A5 Exchange and Fusion of Information under Availability and Confidentiality Requirements in MultiAgent Systems


Prof. Dr. Biskup, Joachim
Prof. Dr. Kern-Isberner, Gabriele
Achieving both availability and confidentiality of information makes it necessary to develop and employ concepts and algorithms that handle the conflicting security interests of the actors and of the persons concerned in general. This should be possible even in situations with a limited technical infrastructure in terms of time, memory, and communication. To achieve these goals, this project aims at extending database techniques for multiagent systems, in particular for the purpose of data mining in embedded systems.

Confidentiality Preserving Agent Interactions

The distinguishing feature of an agent in comparison to other computing systems is its capability for autonomous decision-making driven by internal goals. An agent's decision-making relies on its beliefs about its environment. Therefore an agent needs to keep its beliefs up to date by perceptions through sensors or by information sharing in a collaborative multiagent environment. However, an agent might be concerned about the confidentiality of some beliefs (for example, motivated or obliged by privacy issues), so that it aims to hide some of its beliefs from another agent. To enforce confidentiality, the agent must monitor and appropriately restrict its interactions with other agents. As part of this research project, we develop control procedures that an agent can employ under varying parameters:
  • Belief Representation:
    • ordinal conditional functions offer expressive semantics and can be thought of as qualitative probability measures, cf. the seminal work of (Spohn/88a).
    • logic programming focuses on powerful and fast solvers, cf. the seminal work of (Gelfond/Lifschitz/88a).
    • logical databases have a long history of research in confidentiality preservation, cf. an overview in (Biskup/2010a).
  • Types of Agent Interactions:
    • query: the sender poses a query about the recipient's belief.
    • update: the sender provides information about a change in the environment which is processed by the recipient.
    • revision: the sender provides new evidence about the present state of the environment which is processed by the recipient.
    • Further types in a setting of negotiating agents are suggested in (Biskup/etal/2008a).
  • Adversary Model: control procedures are tailored to an adversary model. For different models see the section “Epistemic Adversaries” below.

Completed Work:

  • (Biskup/Tadros/2011a) defines query and update protocols for an agent employing a propositional database. Following these protocols, the agent may refuse requests from another agent for the sake of confidentiality, correctness and reliability of information. Confidentiality may depend on the timeliness of the information. Regarding availability of information, the update transaction protocol is shown to be maximally cooperative, i.e., to provide as much information as possible, among the discussed class of transaction protocols.
  • (Biskup/Tadros/2012) gives procedures for an agent to control its reactions to revisions and queries requested by another agent. The reacting agent bases its belief about its environment on an ordinal conditional function (representing the agent's expertise). Under confidentiality considerations, the reacting agent assumes that the receiver may attempt to skeptically entail confidential beliefs.
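As an added illustration of refusal-based query control over a propositional database (constructed here, not the project's or the papers' code), the following Python sketch answers a query only if neither the truthful answer nor its negation, combined with what the user already knows, would entail a potential secret; checking both possible answers is what keeps the user from learning a secret from the refusal itself. The formula encoding, the atom names and the secrets are assumptions made for the example.

```python
from itertools import product

# Constructed example: a complete propositional database, a policy of
# potential secrets and the user's log, in the spirit of controlled query
# evaluation with refusals. Formulas are nested tuples:
# ('atom', 'a') | ('not', f) | ('and', f, g) | ('or', f, g)

def evaluate(formula, model):
    """Truth value of formula under a model (dict atom -> bool)."""
    kind = formula[0]
    if kind == "atom":
        return model[formula[1]]
    if kind == "not":
        return not evaluate(formula[1], model)
    if kind == "and":
        return evaluate(formula[1], model) and evaluate(formula[2], model)
    if kind == "or":
        return evaluate(formula[1], model) or evaluate(formula[2], model)
    raise ValueError("unknown connective %r" % (kind,))

def entails(knowledge, formula, atoms):
    """True if every model of the knowledge set also satisfies formula."""
    for values in product([False, True], repeat=len(atoms)):
        model = dict(zip(atoms, values))
        if all(evaluate(k, model) for k in knowledge) and not evaluate(formula, model):
            return False
    return True

class ControlledDatabase:
    def __init__(self, instance, secrets, a_priori=()):
        self.instance = instance          # complete instance: atom -> bool
        self.atoms = sorted(instance)
        self.secrets = list(secrets)      # potential secrets to protect
        self.log = list(a_priori)         # what the user is assumed to know

    def query(self, phi):
        """Answer phi truthfully unless either possible answer would let the
        user entail a secret; in that case refuse without extending the log."""
        for candidate in (phi, ("not", phi)):
            if any(entails(self.log + [candidate], s, self.atoms) for s in self.secrets):
                return "refuse"
        truthful = phi if evaluate(phi, self.instance) else ("not", phi)
        self.log.append(truthful)
        return "true" if truthful is phi else "false"

if __name__ == "__main__":
    a, b, c = ("atom", "a"), ("atom", "b"), ("atom", "c")
    cdb = ControlledDatabase({"a": True, "b": True, "c": False}, [("and", a, b)])
    print([cdb.query(q) for q in (a, b, c)])   # ['true', 'refuse', 'false']
```

The second query is refused because the user, already knowing a, would learn the secret a ∧ b from a truthful "true"; the third query is harmless and is answered.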

Epistemic Adversaries

In computer security, a system (here a multiagent system and its environment) is analyzed for confidentiality leaks, or more generally information leaks, from a global perspective (Halpern/ONeill/2008a). From this perspective, an agent has full knowledge of the system specification and is capable of determining and reasoning about all possible system states from its runtime information. From the perspective of an individual agent, however, the agent is usually able to analyze the effect of its actions on confidentiality given only incomplete information about its environment, including other agents (potential attackers). The agent thus faces the problem of how to evaluate the risk to confidentiality given only such incomplete information. This problem is related to the research area of non-monotonic reasoning, which lays the foundations for drawing reasonable conclusions in the face of incomplete information. In evaluating confidentiality risks, an agent may assume another “curious” agent (a potential attacker) to be rational and to exhibit individual reasoning capabilities and behavior.

Completed Work:

  • (Biskup/Tadros/2010a) relates previous work on confidentiality preserving querying of a database system, cf. (Biskup/2010a), to the global perspective of (Halpern/ONeill/2008a). It defines the notion of policy-based secrecy where in a local policy an agent may declare properties of its own state not to be ruled out by another agent. Policy-based secrecy extends the less flexible notions of secrecy presented by (Halpern/ONeill/2008a) which are not sufficiently expressive for the confidentiality requirements in database systems.

Efficient Preprocessing for Resource-bounded Agents

In previous research on database systems, there are several approaches to reduce the time-consuming dynamic control of interactions with the database system, where the control enforces confidentiality of information:
  1. From a database instance a view may be precomputed for a particular user such that it reveals no confidential information and is consistent with the user's a priori knowledge about the database. The user then can query the view without any further control on the part of the database system (Biskup/Wiese/2008a, Biskup/Wiese/2011a).
  2. On the schema level, a relation schema can be divided into fragment schemas (by a selection of attributes) in a way that breaks sensitive associations among attributes. Then, from a database instance of the original schema, fragments are generated according to the precomputed fragment schemas. Finally, these fragments are published to different parties (e.g. public and owner). See (Samarati/Vimercati/2010a).
  3. A suitable restriction of the query language can prevent a database user from combining results from different queries and thereby inferring sensitive information. See (Biskup/2010a).
  4. Mixed strategies use a suitable combination of (a) precomputation, (b) dynamic protocols and (c) adaptation of a database user's privilege state (including the confidentiality policy and the interaction language permitted), cf. (Biskup/2011a). In multiagent systems, such strategies are apt to adjust an appropriate balance between competing goals of an agent, such as low consumption of different resources and high cooperativeness in the collaboration with other agents.
In this research project, we aim to improve upon the existing approaches by comparing and combining the different methods.
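As an added example of the fragmentation approach (item 2 above), constructed here and not the project's or the cited paper's code, the following Python sketch splits a relation schema into an owner fragment and a public fragment such that no confidentiality constraint (a set of attributes whose joint visibility is sensitive) is fully contained in the public fragment, then projects an instance onto the two fragments and re-checks the result. The attribute names, constraints and rows are assumptions made for the example.

```python
# Constructed example of vertical fragmentation: a relation schema is split into
# an owner fragment F_o (kept by the data owner) and a public fragment F_s such
# that no confidentiality constraint (a set of attributes whose association is
# sensitive) is fully visible in F_s. Not the project's or the cited paper's code.

def is_inference_proof(public_attrs, constraints):
    """A published fragment must not contain any constraint as a whole."""
    visible = set(public_attrs)
    return not any(set(c) <= visible for c in constraints)

def fragment(attributes, constraints):
    """Greedily choose F_o; returns (owner_attrs, public_attrs) in schema order."""
    owner = {a for c in constraints if len(c) == 1 for a in c}  # singleton secrets
    while True:
        public = [a for a in attributes if a not in owner]
        violated = [set(c) for c in constraints if set(c) <= set(public)]
        if not violated:
            return [a for a in attributes if a in owner], public
        # move the attribute that breaks the most still-visible associations
        owner.add(max(public, key=lambda a: sum(a in c for c in violated)))

def project(rows, attrs):
    """Generate a fragment instance by projecting the rows onto attrs."""
    return [tuple(row[a] for a in attrs) for row in rows]

def publish(attributes, constraints, rows):
    """Fragment the schema, project the instance and re-check the public part."""
    owner_attrs, public_attrs = fragment(attributes, constraints)
    assert is_inference_proof(public_attrs, constraints)
    return {"owner": (owner_attrs, project(rows, owner_attrs)),
            "public": (public_attrs, project(rows, public_attrs))}

if __name__ == "__main__":
    # Constructed schema, constraints and rows
    schema = ["SSN", "Name", "DoB", "ZIP", "Illness"]
    constraints = [("SSN",), ("Name", "Illness"), ("DoB", "ZIP", "Illness")]
    rows = [{"SSN": "123", "Name": "Alice", "DoB": "1980", "ZIP": "44221", "Illness": "flu"},
            {"SSN": "456", "Name": "Bob", "DoB": "1975", "ZIP": "44227", "Illness": "cold"}]
    print(publish(schema, constraints, rows)["public"][0])  # ['Name', 'DoB', 'ZIP']
```

Reconstructing complete tuples requires the owner to keep a join key linking the two fragments, which this sketch omits; the check in is_inference_proof covers only the constraints themselves, not a user's additional a priori knowledge as studied in (Preuss/etal/2011a).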

Completed Work

  • (Preuss/etal/2011a) shows that the approach to vertical fragmentation (Samarati/Vimercati/2010a) is inference-proof as long as a user only has some a priori knowledge in terms of arbitrary unirelational and typed semantic constraints belonging to the rather general classes of so-called Equality Generating Dependencies (EGDs) or Tuple Generating Dependencies (TGDs).
  • (Biskup/2011a) adapts the confidentiality policy for a database user such that it becomes more restrictive with increasing knowledge of this user. Policy adaptation can be seen as a precomputation of relevant steps in a deduction of confidential information from the user's available knowledge.

Implementations

CIE Prototype

The CIE Prototype is a prototypical implementation of controlled interaction execution (CIE) as a frontend to the Oracle database management system. The functionality of the frontend comprises the following components:
  • the management of client-specific parameters such as the confidentiality policy and a priori knowledge;
  • a large selection of confinement methods, which range from static preprocessing of a client-specific materialized view offered for later free access to dynamic analysis of the interaction history;
  • an optimizer, which can dynamically select a currently best applicable method.

Angerona Framework

The Angerona framework is a multiagent framework dealing with confidentiality preservation. It has a modular structure defining two types of Plug-ins:
  • an Operator Plug-in for changing the behavior of the agent,
  • a Belief Base Plug-in for employing different types of knowledge representation and operators of knowledge change.
An Operator defines a functionality of an agent. For example, there is a PolicyControl Operator which changes the answer behavior of the agent in order to enforce a confidentiality policy. A collection of operators defines a Skill, which is an atomic action of an agent. Each individual agent, as well as the simulation of the multiagent system as a whole, can be configured by XML files.

Project management:

Prof. Dr. Biskup, Joachim 
Prof. Dr. Kern-Isberner, Gabriele 

Project members:

Krümpelmann, Patrick 
Preuß, Marcel 
Tadros, Cornelia 

Publications:

Biskup/2011a Joachim Biskup. History-dependent inference control of queries by dynamic policy adaption. In Yingjiu Li (editor), Data and Applications Security and Privacy XXV - 25th Annual IFIP WG 11.3 Conference, DBSec 2011, Vol. 6818, pages 106-121, IFIP WG 11.3, Springer, 2011.

Biskup/Tadros/2011a Joachim Biskup and Cornelia Tadros. Inference-proof View Update Transactions with Minimal Refusals. In 6th International Workshop on Data Privacy Management, DPM 2009, 2011.

Preuss/etal/2011a Joachim Biskup and Marcel Preuß and Lena Wiese. On the Inference-Proofness of Database Fragmentation Satisfying Confidentiality Constraints. In Xuejia Lai and Jianying Zhou and Hui Li (editors), Proceedings of the 14th Information Security Conference (ISC 2011), Vol. 7001, pages 246-261, Springer, 2011.

Preliminary work:

Biskup/2010a Joachim Biskup. Usability confinement of server reactions maintaining inference-proof client views by controlled interaction execution. In Databases in Networked Information Systems, DNIS 2010, Vol. 5999, pages 80-106, Springer, 2010.


Biskup/Tadros/2010a Joachim Biskup and Cornelia Tadros. Policy-Based Secrecy in the Runs & Systems Framework and Controlled Query Evaluation. In Isao Echizen and Noboru Kunihiro and Ryoichi Sasaki (editors), IWSEC 2010 (Short Papers), Information Processing Society of Japan (IPSJ), 2010.


Biskup/2009a Joachim Biskup. Security in Computing Systems -- Challenges, Approaches and Solutions. Springer, 2009.


Biskup/etal/2009a Joachim Biskup and Christian Gogolin and Jens Seiler and Torben Weibert. Requirements and Protocols for Inference-Proof Interactions in Information Systems. In European Symposium on Research in Computer Security, ESORICS 2009, Vol. 5789, pages 285-302, Springer, 2009.


Falappa/etal/2009a Marcelo Alejandro Falappa and Gabriele Kern-Isberner and Guillermo Ricardo Simari. Belief Revision and Argumentation Theory. In Simari, G.R. and Rahwan, I. (editors), Argumentation in Artificial Intelligence, pages 341-360, Springer, 2009.


Biskup/etal/2008a Joachim Biskup and Gabriele Kern-Isberner and Matthias Thimm. Towards Enforcement of Confidentiality in Agent Interactions. In Maurice Pagnucco and Michael Thielscher (editors), Proceedings of the 12th International Workshop on Non-Monotonic Reasoning (NMR'08), pages 104-112, Sydney, Australia, University of New South Wales, Technical Report No. UNSW-CSE-TR-0819, 2008.


Biskup/Weibert/2008a Joachim Biskup and Torben Weibert. Keeping secrets in incomplete databases. In Int. Journal of Information Security, Vol. 7, No. 3, pages 199-217, 2008.


Biskup/Wiese/2008a Joachim Biskup and Lena Wiese. Preprocessing for controlled query evaluation with availability policy. In Journal of Computer Security, Vol. 16, No. 4, pages 477-494, 2008.


KernIsberner/2008a Gabriele Kern-Isberner. Linking iterated belief change operations to nonmonotonic reasoning. In G. Brewka and J. Lang (editors), Proceedings 11th International Conference on Knowledge Representation and Reasoning, KR'2008, pages 166-176, Menlo Park, CA, AAAI Press, 2008.


Kruempelmann/etal/2008a Patrick Krümpelmann and Matthias Thimm and Manuela Ritterskamp and Gabriele Kern-Isberner. Belief Operations for Motivated BDI Agents. In Lin Padgham and David C. Parkes and Joerg P. Müller and Simon Parsons (editors), Proceedings of the 7th International Conference on Autonomous Agents and Multiagent Systems (AAMAS 2008), pages 421-428, Estoril, Portugal, 2008.


Thimm/KernIsberner/2008a Matthias Thimm and Gabriele Kern-Isberner. A Distributed Argumentation Framework using Defeasible Logic Programming. In Philippe Besnard and Sylvie Doutre and Anthony Hunter (editors), Proceedings of the 2nd International Conference on Computational Models of Argument (COMMA'08), No. 172, pages 381-392, Toulouse, France, IOS Press, 2008.


Biskup/Bonatti/2007a Joachim Biskup and Piero A. Bonatti. Controlled query evaluation with open queries for a decidable relational submodel. In Annals of Mathematics and Artificial Intelligence, Vol. 50, No. 1-2, pages 39-77, 2007.


KernIsberner/Fisseler/2004a G. Kern-Isberner and J. Fisseler. Knowledge Discovery by Reversing Inductive Knowledge Representation. In Proceedings of the Ninth International Conference on the Principles of Knowledge Representation and Reasoning, KR-2004, pages 34-44, AAAI Press, 2004.