trust metrics and models

8/6/2019 Trust Metrics and Models

1/44

Welcome


2/44

E-Commerce Trust

Metrics and Models


3/44

Traditional models oftrust between vendors

and buyers fall short ofrequirements for an

electronic marketplace, where anonymous

transactions cross territorial and legal

boundaries as well as traditional value-chain

structures.

Alternative quantifications oftrust may

offer better evaluations oftransaction.


4/44

As millions of customers begin to participate in

e-commerce, we can expectincreasedtran-

sactions of extremely variedquantityand value;

in addition, the goods and services transacted

will be subjectto verydifferentlegal regulation

andeconomic risk.

This emerging marketplace will require the

abilityto make distinctions thatthe credit-card

transaction model does not support.


5/44

Howdo we setmeasurement criteria to make

these distinctions?

One wayis to quantify trust.


6/44

Research on this problem in e-commerce has

focused on authentication thatis, associating apublic keywith its owner.

However, all their models are based on transi-

tive trustalong a transaction path of entities that

trust the key to different extents.

E-commerce, on the other hand, requires mutual

trustamong avendor, acustomer, andall transac-

tion intermediaries.


7/44

This article introduces a notion ofquantifiable trust

andthen develops models that can use these

metrics to verify e-commerce transactions in waysthat mightbe able to satisfythe requirements of

mutual trust.


8/44

RISK EVALUATION WITH TRUST METRICS

Although no single unit of measure is adequate to

the definition oftrust, several dependentvariables,

such as cost, can be usedto describe it.


9/44

Trust Variables

Transaction cost

First, riskis a function ofthe cost of goods and services: a careful

buyer gives more thoughtto expensive purchases. Similarly, a

vendor might notworryabout losing revenue on asingle micro-

transaction ofnegligible costvalue, butthe riskincreases with the

cost ofa single transaction orthe number of microtransactions, and

so does the vendors attention to revenues and expenses.


10/44

Transaction history

Transaction historyis similarto apersons credit history.In Internet commerce, transaction history couldinclude acustomers

profile oftransactions with several vendors andavendors profile of

transactions with several customers.

Indemnity

The trust level ofatransaction is increased when atrustedinterme-

diary guarantees against loss.

This is especiallytrue fornew customers or vendors without transac-

tion histories: they cannotperform expensive transactions unless

guaranteedbyatrustedintermediary.


11/44

Other trust variables

Spending patterns

Ifacustomers hostcomputer were compromised orthe customers

smart cardorcurrency were stolen, it mightbe possible to detect

suspicious activityby observing changes in spending patterns.

System usage

Increasing the number oftransactions increases the tax on systemresources.


12/44

Variable trust parameters

Time

The number oftransactions conductedduring a certain period of

time, in which the transaction frequency couldreflectachange of

trust state.

Location

The transactions routed through intermediaries that have perhapsbeen compromised in some waywould likelylowertrust.


13/44

Trust Actions

Once variables for quantifying trustare defined, a

transaction can be actedupon according to the

value oftrustso determined.The most common actions are

Verification - of eitherthe customers or vendors

Credentials.

Authorization.


14/44

Trust Metric Terms and Definitions

Transacting entityAnyentity thatengages itselfin an electronic commerce transaction

is atransacting entity. This entity couldbe acustomer, avendor, a

broker, an intelligentagent, apaymentserver, oranyintermediary.

Trustauthority

Trustmatrices are usedto evaluate the trust on a certain transaction

or on the next set oftransactions. Unless these trust matrices areprotected againstmanipulation andare maintained by certain

authorities, transacting entities cannottrustthem. These authorities

are calledtrustauthorities (TA).


15/44

Agreement Framework

A relationship binding all the transacting entities involvedin asingleset oftransactions. The relationshipusuallyincludes various policies

forconducting transactions andis usuallyplaced ataTA. Each set of

transactions is interpreted based on the policy, andthe results

are usedto update trustmatrices.


16/44

RISK ANALYSIS

USING TRUST MODELS

Trustvariables andactions are the basis forthe

Four differenttypes oftrustmodels.

Boolean Relationships

Fuzzy Logic

Transaction Processes

Transaction Automaton


17/44

Models Based on Boolean Relationships

Two or more trustvariables andparameters can be usedto

describe the level oftrust on aparticulartransaction.

These variables shouldbe meaningfullyrelatedto each

otherto provide asemantic definition ofthe model.

The relationship can be capturedbyatrust matrix, where

matrix actionsentitiesrelate to the rowand column

labels.


18/44


19/44

The above figure describes atrust matrix with a

single matrix action, V, which signifies thata

particulartransaction shouldbe verified.

Actions that need notbe verifiedare grouped

into atrust zone, the boundary of which zone is

atrust contour.


20/44

Models Based on Fuzzy Logic

Linguistic terms such as microcosttransaction or excellent transac-

tion history lettransacting entities such as vendors easilydescribe

their measurementunits.

The actions mayalso have to be weighted to distinguish the various

degrees of measurement.

For example, it makes little sense to verify atransaction for someone

with agood historyto the same extentas for someone who has apoor

history, even when making the same high-costtransaction.


21/44


22/44

Referring to the above figure, a customer with an excellent transac

tion history has one in 50 transactions verified (V/50), whereas the

customer with the worst transaction history has every transaction

verified through a variety of methods, including thorough consulta

tions with other vendors, trusted intermediaries, and reviews of

previous transactions. This might be represented in the matrix by

something like 20V.

The numbers in this trust matrix are difficult to determine, however,

anditis unclear how20V compares to, say, 10V.


23/44

One offuzzy logics benefits is thatusing linguistic terms (such as

normal, excessive, and worst) allows foreasier interpretation ofthe matrix entities bytrustintermediaries andauthorities.

These linguistic terms coverarange of values ratherthan asingle

discrete value, which enables theiruse in aknowledge processingsystem, such as a fuzzy logic expert system.

A fuzzy logic-based expert system allows these linguistic values to be

represented bymathematical functions called membership

functions.


24/44


25/44

Models Based on Transaction Processes


26/44

E-commerce transaction protocols in generalandsecurity protocols

in particularfollowa handshake procedure before delivering goods

ofanykindto the customer.This handshake procedure usually follows the authenticate-first, then

authorize, pay, anddelivertrust model (calledthe AAP model).

The AAP model does notsuitall e-commerce transactions forreasons

of efficiencyandredundancy.


27/44

When suspicious activityis noticed, the server orvendor shouldinsist

on properauthentication. Suspicious activities wouldinclude a spurt

in transaction activity oran unanticipated request foraccess to confi-

dential information. This is calledthe authorize-first, then pay and

deliver, orauthenticate-if-trust-violated (ATV) model.

A thirdtrust model is the pay-first (PF) model, which is useful for

customers interestedin anonymity or new customers who have no

trust relationship. Anonymous customers who wantto remain that

waypreferto payusing electronic currency(for example, Digicash) to

paybefore receiving goods.


28/44

Model Based on a Transaction Automaton

This trust model describes e-commerce trust on the basis ofthe

transactions state: fail, success, in-progress, attack.

A transaction is successfully completedwhen the trustauthority (TA)receives a complete acknowledgment from all entities involvedin the

transaction.

A transaction is in-progress ifthe TA has notreceiveda complete

acknowledgment from any ofthe transacting entities.


29/44

A transaction fails ifthe TA has notreceiveda complete message

during the time allocatedforthe transaction, as definedin the

agreement frameworkor contractto complete.

Ifthe failure results from acomplaint orsuspicion, however, the

transaction state changes from in-progress (or failure) to attack.


30/44

COMMERCE-RELATED ATTACKS

Byapplying trust models to examine e-commerce relatedattacks, we

can betterunderstand howto detect, prevent, correctandrecover

fromthem.

Stolen Token

Contour Discovery


31/44

Stolen Token

The thief can use the stolen password ortoken to impersonate the

genuine legitimate customerand make transactions overthe

Internet.

The impersonating customer can pay for goods, butthesepayments are not genuine since theywere stolen.

The following methods couldbe employedto detect :

Detection byanalyzing spending pattern

Prevention by timer-delay key recovery

Correction and transaction recovery


32/44

Detection byanalyzing spending pattern

Byobserving the purchase patterns, the trustedintermediaries or

authorities mightdetect such fraud before the genuine customer

realizes the theftandreports it. Forthe trustauthorities to detect

such activities, the basic Boolean Trust Model described earlier canbe enhanced byadding atrustparameter: time.


33/44


34/44

Prevention by timer-delay key recovery

Afterdetection ofa suspicious spending pattern, delaying the delivery

ofadecrypting keyto the impersonating customer can prevent

further loss.

This keyis usuallydeliveredafterthe customerpays the vendor, butthis step can be delayeduntil the customer (here, the Impersonator)

provides more secret or sensitive information such as biometrics

not containedin the stolen smart card or computer.


35/44

Correction and transaction recovery

Once identityis reestablished, the trustauthority issues the customer

anewtoken.

Losses to the customerand vendorare covered underan agreement

framework thatis similarto an insurance policy, though informationorservices confiscated bythe impersonator cannotbe easilyreco-

vered.


36/44

Contour Discovery

Contourdiscoverymeans thatthe boundary ofatrustzone has been

discovered byan impersonator, for example.

An impersonating customer mightpenetrate the trustzone by

watching several transactions between atrustedcustomer andthe

transacting vendor (thus exposing the persons privacy).

The impersonator needknow onlythe price, the customers name,

andthe transactions success orfailure. This information is available

outside the secured (confidential) portion ofthe transaction.

Combinedwith astolen token, the impersonator couldpretend to be

honestbyapplying techniques such as indemnity, prepayment, or

overpayment.


37/44

One technique forpreventing contourdiscoveryattacks is random

perturbation, using an auditedtrustzone; thatis, we can randomly

verify transactions within the trustzone instead of committing the

transaction withoutperforming adequate security checks forauthen-

tication, authorization, ortrust.


38/44

PROPAGATIONOF TRUST

Electronic commerce generallyrequires acustomer to interact with

several trustedintermediaries before actuallycontacting the vendor.

Some ofthese intermediaries may nothave hadatrustedrelationship

among themselves, in which case adefault relation is setbetweenthem. Otherwise, the existing relations are invokedto participate in

the commerce exchange.


39/44


40/44

Differing trustrelationships existamong the customers, interme-

diaries, andvendors. To calculate asingle trustvalue between the

customerand vendorrequires forming an overall trustrelationshipthat governs the transactions between them.


41/44


42/44

The variables in the left-hand matrix are transaction history and

number ofmicrotransactions. Variables in the right-hand matrix arethe number ofmicrotransactions andasatisfaction index.

Satisfaction index couldindicate the average transaction history of

the customers in a category, ora quantitythatthe trustedinterme-

diarydetermines based on the satisfaction reportit has from itscustomers.

A merge operatorin this case couldbe one thatuses the matrix on

the right-hand side to lessen the verification riskusedbythe matrix

on the left-hand side.


43/44


44/44

CONCLUSION

The alternative approach presented here offers awayto verify

transactions, while avoiding the unnecessary computation costs

of verifying every transaction.

Possibilities forfuture workalong these lines include the study of

attacks made viaanonymous operation andthe study ofcorrec-

tive andpreventive methods forrecovery andsurvival.

trust metrics and models

Documents