Daniele Quercia and Stephen Hailes
CS department
University College London
{d.quercia,s.hailes}@cs.ucl.ac.uk
Risk Aware Decision Framework for
Trusted Mobile Interactions
SECOVAL 2005
September 2005
D. Quercia and S. Hailes
Daniele
Quercia
Risk Aware Decision Framework for Trusted Mobile
Interactions
Outline
Mobile software concerns and
solutions;
Previous work on Trust
Management and Expected
Utility (EU);
Scenario;
Composing elements of the model;
Analysis of the model.
SECOVAL 2005
2
D. Quercia and S. Hailes
Daniele
Quercia
Risk Aware Decision Framework for Trusted Mobile
Interactions
Introduction
Mobile devices need to adapt to changing
context.
How? They load software (sw) components
from each other.
Problem: Security concerns when
loading sw components (e.g., viral
components and components not running
as expected).
SECOVAL 2005
3
D. Quercia and S. Hailes
Daniele
Quercia
Risk Aware Decision Framework for Trusted Mobile
Interactions
Conventional Solution
Devices accept only digitally signed sw
components. That’s acceptable as long as …
… #(sw providers) is low;
…  globally trustworthy Certification
Authority.
SECOVAL 2005
4
D. Quercia and S. Hailes
Daniele
Quercia
Risk Aware Decision Framework for Trusted Mobile
Interactions
Our Proposal
A device uses a local decision
framework to load software
components.
Such framework has desirable properties:
model decision-making under uncertainty;
integrate user’s risk attitudes;
compute risk probabilities from trust
mechanisms.
SECOVAL 2005
5
D. Quercia and S. Hailes
Daniele
Quercia
Risk Aware Decision Framework for Trusted Mobile
Interactions
Trust
Management Frameworks
Related Work –
Marsh: computational trust concept.
Abdul-Rahmal and Hailes: use of
recommendations.
Mui et al.: reputation concept.
formal trust model;
risk-based decision module.
SECOVAL 2005
6
D. Quercia and S. Hailes
Daniele
Quercia
Risk Aware Decision Framework for Trusted Mobile
Interactions
Related Work –
Expected Utility
(c) OUTCOME MATRIX
Take
Do not take
Umbrella
Umbrella
(a) ACTIONS
(b) STATES
No Rain Rain
No
Wet
No
Wet
No
Wet
(d) Probability Function:
State  Probability
(No Rain)
(Rain)
Wet
(f) Decision Rule
Max Overall Utility Function:
Action  Utility
SECOVAL 2005
(e) Elementary
Utility Function:
Outcome  Utility
u(Wet)
u(No Wet)
7
D. Quercia and S. Hailes
Daniele
Quercia
Risk Aware Decision Framework for Trusted Mobile
Interactions
Scenario: Secure Conference
While Alice conferences
on the move, her PDA
guarantees secure
communication across
1
all traversed space.
2
3
Abstract Situation
Alice
Component
Loader
Semantics, Timeframe
Details, Service Level
SECOVAL 2005
Bob
Component
Supplier
8
D. Quercia and S. Hailes
Scenario –
Elements
Daniele
Quercia
Risk Aware Decision Framework for Trusted Mobile
Interactions
Expected Utility
(c) OUTCOME MATRIX
(b) STATES
Do not
take C
(f) Decision Rule
Give up
Give up
Give up
Ask User
(e) Elementary
Utility Function
(a) ACTIONS
Take C
(d) Probability Function
CS
CS
CS
delivers C delivers C delivers C
within R1 within R2 within R3
Carry on
Carry on
with
Give up
seamleslimited
sly
disruptions
Alice
interacts
with GUI
Alice
interacts
with GUI
Alice
interacts
with GUI
SECOVAL 2005
9
Daniele
Quercia
Risk Aware Decision Framework for Trusted Mobile
Interactions
D. Quercia and S. Hailes
(f) Decision Rule
Ask User
Do not
take C
Take C
IN: - actions
- nearby component suppliers.
OUT: max of expected utility.
 action a and component supplier h, the
expected utility is
state probability
outcome utility
SECOVAL 2005
10
Daniele
Quercia
Risk Aware Decision Framework for Trusted Mobile
Interactions
D. Quercia and S. Hailes
(e) Elementary
Utility Function
o
value(o)
utility(o)
We determine the application dimensions (e.g.,
absence of disruptions, spared user time, security gap)
ith dimension importance factors:
• wi (user preferences);
• Di(o) (function of outcome and application).
Logarithmic elementary utility function (user
attitudes are risk-averse).
To enhance tractability, 2 order Taylor approximation
SECOVAL 2005
11
Daniele
Quercia
Risk Aware Decision Framework for Trusted Mobile
Interactions
D. Quercia and S. Hailes
(d) Probability Function
h(s): component loader’s belief that a certain state
s will take place when interacting with the component
CS
CS
CS
provider h. delivers
C delivers C delivers C
within R1
within R2
within R3
Component loader
receives Service Level= (dp, Confidence Level (CL))
computes each state probability (for a given h):
 We need  and  :  Trust and  CL  
Uncertainty   
SECOVAL 2005
12
D. Quercia and S. Hailes
Daniele
Quercia
Risk Aware Decision Framework for Trusted Mobile
Interactions
Discussion
Uncertainty is …
…source of risks;
…reduced through assurance (e.g, devices load only
provable authored software) and trust (e.g., devices
rely on trustworthiness assessments to make informed
decisions).
Assurance-based approaches are preferable, but not
always possible!
SECOVAL 2005
13
D. Quercia and S. Hailes
Daniele
Quercia
Risk Aware Decision Framework for Trusted Mobile
Interactions
Conclusion
We have proposed a conceptual model of decisionmaking for software component loading, which…
…integrates trust mechanisms and risk
assessment;
…consider user risk attitudes.
Assumptions to be relaxed:
constant risk-averse preferences;
normal distribution for probability function.
SECOVAL 2005
14