in this user by the method introduced in Chapter VI, in parallel with the execution of the authentication process.
Figure VI.26 demonstrates that a user can associate with access networks that may be based on different technologies and that are managed by different authorities. Let the user John be subscribed to the operator of network A as well as to the operator of network B. Operator C is a roaming partner of operator A and serves subscribers of its partners. Network D is a network managed by a non-profit operator, which may be a school or an enterprise authority. Network D has no agreements with its neighbours. The mobile user John does not want to expose his identity to a non-home authority, which is why he is perceived as John@A (or John@B) by his identity providers, and as, for example, i_am_away@A and i_am_away@B by non-home networks. John may use the “external” identity for network D or have a specific identity for it.
We assume that there are other access networks coexisting in the same geographical area, but the user has considered them unreliable, which is why he does not take their advertisements into consideration.
Figure VI.26: Handover scenario: four access networks managed by different authorities
Modern mobility management and fast authentication protocols allow a fast transition to be performed only between the partner networks A and C, which can exchange the user-related security context in a secure manner. When associating with any other network, the user must execute a full authentication exchange.
If the access networks are FAP-enabled, the user in the described use-case scenario can perform fast authentication with any network in the region. Each network issuing fast authentication tickets may issue them for itself. In that way the user may hand over from network A to network B using a ticket issued by B and, being either in network B or in network C, hand over to network D using D’s own ticket.
If the user has demonstrated malicious or suspect behaviour in network C, which is a roaming partner of his home network, service provider C may restrict the user’s authorizations despite the presence of roaming and service level agreements with the user’s home network.
VI.9.3 Authentication and authorization
For illustration purposes we use IEEE 802.11 here to demonstrate the proposed authentication and authorization framework. To address fast handover requirements, the procedure that defines authorization rights must not increase authentication latency. In this regard, access policy enforcement should be performed in parallel with the user’s authentication and session key negotiation.
Figure VI.27: Process of user authentication and authorization in a visited network
After receiving the user’s identity response, a RADIUS server typically searches for the corresponding user in its local database. If interaction-history data is kept along with the username, the authentication server has all the information necessary for trust value evaluation by the end of the authentication process. Thus the calculation of the trust value may be started at the same time as the session key negotiation process. Figure VI.27 shows the succession of actions performed by the authentication server within an access network in order to authenticate a user and to determine his authorization for the session to come. The first block of actions includes user identification and a search for information related to his past visits. If the user is not found, at least his recommender (identity provider) must be known to the serving network. The second block of actions includes fast authentication, and the subsequent block serves to determine the user’s authorizations, which are based on the trust value of the user, of his recommender, or of both, as described in Section VI.5.
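The third block of Figure VI.27, and the server-side components of Section VI.9.1 that feed it, as an added example that is not the thesis's own code. It reduces a user's or a partner operator's past behaviour to counts kept in the users and operators databases, derives a trust value from the user's record, the recommender's record or both, tightens the administrator-defined service-set thresholds with the current risk level, and denies access when neither the user nor the recommender is known. The linear blend of own experience and recommendation, the risk adjustment, the three service sets and all database entries are assumptions constructed for the example; the thesis states that a linear model is used but does not give this particular formula.

```python
# Added example, not the thesis's code: the server-side decision made
# after authentication (Figure VI.27, third block). It combines the
# user's own record from the users database, the recommender's record
# from the operators database and the current risk level, and maps the
# result onto administrator-defined service sets. The trust formula,
# the risk adjustment and all records are assumptions/constructed data.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class BehaviourRecord:
    """Past behaviour reduced to counts: sessions that respected the
    policies vs. sessions that did not (for a partner operator:
    payments transferred on time vs. delayed or missing)."""
    good: int = 0
    bad: int = 0

    def size(self) -> int:
        return self.good + self.bad

    def trust(self) -> float:
        return self.good / self.size() if self.size() else 0.0


# Static component: service sets per trust level, changed only by the
# administrator. Most privileged first; the number is the minimum trust.
SERVICE_SETS = [
    ("gold",   0.90, {"internet", "voip", "premium_qos"}),
    ("silver", 0.60, {"internet", "voip"}),
    ("bronze", 0.30, {"internet"}),
]
# Assumed: after about this many own sessions the provider's own
# experience outweighs the recommendation.
RECOMMENDATION_WEIGHT = 10


def compute_trust(user: Optional[BehaviourRecord],
                  recommender: Optional[BehaviourRecord]) -> Optional[float]:
    """Trust from the user's record, the recommender's record or both.
    None means neither is known, so there is nothing to evaluate."""
    if user is None and recommender is None:
        return None
    if user is None:
        return recommender.trust()            # unknown visitor, known partner
    if recommender is None:
        return user.trust()                   # known visitor, no recommender
    w = user.size() / (user.size() + RECOMMENDATION_WEIGHT)
    return w * user.trust() + (1 - w) * recommender.trust()  # assumed linear blend


def authorize(user_id: str, recommender_id: str,
              users_db: Dict[str, BehaviourRecord],
              operators_db: Dict[str, BehaviourRecord],
              risk_level: float) -> Tuple[str, Set[str]]:
    """Return the granted trust level and its service set, or deny."""
    trust = compute_trust(users_db.get(user_id), operators_db.get(recommender_id))
    if trust is None:
        return ("denied", set())
    for level, threshold, services in SERVICE_SETS:
        # Assumed dynamic component: a higher risk level pushes every
        # threshold towards 1, so the same history buys fewer services.
        if trust >= threshold + risk_level * (1.0 - threshold):
            return (level, set(services))
    return ("denied", set())


# Constructed databases of the visited network.
USERS = {
    "i_am_away@A": BehaviourRecord(good=19, bad=1),   # well-behaved regular
    "bad_guy@B":   BehaviourRecord(good=0, bad=30),   # repeatedly malicious
}
OPERATORS = {
    "A": BehaviourRecord(good=9, bad=1),   # pays on time
    "B": BehaviourRecord(good=8, bad=2),   # occasionally late
}


if __name__ == "__main__":
    print(authorize("i_am_away@A", "A", USERS, OPERATORS, 0.0))  # gold
    print(authorize("new@B", "B", USERS, OPERATORS, 0.6))        # bronze
    print(authorize("bad_guy@B", "B", USERS, OPERATORS, 0.0))    # denied
```

Two behaviours worth noticing: a first-time visitor recommended by partner B is served on B's reputation alone, but the same recommendation does not rescue "bad_guy@B", whose own record dominates once enough sessions have been observed; and raising the risk level demotes the recommended newcomer from the silver to the bronze set without any change to the static service sets themselves.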
VI.10 CHAPTER SUMMARY
In different works trust is represented as a combination of the probability of future acceptable behaviour of a partner, competence, disposition, benefits, costs, witness, recommendation and past experience. In this work we design a trust model for access control in networks that provide services. We assume that service providers are motivated to serve users because of the profit received from interactions. Users need high-quality access to, and use of, their preferred services. As the service provider does not know potential users, it should make several hypotheses concerning user behaviour. It is natural for a service provider to accept users that are unknown but recommended by a business partner. It is also natural to stop serving a user, even one recommended by a partner, if the user displays malicious behaviour. The service provider can reserve the highest QoS for privileged clients that have demonstrated good behaviour (satisfying network policies) for a certain period of time.
To deal with an unknown user, recommendations from a trusted party have a decisive influence on the decision concerning the trustworthiness of this user. Over time, personal experience becomes more important than the recommendation, because a recommender may consider the user to be a good one yet not be aware of his behaviour.
The proposed trust model may be implemented to improve access control in open environments such as wireless networks of Internet service providers that serve a large number of users. This model is also suitable for peer-to-peer environments such as grids or file-sharing systems. The generalized formalization of notions of trust, behaviour and risk allows the model to be suitable for various deployment scenarios. In such scenarios each peer is at one and the same time both a user and a service provider.
Trust formalization is different for the service provider and the user. This results from the fact that trust of the service provider in the user must be refined to allow or deny different kinds of actions within the same interaction, while the user has only a binary choice, to interact or not to interact with a service provider.
In this work we consider the aspect of trust development over time rather than the different aspects of trust propagation. The main improvement made in this work consists of using a direct and clear relationship between network access policies and trust model parameters. The proposed memory model aims to reduce the space necessary to store the long-term user behavioural history to a set of discrete variables, rather than using a time series or a description language, as has been proposed in related publications. A linear trust model provides the best performance when compared with the non-linear models described in the literature.
The main point of originality of the proposed model is the use of different sources of trust, the possibility of dynamic adaptation to the changing environment, and the ability to work with user history over a long timeframe.