Trust based risk management for distributed system security - a new approach

Security measures alone are not sufficient for counteracting malicious behaviors in distributed systems. The new trend is to use economical models (mainly game-theoretic models) to characterize such malicious behaviors in the security context with the aim to mitigate the risk introduced by such malicious behaviors. However, there is a general lack in the integration of risk and security and this hinders the effectiveness of these existing economical models when applied in the security context for distributed systems. Recently, utility has become an important consideration for information security. We show that the decisions by security mechanisms, such as the authorization decisions in a distributed system can have a direct impact on the utility of the underlying system. However there is little work done on utility maximization when designing secure distributed systems. To address this gap, we present in this paper a new approach through integrating risk management into security with the help of a trust model. Furthermore, we show that the proposed trust based security model with risk management can be applied to maximize the utility of the underlying distributed systems. The new model possesses a unique feature - the ability to use trust evaluation to not only "weed out" malicious entities, but also allocate appropriate access permissions to the benevolent entities according to the risk levels. Using a mobile agent system as an example, we study the properties of the proposed model through simulation and present the experimental results which confirm the mew feature of the proposal.