Visualization of Visualization of Automated Trust Automated Trust NegotiationNegotiation

Danfeng YaoDanfeng Yao Michael Shin Michael Shin Brown University Goldman Sachs Inc.Brown University Goldman Sachs Inc.

Roberto Tamassia William H. WinsboroughRoberto Tamassia William H. Winsborough Brown UniversityBrown University University of Texas, San University of Texas, San

AntonioAntonio

Supported in part by NSF grants CCF–0311510, IIS–0324846, CNS–0303577 and CNS-0325951

OverviewOverview

Introduction to two-party Introduction to two-party automated trust negotiation (ATN)automated trust negotiation (ATN)– Trust target graph (TTG) Trust target graph (TTG)

Design of the visualization Design of the visualization frameworkframework– Prototype implementation Prototype implementation

Example of a visualization sessionExample of a visualization session– Demo of our visualization program Demo of our visualization program

Monitoring the release Monitoring the release of sensitive of sensitive credentialscredentials Accessing protected resources requires Accessing protected resources requires

releasing digital credentialsreleasing digital credentials Credentials may be sensitiveCredentials may be sensitive

– Need to control the release of digital credentialsNeed to control the release of digital credentials– Trust Negotiation is an incremental, bilateral Trust Negotiation is an incremental, bilateral

exchange of credentials and policies between exchange of credentials and policies between resource owner and requesterresource owner and requester

Visualization of automated trust negotiation – Gives teaching and learning support for ATN users – Enables users to visually examine the ATN process– The combination of interactive visualization and

ATN improves the security of protected resources– We demonstrate that Grappa and GraphViz (AT&T) We demonstrate that Grappa and GraphViz (AT&T)

are suitable graph drawing systems for visualizing are suitable graph drawing systems for visualizing ATNATN

A simple trust A simple trust negotiation examplenegotiation example

Request for discount

Request UID

Request BBB

Send BBB

Send UID

Grant the discount

PolicPolicyy

Releasing UID requires BBB

Cred.UID (student ID)

Alice

PolicPolicyy

Discount requires UID

Cred.

BBB (better business bureau)

A general trust A general trust negotiation Protocol negotiation Protocol

Request for resource

Request credential

Sensitive, request proof

Sensitive, request more credential

Send credential

Grant the resource

PoliciesPolicies

Credentials

Alice

PoliciesPolicies

Credentials

Send proof

Primary trust target

Trust target graphTrust target graph Trust target graph (TTG) is a directed graph Trust target graph (TTG) is a directed graph

representing the state of negotiation [Winsborough Li representing the state of negotiation [Winsborough Li ’02] ’02] – The negotiation succeeds when the primary trust target is

satisfied– Fails when the primary target cannot be satisfied, or when

neither negotiator changes the graph– TTG can have cycles and be non-planar

Construction of TTGConstruction of TTG– Each negotiator keeps a local copy of TTGEach negotiator keeps a local copy of TTG– Nodes are trust targets:Nodes are trust targets:

< < Amazon: Amazon.discount Amazon: Amazon.discount ? Alice? Alice > > The state of a node: unknown, satisified, or unsatisfiedThe state of a node: unknown, satisified, or unsatisfied

– Edges represent implication and control relationshipsEdges represent implication and control relationships Satisfied states propagate along the edgesSatisfied states propagate along the edges

– Negotiators take turns extending the TTG by adding new Negotiators take turns extending the TTG by adding new edges and nodes to the current graphedges and nodes to the current graph

At the beginning TTG contains only the primary trust At the beginning TTG contains only the primary trust targettarget

The new TTG is a supergraph of the previous oneThe new TTG is a supergraph of the previous one Associated credentials or policies are transmitted Associated credentials or policies are transmitted

TTG construction of TTG construction of the examplethe example

Amazon: Amazon.discount ? Alice

Amazon: Univ.Student ? Alice

Alice: BBB.member ? Amazon

Alice: Amazon ? Amazon

Alice: BBB.member ? Amazon

Amazon: Univ.Student ? Alice

Amazon: Amazon.discount ? Alice

Components of our Components of our ATN visualization ATN visualization frameworkframework

Visualization(View)

LogParser

ProtocolState &Update

text

text

Credentials,Policies,

Strategies

Logs

(1)

(2)

(3)

(4)

(5)

ATNEngine

(6)

(8)Modifier

User Inputs

Prototype Prototype implementationimplementation

The visualizer displays the construction of The visualizer displays the construction of TTG for negotiatorsTTG for negotiators

Uses Grappa system [Barghouti, Mocenigo, Lee. GD ‘97], a Java port of GraphViz system [Ellson, Gansner, Koutsofios, North, Woodhull et al] for graph drawing– Layout provided by dot in GraphViz– The upward drawing heuristics and

hierarchical (layered) drawing features are suitable for drawing directed graphs such as TTGs

– Layout algorithms try to avoid edge crossings and reduce edge length

Colors and shapes of nodes and edges represent different types in TTG and can be customized

Displays local credentials, remote credentials, and policies

Standard target

Intersection target

Trivial target

Linked role target

Edge typesEdge types

Edge name Color Meaning

Implication PurpleA parent node implies the child node

Linking monitor BlueForm a target with a linked role to a linking goal

Linking solution GoldFrom a linked goal to a standard target

Linking implication GreenFrom a target with a linked role to a linked role target

Control Sienna Used with ack and access policies

Intersection OrangeFrom an intersection target to standard targets

Demo Demo of a visualization of a visualization sessionsession

Requester: AliceRequester: Alice– Works at purchase department in Medix Fund Works at purchase department in Medix Fund

((MedixFund.purchasingAMedixFund.purchasingA))– She considers this credential sensitiveShe considers this credential sensitive

Resource owner: Medical Supply Company (Resource owner: Medical Supply Company (MedSupMedSup))– A member of ReliefNet (A member of ReliefNet (ReliefNet.memberReliefNet.member))

Requested resource: Discount from MedSupRequested resource: Discount from MedSup– MedSup.discountMedSup.discount

Delegation credentials transfer privileges between rolesDelegation credentials transfer privileges between roles– Role Role provisionerprovisioner at ReliefNet is delegated to at ReliefNet is delegated to

MedixFund.purchasingAMedixFund.purchasingA– cPartnercPartner at Medix Fund is delegated to at Medix Fund is delegated to ReliefNet.memberReliefNet.member– Discount is given toDiscount is given to provisioner provisioner at ReliefNetat ReliefNet

ATN-Vis DemoATN-Vis Demo

Example -- StartExample -- Start

Requester: Alice Provider: Medical Supply (MedSup)

Example -- 3% progressExample -- 3% progress

Example -- 16% Example -- 16% progressprogress

Example -- 19% Example -- 19% progressprogress

Example -- 23% Example -- 23% progressprogress

Example -- 29% Example -- 29% progressprogress

Example -- 42% Example -- 42% progressprogress

Example -- 45% Example -- 45% progressprogress

Example -- 52% Example -- 52% progressprogress

Example -- 61% Example -- 61% progressprogress

Example -- 71% Example -- 71% progressprogress

Example -- 77% Example -- 77% progressprogress

Example -- 74% Example -- 74% progressprogress

Example -- 84% Example -- 84% progressprogress

Example -- 97% Example -- 97% progressprogress

Example -- 100% Example -- 100% progressprogress

Related WorkRelated Work Graph drawing systemsGraph drawing systems

– Grappa [Barghouti, Mocenigo, Lee. GD ‘97] – GraphViz [Ellson, Gansner, Koutsofios, North, Woodhull

et al] Visualization of protocols

– [Hall, Moore, Pratt, Leslie. SIGCOMM Workshop ‘03]– [Zhao, Mayo. ICEE ’02]– [Koch, Parisi-Presicce. FASE ‘03]

Trust negotiationTrust negotiation– [Winsborough, Seamons, Jones. DISCEX’00][Winsborough, Seamons, Jones. DISCEX’00]– [Yu, Ma, Winslett. CCS’00] [Yu, Ma, Winslett. CCS’00] – [Winsborough, Li. POLICY ’02][Winsborough, Li. POLICY ’02]– [Li, Du, Boneh ‘03][Li, Du, Boneh ‘03]

Combination of visualization and automated protocols– Anomaly detection [Anomaly detection [Teoh, Zhang, Tseng, Ma, Wu.

VizSEC/DMSEC ‘04]]– Mining Mining geo-spatial datasets [Keim, Panse, Sips, North. CG

‘04]

Conclusions and future Conclusions and future workwork

We have described the architecture and data We have described the architecture and data model of an interactive visualization framework model of an interactive visualization framework for ATNfor ATN

We have presented a prototype of our ATN We have presented a prototype of our ATN visualization frameworkvisualization framework

Grappa and GraphViz are suitable tools for Grappa and GraphViz are suitable tools for drawing trust target graphs in ATNdrawing trust target graphs in ATN

For future work, we plan to bring more For future work, we plan to bring more interactive components into the implementationinteractive components into the implementation– Provide more interactive explanations of texts inside Provide more interactive explanations of texts inside

TTG nodesTTG nodes– Visualization and modification of negotiation strategiesVisualization and modification of negotiation strategies