Trust Management Issues for Ad Hoc and Self-organized Networks

Transcription

1 Trust Management Issues or Ad Hoc and Sel-organized Networks Vassileios Tsetsos, Giannis F. Marias, and Sarantis Paskalis Pervasive Computing Research Group, Dept. o Inormatics and Telecommunications, University o Athens, Panepistimiopolis, Ilissia, GR-15784, Athens, Greece Tel.: ; Fax: {b.tsetsos, paskalis}@di.uoa.gr, marias@mm.di.uoa.gr Abstract. Sel-organized and ad hoc communications have many undamental principles in common and also ace similar problems in the domains o security and Quality o Service. Trust management, although still in its irst steps, seems capable o dealing with such problems. In this paper we present an integrated trust management ramework or sel-organized networks. In addition, starting rom our experience with the presented ramework, we indicate and discuss important research challenges (among them interoperability and integration issues) or the uture evolution o the trust-based autonomic computing paradigm. We argue that ontologies can address many o these issues through the semantics they convey. Keywords: Trust management, ad hoc networking, ontologies, interoperability. 1 Introduction Pervasive Computing envisages computing environments with ubiquitous connectivity among the deployed devices and provision o advanced intelligent services. As this vision comes closer to realization, new computing and communication models are deemed as necessary or the eicient handling and perormance o the participating complex systems. Autonomic Communications may be one possible solution towards the next generation o large-scale networking. A case where the autonomic paradigm can be applied, is the well-known ad hoc networking paradigm. This is a special case, since ad hoc networks impose many more challenges (in all relevant computing domains) than the inrastructure-based ones. In act, there is strong relevance between mobile ad hoc networks (MANETs) and autonomic computing and communications (ACC) which is based on their undamentally dynamic nature. Thus, the issues addressed in this paper concern both MANET and ACC paradigms. Security, as well as Quality o Service (QoS), issues have been well studied in existing networked systems. Such issues also arise in ACC and MANET systems, however, their handling, in general, diers rom that o current systems. The special characteristics o ACC impose new security threats and risks that the uture security The original version o this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: / Corresponding author. I. Stavrakakis and M. Smirnov (Eds.): WAC 2005, LNCS 3854, pp , Springer-Verlag Berlin Heidelberg 2006

2 154 V. Tsetsos, G.F. Marias, and S. Paskalis mechanisms should take into account. In particular, the sel-optimization principle o autonomic systems, i applied in an entity/element- and not a system-basis, can lead to increased competitiveness and, thus, reduced reliability o the overall system s behavior. For example, such sel-optimization could dictate the individual communicating entities to behave maliciously or in a selish manner. In an open autonomic environment, entities, inormation assets, data communications and robustness are subject to the ollowing threats: Attacks on the authenticity o entities, such as impersonation and Sybil attacks [1]. Attacks on the privacy o communication lows, such as passive eavesdropping, or even sinkhole and wormhole [2], traic analysis, with an objective to disclose the exchanged data and the identity o communicating entities. Attacks on entities or resources availability, such as denial o service attacks, materialized through sleep deprivation torture, looding and active interering, or even attacks on the network perormance, through selish nodes. Attacks on the integrity o the inormation assets through unauthorized alteration o distributed IT resources and o stored or exchanged data. As it has already been identiied [3], one o the most promising, though challenging, mechanisms to address both security and QoS risks in ACC is the trust establishment, evaluation and management between the cooperating entities. One o the core processes involved in the trust evaluation process is the reputation management, where cooperating entities exchange their experiences and recommendations about third parties. Trust is a sot-security method in contrast to hard-security methods such as certiicate-based authentication and Public Key Inrastructures (PKI). The main advantages o sot-security are that it requires less ormal inormation about the cooperating entities and it does not assume any inrastructure to be available. Since these are undamental assumptions o the ACC and MANET paradigms, it seems quite reasonable to exploit trust mechanisms in such systems. Thus, rameworks that provide sel-protection o the distributed inormation assets, entities authenticity, and resource availability are considered essential. Since ACC speciies a sel-evolving paradigm such sel-protection rameworks will be situationdriven. Nodes and entities should react consistently and correctly to dierent situations [4] based on high level policies. In the irst part o this paper, we present ATF (Ad hoc Trust Framework), a lightweight ramework or trust management in selorganised networks, like MANETs. This ramework is designed so as to detect selish, malicious or unreliable behavior o communicating network nodes and provide eedback to the various services o each node on how to assess the trustworthiness o the corresponding services o other peers. ATF is lightweight in the sense that it does not perorm extensive risk and behavior analysis or trustworthiness assessment, nor does it include a reasoning service capable o adapting the systems behavior with respect to other nodes behavior and alternative strategies. Additionally, it does not involve computationally heavy security tasks, such as key generation, key agreement and cryptography. This simplicity allows its application in real systems with minor integration eort ( see also Section 4). In the second part o the paper, we discuss some design aspects o trust systems with respect to the ACC vision. Based on our experience with ATF design, we indicate some challenging research areas. Among them is the interoperability between heterogeneous trust-aware ACC entities, the design o trust policies and the semantics o trust. In addition, being amiliar with

3 Trust Management Issues or Ad Hoc and Sel-organized Networks 155 semantic knowledge representation and engineering we oresee many applications o ontologies in these areas and we outline some possible ways or their contribution. 2 Architecture o the ATF ATF is based on a distributed and modular architecture. Each o the modules resides in every node and perorms a well-deined set o actions to evaluate the reputation o another node or to inorm others about the trustworthiness o third nodes. ATF incorporates sel-evidences, recommendations, subjective judgment and historical data to evaluate the trust level o other nodes. These elements are the inputs to a trust computation model. The model also consolidates, among others, user s natural behavior, through the designation o a user-oriented Trust Policy. Such policy deines the parameters that will inluence the trust computation process. The ATF architecture is depicted in Fig. 1 and consists o the ollowing components: Trust Sensors (TS), Trust Builder (TB), Reputation Manager (RM) and Trust Policy (TP). Every node implements these components. Every node also provides a number o typical communication unctions (i.e., services) such as packet orwarding, routing, naming, etc. In general, as unction can be considered any service or application provided by a node. Moreover, every node implements a special virtual service, called Recommendation Function (RF), which provides recommendations or speciic nodes to third parties (this unction is implemented by RM). ATF adopts the deinition introduced in [5] or the reputation o a node s unction, which is deined through the triplet: Reputation = {NodeId, Function, Trust Value}. Thus, the reputation o a unction o node i is deined as R(i,)= {i,, TV i, } with TV i. being the Trust Value (TV) or the unction o node i. This value is updated through direct evidence, recommendations and subjective criteria. Beore proceeding, it is necessary to provide the nomenclature that will be used hereater (see Fig. 2). We use the term detector to denote a node that directly monitors the behavior o another node s unctions, called target. A requestor is a node that asks or recommendations, which are issued by recommenders. Neighborhood is the set o all adjacent nodes. Detector monitors unctions Target Trust Matrix Trust Builder Trust Policy (a) (b) Requestor about Target TS1 TS2 TSn Reputation Manager Requests recommendation monitors unctions Network Stack Fig. 1. ATF architecture Recommender Fig. 2. Trust entity model (a) direct monitoring scenario, (b) recommendation-based scenario

4 156 V. Tsetsos, G.F. Marias, and S. Paskalis Trust Sensors (TS). The majority o the proposed reputation systems agree that the most signiicant actor or trust building is the direct experience (or direct evidence). In the SECURE project [6], this evidence monitoring is perormed independently by each node through a Monitor [8] which logs every activity in an Evidence Store. In [8] a Watchdog mechanism is proposed as an observation device or routing behavior o nodes participating in ad hoc networks. The proposed mechanisms are usually unction-speciic. For example, monitoring the packet orwarding unction o an adjacent node is dierent, in terms o unctionality and semantics, rom monitoring the routing service. ATF is based on TSs to detect direct evidences. A TS operates similarly to common sensors: translates a physical phenomenon or behavior in a machine interpretable orm. In our case this phenomenon is the trustworthiness o a node. A TS monitors the behavior o an adjacent node, on behal o its housed node, and compares this behavior to a predeined reerence attitude, (i.e. expected unctionality). In that sense, the ATF scheme uses TSs to assist a node to deine the credibility o others. The proposed generic methodology consists o the ollowing: Deinition o a conceptual model o a node s expected unctionality. This model is, generally, in close relationship with the observation methods selected (as discussed below). For example, i the observation method is pattern recognition and analysis, the expected unctionality would be expressed in terms o acceptable patterns. Deinition o the observation methods/mechanisms. Possible realizations include the pattern analysis o logs, messages overheard through promiscuous mode o operation, return codes o remote procedures, etc. The observation method is dependent on the unction that a particular TS is supposed to monitor. Quantiication o the dierence between the observations and the expected unctionality. An intuitive and easy-to-implement approach to this issue is the categorization o observations to Successes and Failures relating to the expected unctionality. The number o successes and ailures eventually leads to the quantiication o the actual direct evidence. At this point we should mention a special-purposed trust sensor o ATF that evaluates the trustworthiness o a node regarding its recommendation unction. RFTS (Recommendation Function Trust Sensor), as any other TS, compares the observations, i.e., recommendations received or a target node, with the direct evidence o that node. I these values dier signiicantly the trustworthiness o the respective recommenders regarding their RF is decreased. In addition, a testing mechanism can decrease the impact o lying recommenders as ollows: in regular intervals a requestor requests recommendations or particular unctions o target nodes or which it maintains a large number o interactions in the recent past. The requestor increases or decreases the trustworthiness o the recommenders RF, according to the deviation between these two values (direct evidence and recommendation). Trust Builder (TB). This component computes the TV o other nodes unctions. In particular, it computes the TV o the nodes with which there is established interaction or intention or cooperation. All these TVs lie in the Trust Matrix, which is consulted by applications and other system/network services, and the role o the Trust Builder is to maintain and update this matrix. The actual TV computation depends on several actors and is described in Section 3.2. Factors such as, interaction history and direct

5 Trust Management Issues or Ad Hoc and Sel-organized Networks 157 evidence may introduce high certainty or a node s behavior, whereas recommendations might have less contribution. The weighting o these actors should be deined ater extensive simulations and expressed through a Trust Policy. Reputation Manager (RM). The RM role is to manage the recommendations exchange procedure (i.e., to provide recommendations rom other nodes to the TB in order the latter to compute the TVs, and to give recommendations about third parties). In an on-demand schema, originator requests recommendations or a target node when it has insuicient experience with it. Thereater, RM selects the nodes to contact (recommenders) in order to obtain requested values. These should be as close as possible to the originator in order to minimize communications overhead, but should also be rated as good recommenders (i.e., the originator has a high TV or their recommendation unction). When recommendations arrive, the RM aggregates them and returns a single value to the TB. When a recommender receives a request or recommendation, its RM contacts TB and obtains the DE (see Section 3.2) or the requested unction o target node, i any. Next, the recommender returns this value to the requestor node (see Fig. 2b). RM could be also responsible or inorming other nodes whenever the TV o a unction o a node is rapidly changing. In this eventdriven schema, TB triggers RM upon trust value changes and RM inorms the other nodes (e.g. through looding or multicasting). Trust Policy (TP). As already mentioned, each node maintains a Trust Policy (TP); a set o parameter values, which can ully deine the unctionality o its Reputation Manager and Trust Builder. In the current version o our model such policy is quite simple, but in the uture will be enriched with more advanced eatures that enable trust strategy deinition and enorcement. 3 Trust Computation Model 3.1 The Qualitative Perspective The majority o the trust computation approaches acknowledge that two main components should be taken into consideration: Direct Evidence (DE) and Recommendations (RECs) rom third parties. The DE is calculated based on TSs eedbacks and is useul or evaluation o adjacent nodes unctionality. RECs are communicated between the entities participating in the trust network, according to a reputation dissemination protocol, implemented in RM. The proposed scheme incorporates several user-deined time-dependent weights. Time-dependence is important, since it allows the modelling o temporal trust strategies, which can be ollowed by the participating nodes. Additionally, the weights are deined separately or each node in its Trust Policy (TP). For the ATF scheme, time is treated as a discrete sequence o direct interactions between the nodes. Thus, time elapses in a dierent rate or every separate node. We use only direct interactions as a time reerence, since they are generally regarded more important than the indirect ones (recommendations) or the trust building process. Moreover, interactions can be categorized to positive and negative (according to the success/ailure model incorporated by each TS) to enable lexible computation o trust.

6 158 V. Tsetsos, G.F. Marias, and S. Paskalis Socio-cognitive approaches to trust [9] imply that trust computation should also include a subjective component, since each node has a unique, subjective, way to trust others. Here, we adopt this approach, and a separate Subjective-actor component (SUB) is introduced in the trust computation model. This component is timedependent, as well, so as to enable time-variant trusting behaviour o nodes (e.g., a node may want to trust a newcomer node only up to a point, until it establishes a speciic number o successul interactions with it). SUB is deined in the TP o each individual node, and can model typical trust characters, such as unwary, suspicious, unbeliever, etc. This component provides lexibility in the trust strategy o a user, without imposing signiicant complexity in the overall trust computation. History is an additional concept that has drawn attention in the trust community. Several researchers use history as an implicit component in the trust computation. Some assign speciic weight to past observations or recommendations in order to provide stable and smoothed TV luctuation [10]. Others assign minor weights to evidence (direct or indirect) received in the past to allow or reputation ading [11]. Even i the irst approach seems more suitable or trust modeling, the scheme proposed here can support both policies. In the ollowing paragraphs a detailed description o how the TB manipulates all the aorementioned actors is provided. 3.2 The Quantitative Perspective This section describes the mathematical ormulae or the proposed trust computation model. The trust time (T), as already mentioned, counts the directly observable interactions. We monitor the temporal evolution o every unction and node, so this time scale is represented as matrix o size NxF, where N is the number o nodes in the network, and F corresponds to the overall number o supported unctions. T ( T ) N, where n = 1... N, = 1... F n, Each node should have at least one time matrix. Each time the outcome o an interaction (success or ailure) with a node s unction is captured, the corresponding element o the detector s time matrix is increased by one unit. Each detector maintains a NxF Trust Matrix (TM), representing the TV that the node computes per monitored unction o a target node. Each element TM n, (1 n N and 1 F) reers to a speciic unction o a particular node n, and it varies with time. The ormulae or TM and TV are: TV ( n,, t) = TV ' u(1 TV ') + u( TV ' 1) TV ' TV '( n,, t) = [ a DE + (1 a) REC ] SUB ( t), t = T DE n, n, n, n, TM ( TM ), TM = TV ( n,, t) [0,1] n, n, [0,1], REC [0,1] and SUB n, ( t) [0,2] n, n, Thus, TV [0,2], as well. In order to map the TV values within the [0,1] interval we use a unit step unction u(t) (see Eq. 1) to normalize TV into the inal TV. The range o TV(n,,t) is [0,1], where 0 declares distrust or a speciic unction o a target node n, and 1 declares complete trust in n or.

7 Trust Management Issues or Ad Hoc and Sel-organized Networks 159 0, t < 0 ut () = 1/2, t= 0 1, t > 0 DE n is the DE or a target node n and its unction, as observed by the corresponding TS o the detector. The elements o the DE matrix are deined as: DE t) = w TS ( n, ) + (1 w) A ( DE ) and TS( n, ) {0,1} n, ( H n, A 0 value o TS indicates Failure, while 1 denotes Success. The coeicient w adjusts the weights assigned to recent and historical DE values and the A H is an average o the last H DE values. REC n, stands or the aggregated recommendations we have or the unction on node n rom third parties. These recommendations are third parties DEs. We also keep the history o RECs received. Thus, each node has a NxF matrix, with elements: REC ( t) = w NEWREC ( n, ) + (1 w) AH ( REC n, n, NEWREC is the more recent REC. The SUB component o the TV computation ormula incorporates the node s subjectivity, as discussed in the previous subsection. SUB is a NxF matrix with elements in the { : T [0,2]} domain. Thus, its elements are time-unctions. The range [0,2] allows the detector to distrust (i.e. value 0) the target node, trust it (i.e. value 1), be enthusiastic about the target node (i.e. value 2) or develop any other intermediate orm o subjective trust strategy. We have chosen the value 2 as an upper bound to prevent enthusiastic nodes rom endangering the network s rationality. An example SUB time-unction could be deined as: SUB n, ( t) = u( t 20), t = Tn, This unction indicates that no matter what DEs or RECs a requestor node has or a target unction, it will not trust it until twenty direct interactions have been observed. We should remind that all parameters involved in the present model (including SUB) are deined in each node s trust policy. We have evaluated the perormance and quality o the proposed ramework in [25]. This evaluation showed that the on-demand recommendation requests and the corresponding responses introduce small communication overheads. Moreover, simulations showed that ATF enables peers to rapid identiy the trust values or unctions provided by peer nodes (e.g., orwarding). Thus, ATF provides suicient means to air nodes or rapidly identiying and isolating selish nodes. ) (1) 4 Integration and Interoperability Issues Trust management or ACC and MANET systems raises, as happens with every new computing paradigm, questions regarding its seamless integration with current network protocol stacks. In particular, one should deine how the introduction o trust aects the architecture and operation o current services and identiy potential diiculties or problems during such integration.

8 160 V. Tsetsos, G.F. Marias, and S. Paskalis In general, three types o modiications are needed or such integration (see Fig. 3): 1. Introduction o a trust plane. This is a vertical plane similar to the user/control and management planes o other networking speciications. It includes all the necessary components in order to assess trust o third entities: sensing mechanisms, policy-driven evolution o trust, interaction memory etc. Trust plane operates also as a broker since it disseminates to all other interested layers the observations o each speciic layer. For example, it may give eedback to the networking layer (i.e., routing) about the physical layer operation o peer entities. 2. Recommendation exchange through a trust protocol. Such protocol could be implemented in the application layer and is responsible or the request and receipt o recommendations (i.e., in ATF it would be part o the Reputation Manager). 3. Trust-aware versions o current protocols. The observations collected by the trust plane or the recommendations collected through the trust protocol should somehow aect the operation o the network stack. This can be only perormed i the protocols support trust-driven reconigurability. The trust plane is a distributed entity, residing in each node and dealing with trust management issues. It is similar in nature to the knowledge plane proposed in [24]. The similarities consist o the autonomic and distributed nature o the planes, and the subjective approach the proposed constructs ollow. The trust plane, however, imposes harder design requirements. In addition, the representation and reasoning o trust entities and relationships is strict and the operation o the whole autonomic systems network is very sensitive to any weak interpretation o trust. A good example o a trust-aware, sel-adapted and reconigurable protocol is the sotware radio [12]. Speciically, sotware radio serves as a radio communication system technology that uses sotware or the modulation and demodulation o the signal. The use o sotware is not only cost-beneicial; it releases the physical layer rom the tight hardware integration. That is, the interace to the physical layer is no more a ixed hardware interace, but a set o interaces provided by the deployed sotware. The net result is that the physical layer can be altered to any supported protocol by simple sotware redeployment triggered by the trust plane. In general, the protocol adaptations may be as minor as a parameter tweaking or as major as a complete operation protocol swap in cases o ully autonomic operation [13]. Application Layer TApplication Layer Trust Protocol TApplication Layer Transport Layer Network Layer Link Layer Trust Plane TTransport Layer TNetwork Layer TLink Layer TTransport Layer TNetwork Layer TLink Layer Trust Plane Physical Layer TPhysical Layer TPhysical Layer (a) (b) Fig. 3. (a) Traditional network stack (b) New stack elements imposed by incorporation o trust (bold text in igure)

9 Trust Management Issues or Ad Hoc and Sel-organized Networks 161 One problem o such extended reconigurability is the extensive management overhead required and the interoperability issues raised when nodes with dierent protocol conigurations wish to communicate. In general, an autonomic network may sooner or later evolve to a collaboration domain o heterogeneous nodes. This is in contrast to the traditional networking paradigm, where all nodes adhere to strict standards (e.g., SSL, RSVP) in order to stay connected. Such paradigm, although is typically simpler to implement, imposes a major restriction to the network: the nodes should not dierentiate regarding their interaces or protocols. This restriction aims, besides the obvious co-operation simplicity, at the preservation o service and protocol semantics that describe their messages, parameters and interaction sequences. Obviously, this way o inter-networking is not suitable or lexible autonomic networks. In such networks, the nodes in order to continue collaborating should adhere to some common interoperability rules. This is a sot-standardization approach in opposition to the abovementioned hard-standardization one. A good enabler or such interoperability rameworks are the ontology-based knowledge management acilities. These have recently met wide acceptance by the research community as a means to introduce Artiicial Intelligence techniques into practical applications. The most popular initiative in this discipline is the Semantic Web [15]. Ontology [16] is a terminology shared by all parties interested in an application domain (e.g., networking engineers, companies and orums). Apart rom the taxonomy o the concept model o interest, an ontology also contains restrictions and ormal axioms relevant to this model. Towards the vision or sot-standardized interoperability ontologies can be utilized as protocol hierarchies where a protocol is classiied under a class i it satisies its necessary (and suicient) conditions. Such conditions may, or example, involve existence o protocol parameters or restrictions on parameter values. In general, every discrete protocol coniguration can be mapped to an ontology class. The classiication perormed by reasoning engines on the ontology instances can iner compliance or not between the various protocols. Similar approaches or integration have been already exploited in other domains, such as network management [17]. 5 Other Issues Trust Semantics. Another aspect that is more technical but closely related to interoperability is the clear deinition o trust semantics. For example, autonomic systems developed in dierent domains may not represent their trust values using the same representation orms. As a simple scenario consider a system A that assesses trustworthiness using real numbers in the range [0,1] (i.e., what ATF does), a system B that uses integers in the range [1,12] and system C that uses uzzy set theory in order to translate its observations to symbolic values. Apparently, unless we map each system s values to a commonly-adopted trust value reerence system, these systems will not be able to communicate their trust-related inormation. Such mapping entails the careul speciication o semantics or each involved trust value system. This problem can be also addressed by ontology-based knowledge representation, since ontologies are the ideal candidate or playing the role o such reerence system.

10 162 V. Tsetsos, G.F. Marias, and S. Paskalis The interacting systems should align their trust models with the conceptual trust model o the reerence system. Furthermore, through such alignment, the semantics o the reerence system are assigned to each speciic trust model. This can be o great value, since the axioms and restrictions described in this reerence trust ontology are automatically inherited by the speciic models and can be exploited or advanced trust reasoning. Some interesting trust reasoning techniques utilizing semantic (web) technologies are presented in [18][23]. Trust Policies. From the initial research steps o ACC, policies have been recognized as a means or allowing sel-organization o systems adhering to some predeined rules. Modern policy management has become quite ormalized. Hierarchical policy architectures are proposed [21][22] that use distributed policies in hierarchical environments (grids, storage, ad hoc networks, etc.). The evolution o policy management divides the policy liecycle into separate building blocks, which can be modiied independently. This ability creates new opportunities to experiment and evaluate dierent policy schemes in the deinition stage, in the enorcement stage or in any other in-between stage. The introduction o multi-level policy architectures might play a signiicant role in the uture o autonomic computing. Multi-level policies may bear a hierarchical or even a mesh structure, depending on the complexity o the acility and the speciic need o the situation. In hierarchical policy architectures, a grand policy sets the basic rules and more speciic policies apply to speciic tasks. Ater speciying the policy architecture, the policy deinition will likely be a major ield o innovation and experimentation. For example, advanced tools such as stochastic processes could be involved to randomize and, thus, conceal the trust-based decision making processes rom potential enemies/attackers. Moreover, elements o game theory can be exploited to optimize the perormance in such environments, where conlict o interest is apparent (in [14] trust management is described as a strategy game). Nevertheless, the complexity o the solutions will be a major actor to the acceptance or not o the inal scheme. For the implementation and enorcement o rule- and logic-based policies Semantic Web technologies (i.e., ontology languages) can be used. In act many modern policybased trust systems [19][20] have adopted such technologies due to their rich expressiveness, tractability (i.e., low computational complexity) and developer community adoption. However, exploiting ontologies or expressing policy rules implies that we have already established well-deined semantics or trust itsel. Finally, regarding the reasoning behind policy enorcement and trust assessment, while cognitive-evolutionary approaches may seem suitable or construct with overwhelmingly many parameters, such as the trust plane and trust policy, their relaxed reasoning could lead to security compromises in any unoreseen lapses. On the other hand, a ull-knowledge, strict-reasoning approach is probably utopic given the complexity o the issue. Hence, the most likely path would be to accept the possible trust breach o a subset o the connected systems and put eort on isolating the identiied malicious systems. To accomplish this sel-healing task, eatures such as redundancy, anomalies detection and sel-reconiguration are necessary.

11 Trust Management Issues or Ad Hoc and Sel-organized Networks Conclusions Trust-based communications is a key element o sel-organized systems, as they enable advanced interaction models, even between unknown entities. We described a lightweight trust ramework, suitable or ad hoc communications that incorporates direct evidence, recommendations, history and subjective actors, in order to evaluate the trustworthiness o peer nodes. Such model requires several modiications to the current system architectures, which in their turn aect the interoperability o nodes. We discussed such integration and interoperability issues, as well as other issues related to trust-aware sel-adaptable systems. Finally, we believe that ontology-based knowledge representation can clariy the semantics o such systems and, thus, we outlined some options towards this direction. As a uture work, we aim to urther investigate the coupling o ontologies and trust rameworks in order to propose more speciic solutions to the issues discussed in this paper. Acknowledgement This work was perormed in the context o the project entitled "PYTHAGORAS: Support o Universities research groups co-unded by the Operational Programme or Education and Initial Vocational Training (O.P. "Education") and the European Social Fund. Reerences 1. Douceur, J.: The Sybil Attack. In Proceedings o the First International Workshop on Peerto-Peer Systems (IPTPS '02), Cambridge, MA (2002) 2. Perrig, A., Hu, Y-C., Johnson, D. B.: Wormhole Protection in Wireless Ad Hoc Networks, Technical Report TR Dep. O Computer Science, Rice University (2001) 3. EC Directorate F, IST Framework, Future and Emerging Technologies, Situated and Autonomic Communications (COMS) - Communication Paradigms or 2020, available at 4. Chess, D. M., Palmer, C. C., and White, S. R.: Security in an autonomic computing environment. IBM Systems Journal, Vol. 42, No 1 (2003) 5. Abdul-Rahman, A., Hailes, S.: A Distributed Trust Model. in Proc. New Security Paradigms Workshop, ACM (1997) 6. Marti, S., Giuli, T. J., Lai, K., Baker, M.: Mitigating routing misbehaviour in mobile ad hoc networks. in Proc. o Mobicom2000, Boston, USA (2000) 7. Cahill, V. et. al.: Using Trust or Secure Collaboration in Uncertain Environments. IEEE Pervasive Computing, 2(3) (2003) English, C., Terzis, S., Nixon, P.: Towards Sel-Protecting Ubiquitous Systems: Monitoring Trust-based Interactions. Journal o Personal and Ubiquitous Computing, (2005), to appear 9. Castelranchi, C., Falcone, R.: Trust is much more than subjective probability. Mental components and sources o trust. HICSS33, Hawaii (2000) 10. Michiardi, P., Molva, R.: CORE: A collaborative reputation mechanism to enorce node cooperation in mobile ad hoc networks, in Proc. 6th IFIP Communications and Multimedia Security Conerence, Portorosz, Slovenia (2002)

12 164 V. Tsetsos, G.F. Marias, and S. Paskalis 11. Buchegger, S., Le Boudec, J-Y.: A Robust Reputation System or P2P and Mobile Ad-hoc Networks. in Proc. Second Workshop on the Economics o Peer-to-Peer Systems (2004) 12. Sotware-deined radio orum, IST End-to-End Reconigurability Project E2R, Jøsang, A.: The right type o trust or distributed systems, in Proc. o Workshop on New Security Paradigms, Caliornia, USA (1996) 15. Berners-Lee, T., Hendler, J., Lassila, O.: The Semantic Web, Scientiic American (2001) 16. Gomez-Perez, A., Corcho, O., Fernandez-Lopez, M.: Ontological Engineering: with examples rom the areas o Knowledge Management, e-commerce and the Semantic Web, Springer (2004) 17. López de Vergara, J. E., et al.: Semantic management: Application o ontologies or the integration o management inormation models, IM th IFIP/IEEE International Symposium on Integrated Network Management, vol. 9, no. 1, March 2003, pp Golbeck, J., Parsia, B., Hendler, J.: Trust networks on the semantic web, Proceedings o Cooperative Intelligent Agents (CIA), Helsinki, Finland (2003) Kagal, L., Finin, T., Joshi, A.: A Policy Based Approach to Security or the Semantic Web, 2nd International Semantic Web Conerence (ISWC2003), Florida, USA (2003) 20. Tonti, G., et al.: Semantic Web languages or policy representation and reasoning: A comparison o KAoS, Rei, and Ponder. International Semantic Web Conerence (ISWC 03), Florida, USA, Verma, D. C.: Policy-Based Networking Architecture and Algorithms, New Riders (2000) 22. Neisse, R.: An Hierarchical Policy-Based Architecture or Integrated Management o Grids and Networks. Fith IEEE POLICY Workshop, New York, USA (2004) 23. Semantic Web Trust and Security Resource Guide, SWTSGuide/ 24. Clark, D., Partridge, C., Ramming, J.C., Wroclawski, J.: A Knowledge Plane or the Internet. SIGCOMM 03, Karlsruhe, Germany (2003) 25. Marias, G., Tsetsos, V., Sekkas, O., Georgiadis, P.: Perormance evaluation o a selevolving trust building ramework. IEEE SECOVAL Workshop, Athens, Greece (2005)