# trust propagation using cellular automata for ubicomp 28 th may 2004 —————— dr. david...

Post on 13-Jan-2016

212 views

Embed Size (px)

TRANSCRIPT

Trust Propagation using Cellular Automata for UbiComp

28th May 2004

Dr. David Llewellyn-Jones, Prof. Madjid Merabti, Dr. Qi Shi, Dr. Bob Askwith

School of Computing and Mathematical StatisticsLiverpool John Moores UniversityJames Parsons BuildingByrom StreetLiverpool, L3 3AF, UK

{D.Llewellyn-Jones, M.Merabti, Q.Shi, R.Askwith}@livjm.ac.ukhttp://www.cms.livjm.ac.uk/PUCsec/

ProblemTraditional security applied toIndividual computers

Domains of computers

Improved by allowing multiple computers to work togetherParticularly relevant in a UbiComp environment

TrustHow can a large number of loosely affiliated devices trust each other?We propose a simple, scalable method for propagating trust in a UbiComp environment

Example using direct connections

TrustIf a does not trust b, it is useful to propagate this informationDeveloped to allow distributed analysis of components for maintaining securityCould be usedto ensure correct analysis of components (is b returning correct results?)to prevent viruses spreading (does b have a virus?)to improve privacy through encryption (is b encrypting data?)

SolutionWe use a system of cellular automata to maintain and propagate trust information around the network

What are cellular automata?Studied mathematically, e.g. by John von Neumann (1949), Stephen Wolfram (1983)Used to discretely model differential equations and real world systems

Each cell has a state and transition functionA cell applies its transition function to its state and the state of the cells around itEvery cell does this at each step

Cellular AutomataImportant properties:Cells only need to know about a small neighbourhood e.g. adjacent cellsTransition functions are very simpleWith many cells, produces complex emergent behaviourThe whole is more than the sum of its partsExample: Conways Game of Life

Cellular AutomataImportant properties:Cells only need to know about a small neighbourhood e.g. adjacent cellsTransition functions are very simpleWith many cells, produces complex emergent behaviourThe whole is more than the sum of its partsExample: Conways Game of Life

Cellular AutomataImportant properties:Cells only need to know about a small neighbourhood e.g. adjacent cellsTransition functions are very simpleWith many cells, produces complex emergent behaviourThe whole is more than the sum of its partsExample: Conways Game of LifeCreated by John Conway in 1970Studied by mathematicians and computer scientistsVery simple rules, but complex result

Cellular AutomataHow can we use cellular automata?Each node in the UbiComp environment represents a cell of the cellular automatonEach node executes a simple transition functionWe want to harness the complex emergent properties to manage and distribute the trust information

The Game of Life network

Cellular AutomataFor an effective system, we must choose the correct transition functionThis will determine the emergent behaviour

Emergent BehaviourA security breach causes a reduction of the trust in the nodeThe effect is like pulling down on an elasticated blanket This localises the effect of a security breach

Generating NetworksNetworks are normally far more complex than nodes arranged in a gridFor an effective system, more complex structures must be consideredTransition function is updated to handle such structuresExperiments used the Klemm-Eguluz method for generating a network topologySmall-World graphSmall average distance between nodesHigh clustering coefficientScale-free networkSatisfies power-law connectivity distribution

Experimental resultsMalicious code propagation experimentMalicious code reproduces itself to neighbouring nodesSome nodes are able to detect the malicious codeNodes only spend a certain proportion of time checking for malicious codeIf detected, the nodes trust is adversely affectedExperiment details19600 node Klemm-Eguluz networkControl experiment: same network but no Cellular Automata effectInitially malicious code added to five random nodesExperimental run of 2000 cycles

Experimental results100% enabled, fast propagation

Experimental results85% enabled, fast propagation

Experimental results85% enabled, fast propagation, 20% active

ConclusionInitial tests show that trust can be effectively propagated using cellular automata techniques

The process relies on the emergent properties of the systemThere is little theory properly relating transition functions with emergent properties in a network environment

We hope to use the system described to allow distributed code analysis in a UbiComp environment

The EndThankyou for your time

www.cms.livjm.ac.uk/PUCsec

This is a different game of life!This is a photograph of John Conway. Hes also a Liverpudlian!Like most cellular automatons, the Game of Life takes place on a grid. Each cell on the grid has its own individual state.In the game of life the state is a binary variable: the cell is either alive or dead.At each discrete time step, the state is updated using a transition function.In Life, the transition function takes the form of three simple rules. We will look at these rules in the next few slides.

This is a close up of the grid. In the above image, live cells are depicted using colour (either red or green) whilst dead cells are left white.We will consider how the rules for Life apply to the cell in the centre of the image.Rule 1: If a cell is dead, but is surrounded by exactly 3 live cells, then it will become alive...

Rule 1: If a cell is dead, but is surrounded by exactly 3 live cells, then it will become alive.Rule 2: If a cell is alive, but is surrounded by 1 or fewer live cells, then it will get lonely and become dead...

Rule 2: If a cell is alive, but is surrounded by 1 or fewer live cells, then it will get lonely and become dead.Rule 3: If a cell is alive, but is surrounded by 4 or more live cells, then it will get claustrophobic and become dead...Rule 3: If a cell is alive, but is surrounded by 4 or more live cells, then it will get claustrophobic and become dead.Thats all of the rules that define the transition function for Life.Now well look at what happens when you apply these rules on a larger grid.We run the pattern shown over a number of steps. Starting with this simple pattern......we find that a much more complicated pattern emerges. The simple rules of life can create very complex results.However, the result here looks somewhat random. Other patterns produce clearer results.This pattern is called a Glider. When the Game off Life rules are applied, it will appear to move diagonally across the grid......here we see it a little later on.Obviously you dont get the full effect with screenshots. You need to download the executable version of these slides!This is a very famous pattern known as a Shooter. When the rules are applied, it produces a continuous stream of gliders, as if they are being shot. This is an important pattern, since it disproved a conjecture by Conway that every pattern -- if run for a sufficiently long time -- would eventually become cyclic.This is the shooter a little later. You can see that a glider has appeared in the top right of the pattern. It will move diagonally up and to the left......and now another glider has appeared. Left to its own devices, itll carry on like this forever, producing more and more gliders.The equations determine the transition function that we are going to use. The section outlined in red constitutes the state for each of our cells. It is made up of three rational numbers (floating point values).The three equations marked in red constitute the actual transition function.We consider the effect of this transition function.Unlike the Game of Life which was placed on a grid with cells, we consider our function applied to a grid of nodes with links between them.The nodes oscillate up and down. Green nodes are considered active whereas the blue nodes are inactive. To use the example of a virus checker, an active node would be a node currently running its virus check software. An inactive node would not be checking for viruses.Active nodes cause an upward force to be applied to the node. Inactive nodes cause a downward force to be applied.Nodes that are below the zero mark become active, so that the node moves upwards again. After a certain point it will then become inactive and the node will begin to descend.This can be seen more clearly from the side. Except that this is just a screenshot, so you cant see the movement here.If a node detects a security breach (for example, it might discover a virus) it will lose trust in the surrounding nodes.If the level of trust manifests itself as a downward force on the node......so that if a node does not trust its neighbours, it will cause itself and the nodes around it to be pulled downwards.Notice that, because they are all below zero, all of the nodes around the breached node are active. This causes a security barrier around the node.Over time, if there are no more security breaches, the node will gradually regain trust and so will return to its original position......until everything is back to normal again.This is the effect again, taken as a screenshot from our simulation.Converting the nodes back into a grid again (the right hand picture) shows how a barrier of active nodes is formed.Here, all of the nodes are capable of becoming active (e.g. they all have virus checkers).The results show how the trust enabled simulation was successful compared to the control.Here, only 85% of the nodes are capable of becoming active (e.g. 15% do not have any virus checker).The results show how the trust enabled simulation was successful even when some nod