Formalization of Trust, Fraud, and Vulnerability Analysis
Bharat Bhargava, Leszek Lilien, Yuhui Zhong, Yi Lu, Yunhua Lu
Department of Computer Sciences, Purdue University
http://www.cs.purdue.edu/homes/bb/NSFtrust.html
Trust-related research questions
• Formalization of trust
• Formalization of evidence
• Evidence identification for trust evaluation and prediction
• Design of evidence collection mechanisms
• Trust evaluation based on multiple types of evidence
• Mechanisms to build trust
• How to motivate trustor?
• Insurance mechanisms and escrow services
• How to motivate trustee?
• Monitor-and-punish and incentive-based mechanisms
• Evaluation methods for trust
Progress and results
• Developed an evidence model that accommodates credentials of different formats and supports evaluation of reliability of evidence [1]
• Designed a classification algorithm for building user-role profiles in a trust environment [2]
• Proposed a framework for adaptive trust assessment [3]
• Developed and implemented four trust production rules [3]
• Proposed user behavior models to evaluate trust assessment approaches [3]
• Designed and partially implemented a trust-enhanced role mapping server that cooperates with RBAC mechanisms to solve authorization problems in open environments [1]
Fraud-related research questions
• Fraud formalization
• Categorize fraudsters
• Formalize deceiving intentions
• Fraud prevention
• Is the issue of resistance of biometric authentication to attack an important question for fraud prevention?
• Analyze fraud scenarios to construct states and transition actions for state transition analysis
• Hinder transitions from normal states to potential fraud states
• Fraud detection
• Behavior patterns to profile and monitor
• Identify patterns classified as anomalous
• Avoid false alarms, especially as patterns evolve over time
• Design rule generation algorithms to automatically discover fraud rules and to select fraud rule sets with comprehensive coverage, small size, and the required level of accuracy
Progress and results
• Modeled three deceiving intentions [4]
• Developed a deceiving intention prediction algorithm [4]
• Proposed an approach for swindler detection and an architecture realizing the approach [4]
• Derived an equilibrium bidding strategy for honest bidders in an English auction where multiple bidding and shill bidding exist [5]
• Developed a token-based model for fraud detection and prevention [6]
• Showed experimentally that the false alarm rate is reduced in the token-based model compared to the cost-based model [6]
Vulnerability-related research issues
• Vulnerability and threat analysis
• Analyze vulnerabilities and threats in database systems
• Solutions for threat avoidance
• Solutions for threat tolerance
• Analysis of computer security paradigms and effectiveness of methods and tools based on them
• Interplay of vulnerabilities, trust, and fraud
• Use trust to avoid/tolerate vulnerabilities and threats
• Reciprocally, use vulnerability and threat avoidance or tolerance to increase trust among peers
• Use analysis of trust, vulnerabilities and threats to reduce fraud (via prevention, detection and tolerance)
Progress and results
• Searched vulnerability databases (ICAT, CERT/CC, SecurityFocus, MITRE/CVE, CIRDB, MS, Oracle) [7]
• Identified vulnerabilities impacting database integrity (MS, Oracle) [7]
• Performing analysis of the vulnerabilities [7]
• Performing analysis of computer security paradigms (identifying, classifying, etc.) [8]
• Working on a new security paradigm for information security based on trust [8]
References
[1] B. Bhargava and Y. Zhong, "Authorization Based on Evidence and Trust," in Proc. of Data Warehousing and Knowledge Discovery Conf. (DaWaK), Sept. 2002.
[2] E. Terzi, Y. Zhong, B. Bhargava, Pankaj, and S. Madria, "An Algorithm for Building User-Role Profiles in a Trust Environment," in Proc. of Data Warehousing and Knowledge Discovery Conf. (DaWaK), Sept. 2002.
[3] Y. Zhong, Y. Lu, and B. Bhargava, "Dynamic Trust Production Based on Interaction Sequence," Technical Report, CSD-TR 03-006, Dept. of Computer Sciences, Purdue University, March 2003.
[4] B. Bhargava, Y. Zhong, and Y. Lu, "Fraud Formalization and Detection," in Proc. of Data Warehousing and Knowledge Discovery Conf. (DaWaK), Sept. 2003.
[5] B. Bhargava, M. Jenamani, and Y. Zhong, "Impact of Privacy Violation on the Fairness of Internet Auctions," submitted for publication.
[6] Y. Lu, L. Lilien, and B. Bhargava, "A Token-based Model for Fraud Detection and Prevention," Working Paper, Dept. of Computer Sciences, Purdue U., Sept. 2003.
[7] L. Lilien, T. Morris, and A. Savoy, "Analysis of Data Integrity Vulnerabilities," Working Paper, Dept. of Computer Sciences, Purdue University, Sept. 2003.
[8] L. Lilien and A. Bhargava, "From Vulnerabilities to Trust: A Road to Trusted Computing," to appear in Proc. of Intl. Conf. on Internet, Processing, Systems, Interdisciplinaries (IPSI), Sv. Stefan, Serbia and Montenegro, Oct. 2003.