Trust Assessment from Observed Behavior: Toward an Essential Service for Trusted Network Computing [1]

Partha Pal, Franklin Webber, Michael Atighetchi and Nate Combs [2]
BBN Technologies, 10 Moulton Street, Cambridge, MA 02138
{ppal,fwebber,matighet}@bbn.com, ncombs@roaringshrimp.com

[1] This research was supported by DARPA under contract No. F30602-02-C-0134.
[2] This work was done by the author when he was at BBN. This is his current email address.

Abstract

Modern distributed information systems handle increasingly critical data and computation, but there is no systematic way to assess whether a given part of the system can be entrusted with such data and computation on a continuous basis. In a highly interconnected networked environment, components with varying levels of trustworthiness must interact with each other. The occurrence and spread of attack-induced failure imply that hosts once trusted cannot remain equally trusted all the time. System components and human operators can benefit from a scheme that assesses the trustworthiness of hosts, i.e., the confidence that individual hosts are not corrupt, on a continuous basis, by adjusting and adapting their behavior when a host's trustworthiness diminishes. In this work-in-progress report we present an accusation-based trust assessment scheme.

1. Introduction

The notion of a Trusted Computing Base (TCB) [1] was conceived to provide a framework for performing security-critical computation: a computing environment that can be trusted to satisfy the predefined security policies all the time. However, experience teaches us that a TCB is hard to build, prove and maintain. Any approximation of a TCB is thus usually found in a small but key part (of a larger system) that is perhaps built with more care and tested better.
Information systems are becoming increasingly complex, geographically distributed and interconnected with other systems (and sometimes with public networks like the Internet), making it unlikely that a critical information system can ever be trusted in the TCB sense; therefore, components with varying levels of trust must, by necessity, interact with each other. Distribution, interoperation and network connectivity further complicate the situation by making current networked information systems more vulnerable to cyber attacks, and more easily accessible to potential adversaries. This suggests that one must find an alternative means to decide whether components or subsystems can be entrusted with critical computation or data.

Furthermore, trustworthiness can neither be black-and-white nor remain constant over time. A small custom-created component, e.g., a Network Intrusion Detection System (NIDS) appliance, may generally be more trusted than other components that are built upon or with products with known vulnerabilities (such as IIS or MySQL server). But a component should become less trusted when it is under attack. Therefore, a trust management overlay is needed that observes the system, assesses trust values, and makes the assessed values available to system components and operators. A component may then decide to seek the service from a different peer because the current provider cannot be trusted as much, or the system operator may decide to temporarily isolate the untrusted host to investigate it further and to contain the spread of corruption.

In the context of testing and evaluating a highly survivable distributed networked information system for the US DoD, we have been developing such a trust management scheme, which we describe in this paper. One of the innovative aspects of this work is that it presents a framework that uses accusations about a host H as well as accusations made by H to decide whether H is corrupted and hence not to be trusted.
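To make the accusation-based idea concrete, the following added example (not the authors' scheme, whose weighting is described later in the paper) models a host's trust value as a score that decreases with accusations made about it and, more mildly, with accusations it makes itself, and that recovers over time as accusations age. The weights, the half-life and the host names are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Accusation:
    accuser: str   # host that raised the accusation
    accused: str   # host being accused
    time: float    # seconds; constructed sample values are used below


class TrustAssessor:
    """Illustrative accusation-based trust model (an assumption, not the paper's algorithm).

    trust(H) = 1 - w_about * (decayed accusations about H)
                 - w_by    * (decayed accusations made by H), clamped to [0, 1].
    Each accusation's weight halves every `half_life` seconds, so a host that
    stops attracting accusations gradually regains trust instead of staying
    distrusted forever.
    """

    def __init__(self, w_about: float = 0.25, w_by: float = 0.05, half_life: float = 300.0):
        self.w_about = w_about      # weight of an accusation about the host
        self.w_by = w_by            # weight of an accusation made by the host
        self.half_life = half_life  # seconds until an accusation counts half
        self.accusations: list[Accusation] = []

    def record(self, acc: Accusation) -> None:
        self.accusations.append(acc)

    def _decay(self, age: float) -> float:
        # Accusations "from the future" (clock skew) are ignored rather than trusted.
        return 0.5 ** (age / self.half_life) if age >= 0 else 0.0

    def trust(self, host: str, now: float) -> float:
        about = sum(self._decay(now - a.time) for a in self.accusations if a.accused == host)
        by = sum(self._decay(now - a.time) for a in self.accusations if a.accuser == host)
        return max(0.0, min(1.0, 1.0 - self.w_about * about - self.w_by * by))


def demo_scores() -> dict:
    """Constructed scenario: three hosts accuse web1 at t=1000, then time passes."""
    ta = TrustAssessor()
    for accuser in ("nids", "db", "app"):
        ta.record(Accusation(accuser, "web1", 1000.0))
    return {
        "web1_now": ta.trust("web1", 1000.0),    # 1 - 0.25*3 = 0.25
        "nids_now": ta.trust("nids", 1000.0),    # 1 - 0.05*1 = 0.95
        "web1_later": ta.trust("web1", 1600.0),  # two half-lives: 1 - 0.25*0.75 = 0.8125
    }
```

An operator policy could, for instance, stop routing critical requests to a host whose score drops below a threshold and re-admit it once the score recovers.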
The framework is flexible: the relative importance given to accusations from H versus accusations about H in assessing the trust value can be adjusted. Our position is that such a service is essential for any trusted network computing environment or infrastructure. Results of a preliminary evaluation, lessons learned and future work are also presented.

2. Background

Information superiority is one of the key goals of the US military. Toward that end, a number of efforts have been under way to enhance the reach and capability of combat information management systems. The concept of the Joint Battlespace Infosphere (JBI) [2] is one such effort undertaken by the Air Force, which aims to enable