Trust negotiation protocol support for secure mobile ... - CiteSeerX

Context awareness in network selection for dynamic environments∗ Daniel D´ıaz Sánchez, Andrés Mar´ın López, Florina Almenárez Mendoza Celeste Campo Vázquez , Carlos Garc´ıa-Rubio Telematic Engineering Department, Carlos III University of Madrid Avda. Universidad, 30, 28911 Leganés (Madrid), Spain {dds, amarin, florina, celeste, cgr}@it.uc3m.es June 1, 2009

Abstract Mobile devices of new generation are able to connect to multiple networks and to constitute new infrastructureless networks. These dynamic environments require new security paradigms and automatic mechanisms to minimize user intervention. Our goal is the definition of a new concept of distance that considers the current domain constraints and the user preferences. This paper addresses some of the problems of these complex environments by using Multidimensional Scaling (MDS) techniques. We also propose collaborative mechanisms for automatic environment marking. Based on these ideas we have developed Pervasive Interaction Manager (PervsIM), a decision mechanism that selects the most appropriate network or peer to interact with. Besides we have defined an embedded access control module which ensures that PervsIM decisions are followed by all applications. Furthermore, several simulation results and implementation details outline how these results can be incorporated in today’s mobile devices.

1

Introduction

Wireless network technologies are evolving providing more coverage, speed and quality of service. Moreover, the cost of the technology is decreasing so This work has been partially supported by EveryWare (MCyT N2003-08995-C02-01) and by grant UC3M-TEC-05-056 of the Program to Support the Creation and Consolidation of Universidad Carlos III Research Groups. ∗

1

The original publication is available at http://www.springerlink.com

1

INTRODUCTION

that it benefits the deployment. As a consequence, the number of mobile devices increases. Mobile devices are also enhancing their network support, being usually shipped by manufacturers with different network interfaces, like IrDA, bluetooth, WiFi and or UMTS/HSDPA. This enables them to connect to multiple networks and to constitute new infrastructureless networks. In dynamic environments it is desirable that devices can be grouped defining domains. Grouping devices in domains makes it easier to determine, where we are, how closer the devices of a domain are, and what we can do within a domain. In this paper we outline a mechanism to determine “where we are” by collecting context information and the unique IDs of access points and static devices. Currently, mobile devices require human input either from end users or providers to mark networks, access points, or peers. The marking information helps the mobile device to select among the (growing) list of preferred networks. In this paper we propose an automatic mechanism of collaborative marking, which allows setting up marking information without user intervention for devices in a domain. We also depict “what we can do” by defining policies. The mark given to domain devices, used together with the policies, parameterize the behavior. We also propose to embed the access control mechanisms in the operating system so even legacy applications can be controlled. Moreover, when a mobile device switches on, or moves to other places, it is necessary to select the appropriate network or peer to interact, in order to satisfy user needs. For example, if it is roaming, to reduce handoff delay (make-before-break). Deciding the peer, network, or entity to interact with, may be conditioned by multiple factors. Humans tend to consider multiple factors when deciding but, as a last resort, tend to simplify problems. Thus, why do not implement decision engines that simplifies such decisions?. This paper addresses the problem of selecting the most appropriate network or peer to interact with, defining a new concept of distance that considers the current domain constraints and the user preferences. Section 2 introduces the problem domain, and the previous works are described in section 3. Section 4 outlines the prototype: domain definition and marking, policy manager and finally, the decision engine where it will be shown how multidimensional scaling, a psychometric algorithm, helps to alleviate decision problems. Section 5 gives implementation details, and finally section 6 present the conclusion and future work.

2 . Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx


2

2

MOTIVATION

Motivation

Marc Weiser stated that “the most profound technologies are those that dissapear” [1], meaning that the user is not aware of them. Context awareness and processing is definitely needed to operate under the consciousness human level. Moreover, intuitive ways of displaying context information, even mimicking human thinking are desirable capabilities for the technologies described by Weiser. Satyanarayanan said that interactions in pervasive computing environments decay with the square of distance [2]. This statement applies to every interaction since the energy of signals decays in the same fashion. The goal of Satyanarayanan is to establish a way to measure what can be called interaction distance. But, what about other metric or non metric attributes as trust, economic cost, type of service and any other defined by the user? Shall them be taken into account when selecting an appropriate peer to interact with? How can we assist the user in selecting the network with the least interaction distance, and is this invisible to the user? There are other works that focus on network services, providing security and service continuation for wireless communications [3], and [4], but do not take into account the network selection problem. MDS data analysis techniques have been used for several problems with good results. [5] shows how MDS can be used to determine the distance among elements of sensor networks that takes O(n3 ) time to find a solution. A mechanism based in MDS is described in [6] to classify music, browse it and generate playlists. Limited devices, specially personal devices, are very rich in context information. They can hold information on user location, and user personal information like the agenda, or the contacts list. This work presents a solution for assisting users to select the best network according to their preferences. From the point of view of applications using the network, the selection process is part of the access control protecting the resource network access. In this paper we are focusing on network access as the resource to be protected: we want to ensure that applications use the most appropriate network available at each moment. We will introduce the context information available for personal devices into the access control. For the selection process, we will take into account valuable context information including location, trust, and cost, process it according to the user preferences, and take the decision or alternatively present the context information to the user in a comprehensive way using MDS.



3 3.1

3

PREVIOUS WORK

Previous Work Pervasive Trust Manager

The Pervasive Trust Manager (PTM) allows to manage ad-hoc relationships with other peers in a secure way (see [7]). PTM approach uses Public Key Infrastructure (PKI) while the device is in a connected environment, with access to its corresponding Certificate Authority (CA). When the device enters in disconnected state, with no access to the trust roots, PTM allows for a much more decentralized trust management. In such open, dynamic environments, the model enables personal devices, potentially belonging to different trust domains, to act as autonomous peers, to protect their own resources, and to securely communicate among them. In PTM, trust in an entity is represented by a number: 0 represents distrust, and 1 absolute trust. Trust in unknown entities is usually initialized to 0.5, representing ignorance about the entity. PTM benefits from the common knowledge in the environment. Such knowledge is obtained from close peers, which recommend other peers known to them. This information is exchanged using the Pervasive Recommendation Protocol (PRP). Devices can derive their initial opinion about third peers from received recommendations. Such opinions are calculated taking into account both recommendation data and the trust data about the recommenders. Users can be grouped in fuzzy sets according to the trust degree on the user, ranging from highly trusted to distrusted users. PTM maintains certificates and trust data about third peers. Both trust and distrust information is stored for trust modelling. After the formation of an initial opinion, PTM supports the notion of trust being dynamic, taking into account the behaviour of entities to vary the trust data, and therefore the opinion. A generic action monitor is defined to protect from general attacks like DoS, while other misbehaviours can be identified by the application designer specifying action patterns to be tracked. Some parts of PTM have been implemented in Java, but PTM is based on OpenSSL, and so it can be used both in Linux and in Windows (including windows mobile) through a set of native libraries and JNI interfaces.

3.2

Multidimensional Scaling

Multidimensional Scaling [8], MDS, is a set of techniques widely used in behavioral, psychologic and econometric sciences to analyze similarities of



3

PREVIOUS WORK

entities. From a pairwise dissimilarities matrix, usually m-dimensional Euclidean distances [5], MDS can be used to represent the data relations faithfully providing a geometrical representation of these relations. MDS is used to reduce the dimensionality of a problem to a small value. MDS can consider not only Euclidean distances but also any other evaluation of the dissimilarities of the entities. Dissimilarities can be classified according to whether the data is qualitative or quantitative. The dissimilarities from attributes of data can be weighted (weighted MDS), thus, assigning a different weight to each attribute allows to obtain more particular results depending on the problem. So, a complex m-dimensional problem can be simplified preserving the essential information using MDS. There exists a multitude of variants of MDS with slightly different cost functions and optimization algorithms. The first MDS for metric data was developed in the 1930s and later generalized for analyzing nonmetric data [9]. In classical scaling the proximities are treated as distances, however, any (di)similarity can be derived from data attributes in order to obtain a metric, but it is necessary to hold the properties of non-degeneracy (diagonal elements should be zero, di,i = 0) and triangular inequality that states that di,j + di,k ≥ dj,k for every i, j, k. The distance between two points i and j in a m-dimensional Euclidean space is defined as follows:

di,j

m X 1 = [ (xi,a − xj,a )2 ] 2

(1)

a=1

For Euclidean distances, distances di,j are related to the observed proximities pi,j by an appropriate transformation di,j = f (pi,j ), depending on the measurement characteristics. A linear transformation, di,j = a + bpi,j , can be assumed for unique distances with b < 0 for similarities and b > 0 for dissimilarities. If the solution is derived using least-squares, a linear transformation of proximities I(P ) can be defined as I(P ) = D + E, with D the distances matrix (that is a function of the coordinates) and E the residual error. The solution obtained is the X such the sum of squares of E is minimized. The double centered matrix of scalar products, B, can be defined as B = XX T where X is the coordinate matrix. The value of B is: 1 1 1 B = − [I − iiT ]D 2 [I − iiT ] 2 n n . 5 Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx

(2)


3

PREVIOUS WORK

where n is the number entities, I an n × n identity matrix and i a unity vector of length n. Decomposing the matrix B into its singular values, 1 B = V AV T , the coordinate matrix X can be calculated as X = V A 2 . To reduce the complexity of a m-dimensional problem, we can choose l < m eigenvalues and eigenvectors. Taking only the largest l eigenvalues and eigenvectors the problem is simplified to a l-dimensional problem. However, in case of ordinal data, another procedure has to be followed than the use of singular value decomposition since we want to recover the order of the proximities and not the proximities or a linear transformation of the proximities. A solution to this problem was given by Shepard [10] and refined by Kruskal [11]. These solution iteratively minimize a fit measure called Stress by an iterative algorithm, which is suitable for processing. We have used an algorithm called ALSCAL [12], which uses alternate least-squares, combined with weighted (di)similarities, for simulation and implementation. ALSCAL finds a local minimum and can be used for both metric and nonmetric analysis. Furthermore, the ALSCAL algorithm can also deal with spare proximity matrixes so it is suitable for simplify problems in the absence of some data.

3.3

DNS-based service discovery in ad hoc networks

DNS Service Discovery (DNS-SD) [13] provides support for service discovery over DNS, without making any change to the DNS protocol. With DNSSD, devices can obtain a list of servers offering a given service type as a response to a DNS query. At the time of writing this paper, this proposal is in Internet Draft state. DNS-SD works over DNS, so it may use the classical centralized architecture, based on a hierarchy of servers, or any of the DNS modifications for name resolution in infrastructureless networks, Multicast DNS or LLMNR, with a fully distributed architecture. Both proposals start from the DNS protocol but do out with the centralized architecture, replacing it by a fully distributed approach in which all the devices in the network have their own DNS server, and all DNS queries are multicast. Both Multicast DNS and LLMNR keep the DNS message format, syntax and resource record format, although Multicast DNS introduces some changes in the way some of the fields of the DNS message are used (specifically, the use of the answer section in the queries). Multicast DNS [14], as DNS-SD, is fruit of a joint initiative of the Zeroconf and DNSEXT groups of the IETF, with Apple Computer as the prime



3

PREVIOUS WORK

mover. Multicast DNS defines a new top-level domain, .local.. All the names under this domain have meaning only in the local network in which they have been defined. There is no naming authority in charge of managing this domain, but any user or software may create their own names with the .local. suffix, provided that they don’t clash with names chosen by other users in the same local network. When the resolution of a name with .local. suffix is requested, the Multicast DNS protocol must be used. All devices in the network must have a “Multicast DNS client” that issues multicast resolution queries, and a “Multicast DNS server” that resolves these queries. Servers send multicast answer messages, so all devices in the network receive all of them, and this way they keep their caches updated. Linklocal Multicast Name Resolution (LLMNR) [15] is an initiative from the DNSEXT group of the IETF, with Microsoft as the prime mover. Its way of approaching the problem of name resolution in ad hoc networks is much more conservative than Multicast DNS, with no modification in the use DNS message fields, and without defining any new domain name for the local scope LLMNR clients transmit their queries using multicast, and wait for answer messages to arrive. Servers which have one or more authoritative resource records that match the query, reply using unicast. Information from the caches cannot be included in the replies. Regarding the use of these protocols together with DNS-SD to support service discovery, the main differences between both proposals are the following • Multicast answers: in LLMNR, servers answer using unicast, while in Multicast DNS they answer using multicast. • Resource records caches: LLMNR recommends using TTL values of zero for ad hoc environments; therefore, no resource records are cached. Multicast DNS recommends using a TTL value of 120 seconds, and caches are used to improve the operation of the protocol. • “Goodbye” message: The goodbye message is defined in Multicast DNS. LLMNR does not define an equivalent message. Since a TTL value of zero is recommended in LLMNR for ad hoc networks, no resource records will be stored in caches, and so no false or stale entries are possible. In [16], some improvements to these protocols when used in ad-hoc neworks are presented. These improvements reduce the traffic generated, especially of the most limited, battery powered, devices. 7 . Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx

The original publication is available 4 PERVASIVE INTERACTION MANAGER at http://www.springerlink.com

4

Pervasive Interaction Manager

The Pervasive Interaction Manager (PervsIM) is the solution we propose to address the aforementioned problems. PervsIM is composed by four modules: the domain definition module, the collaborative domain marking module, the policy manager and decision engine. The prototype is described through this section. A brief description of some concepts may help the reader to understand better what is addressed in this section. Devices are grouped together in domains. The closest set of devices that surround us is considered the current domain. Devices within a domain are divided in static devices, called anchors and moveable devices called peers.

4.1

Domain Definition Module

This module is in charge of determining the current environment and grouping devices together in domains. The major constraint of interaction is the physical distance [2] since the energy of signals decays with the square of its value. So, the nearest set of devices define the current domain. The module uses the mentioned relative localization and neighbor information to define a domain. Given a domain, the static wireless devices within that domain, for instance, network access points, printers, and screens can be uniquely defined by their MAC address or some cryptographical identifier, and considered as anchors or reference points. The anchors of a domain help the mobile device to recognize the domain as known. For every element of the domain, the module finds out the attributes that will be used to compute the interaction distance. The attributes represent context information (quantitative, ordinal or category membership information) that depend on the user preferences (see section 4.4). The type and number of attributes are user-defined, but at least, two should be considered: physical distance and trust value. Besides, other attributes like service information from discovery protocols [17], required credentials, or economic cost, can be considered. In section 4.4 we will demonstrate how extensible, lightweight can be considered our decision engine. The extensibility and the ability to work in the absence of some data are the major goals of the algorithm. Thus, is not necessary to find a common data model to describe any connection or peer, been possible to add service discovery information and others, and to select a peer to interact with depending on the its network parameters as 8 . Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx


QoS or just by the services it offers, Figure 1 shows the idea, the number of attributes may vary from one peer to another. Our module can describe any peer using different service discovery protocols, as DNS based discovery or Pervasive Discovery Protocol (see section 3.3 and [17]).

Figure 1: Domain module Physical distance is derived using received signal strength measures. The module takes values for the received signal strength from each network access point or anchor. Once out of bound anchors are deprecated, the signal strength is scaled by a factor, that depends on the network interface technology, in order to provide a normalized value within 0 and 1. Furthermore, localization techniques using signal strength provide good privacy and are inexpensive: radio hardware is used not only to establish communications, but also to determine the relative position. The accuracy of signal strength localization techniques is limited and decrease even more in indoor environments [18] [19], however, network interfaces are enough to uniquely determine the current domain by using unique identifiers and to determine if the mobile node is approaching or moving away from that domain. The trust value for each element of the domain is handled by PTM (section 3.1), for ad-hoc elements, and by the collaborative domain marking module (section 4.2) for anchor elements. Obviously, the domain borders are rough, but combining all the attributes, a useful measure of interaction distance can be derived and used 9 . Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx


to take decisions (section 4.4). Finally, the aforementioned attributes are stored as XML elements. These elements contains, at least, the necessary information to identify that domain (anchors) and a time-to-live value.

4.2

Collaborative Domain Marking Module

The aim of this module is to automatically give marks to domain anchors, instead of asking the user for that information, other peers are asked for opinion. User preferences determine which anchors and attributes are used by devices to define domains. Different attributes may appear at different peers, and they should be ignored when peers exchange information. In general, several attributes can be exchanged among peers to compute a mark. Currently information exchange is restricted to trust values, but the model can be extended. The process is simple, trust values are exchanged securely among peers, and scaled by a factor that depends on the trust value assigned by PTM to the recommender peer. The peer i uses the received information from peer k to compute a value, βi,j , which is the trust value that peer i has for an anchor j. The peer i quantify its trust to another peer k with a value among 0 and 1, αi,k , and it only accepts recommendations from peers with a trust value higher than αmin . The trust value βi,j increment for the nth recommendation is calculated using the following expression: ∆βi,j =

αmin (βk,j − βi,j )αi,k ∀ (αmin < αi,k ) n log n ∆βi,j = 0 ∀ (αmin > αi,k )

(3) (4)

The marking module uses a scale factor that permits an initial fast increment of the trust value for an anchor, avoiding collaborative attacks since its value decreases with the number of recommendations. This scale factor can be customized by the user. Fig. 2 shows the evolution of the trust value min for an anchor using a scale factor of nαlog n. As can be seen in Fig. 2, the results are conditioned to the value of αmin . This is a very conservative approach like used in reputation systems, which tend to protect against malicious recommendations. The higher the value of αmin is, the higher trust value can be reached but the less recommendations are taken into account (αi,k should be grater that αmin ). Besides this model, others have been considered. A less conservative approach will be using αi,k n log n , so that recommendations coming from high trusted recommenders influence more our final trust value. 10 . Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx


Figure 2: Anchor trust value evolution. Recommended value 1.0 This mechanism allows to automatically derive a trust value for new environments that helps the mobile device to identify trusted or distrusted environments and behave in consequence as depicted in section 4.3.

4.3

Policy Manager Module

Limited devices host resources subject of protection, in this way, we use a policy manager to make access decisions based on policies. Access control policies allow defining a dynamic and semi-automatic mechanism of protection, in order to adapt our applications to the context and to minimize the user intervention. A generic access control system has been previously defined in [20]. In this work, we include a specific application for controlling the access to the network interfaces. Such system is based on the XACML standard [21] to define the policies and the exchange of information. XACML defines an architecture for access control in web systems comprising PCs and servers. It is a flexible approach which allows to specify different policies and rules which can be later evaluated by the Policy Decision Point (PDP) to permit or deny access to resources. Requests to resources should be trapped by the Policy Enforcement Point (PEP), to avoid malicious entities from bypassing the access control. The collaboration among PEP and PDP ensures the access control is performed. Regarding the PEP there are two main approaches: either the PEP is included in the applica11 . Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx


tions, or the applications access the PEP via an API to ensure correct access control. Nevertheless, non-cooperating applications or even malicious like virus, trojan horses, and the like, could circumvent the PEP and access the resources directly. One possible solution we propose here is to implement the PEP at the operating system (kernel) level, making unauthorized access more difficult to such kind of applications. Besides, it ensures that the applications shipped by the manufacturer also comply with the access control. We benefit of the flexibility of XACML, extending the attributes to include trust data, and external context information. So, the decisions are made based on the trust assigned to other peers and available context information such as location, user preferences, or even cost.

4.4

Decision Engine Module

Humans usually try to simplify problems when deciding among multiple choices. Multidimensional scaling techniques (section 3.2) are used in this module to find an ordered sequence of peers (including access points) to interact with, depending on the user preferences. The problem of deciding which is the best network or peer in complex environments is addressed by using techniques that allows the mobile device to simplify problems as humans do. Thus, a simple measure of what can be called interaction distance is derived for every peer using all the available information. Consider an environment with many anchors and peers (elements). (Di) Similarities between pairs of elements can be derived as follows: |ui,α − uj,α| f or quantitative data max(uα ) − min(uα ) |rank(ui,α ) − rank(uj,α )| f or ordinal data δi,j,α = max(rank(uα )) − 1 0 : ui,α = uj,α ={ f or category membership data 1 : otherwise δi,j,α =

δi,j,α

(5) (6) (7)

where ui,α is the αth attribute value of the peer i. We consider data of different nature: quantitative data is used, to describe trust relations (section 3.1) and distances [5]; ordinal data for QoS classes, and to distinguish among different services; membership data help to classify elements, for example, ad-hoc peer or infrastructure network access point. Once the (di)similarities are calculated they are weighted with the user preferences in order to obtain an unique weighted (di)similarities matrix. 12 . Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx


Ideal(1)

2

3

4

5

6

Trust

1.0000

0.9429

0.8430

0.9573

0.8344

0.0206

Distance

0

0.5259

0.5048

0.4633

0.5270

0.4757

Cost

0

0.2054

0.2738

0.8636

0.8931

0.8461

7

8

9

10

11

Trust

0.0464

0.0075

0.0597

0.0191

0.0935

Distance

0.5635

0.2540

0.2587

0.2509

0.2670

Cost

0.8513

0.8424

0.8416

0.0

0.0

Table 1: Attribute values in a possible decision scenario

These weighted (di)similarities are defined for a set of n objets with q attributes as follows:

δi,j = (

Pq

α=1 P q

λ wi,j,α wα δi,j,α

α=1 wi,j,α wα

1

)λ

(8)

where wi,j,α takes value 0 if objects i and j can not be compared on the αth attribute and 1 otherwise, wα is the weight given by the user to attribute α and δi,j,α is the (di)similarity between objects i and j on the αth attribute. Although the model can include any other context relevant information, Table 1 shows a possible scenario for a user that measure the interaction distance in terms of trust (a value between 0 and 1), distance (derived from received signal strength) and economic cost. The first element represents the ideal element that will be used to measure the interaction distance: it has a trust value of 1, is very close to the device (distance 0) and interactions are free. Using the MDS ALSCAL algorithm, solving for one dimension and setting λ = 2 to handle attributes as distances, it is possible to derive a value for the interaction distance between the ideal element and the others, and also classify the elements. In the example above, we consider three different policies characterized by different weight vectors: 1. Weights vector {T rust, Distance, Cost} = {0.8, 0.1, 0.1} (Fig. 3). The decision engine provides an ordered list of elements that meet this . 13 Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx


criteria and the distance to the ideal element 1. In Fig.3 there is a pair of representations of this decision for one and two dimensions. The axis of the figure do not represent any criteria, the figure just represent how closer elements are from each others. The result of this decision is {1, 4, 2, 5, 3, 11, 9, 7, 6, 10, 8}. Examining the results it can be seen that peers can be divided in two groups, the peers of the first group {4, 2, 5, 3}, since are close to the ideal element 1, are eligible. The others, are grouped together far from the ideal element, so are not eligible peers.

Figure 3: Access point (anchor) selection favoring trust (0.8) 2. Weights vector {T rust, Distance, Cost} = {0.1, 0.8, 0.1} (Fig. 4). The result, {1, 10, 11, 8, 9, 6, 4, 3, 2, 5, 7}, shows that the distance between the ideal element 1 and the closest group {10, 11, 8, 9} is very high. The mobile device may decide not to interact.

Figure 4: Access point (anchor) selection favoring distance



3. Weights vector {T rust, Distance, Cost} = {0.1, 0.1, 0.8} (Fig. 5). The best elements are {10, 11} which could be, for example, free access points. The second closer group of peers {2, 3} are near enough to be considered as an option but the rest are very far to be considered.

Figure 5: Access point (anchor) selection favoring cost Weights vectors for the example have been exaggerated for a better understanding. In general, other more reasonable criteria can be easily considered. Table 2, shows a set of attributes considering category membership data. Besides the quantitative attributes, this example contains category membership data as: • Open authentication: 0 for no authentication (network is open) and 1 for authentication (link layer based authentication). • Supported mobility: 0 for static position or for very little movements, 1 for technologies that allows to walk, 2 for technologies that supports movement at car speed, and 3 for full mobility (limited only by doppler) • Emergency call: allows to know whether is possible to perform an emergency call using that network or not, 1 implies “yes”. • Roaming facility: the network supports roaming. Cellular technologies always allows roaming and some WiFi providers also. • Home/Work : In this case, among the discovered networks within the domain there are two that can be used for work. The company of the user pays for a GPRS link to read mail and discontinued traffic and also 15 . Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx


Ideal(1)

2

3

4

5

6

Trust

1

0,026

0,589

1

1

1

Distance

0

0,5259

0,5048

0,4633

0,5270

0,8461

Cost (kByte)

0

NaN

NaN

0,004878

NaN

0,004878

Cost (s)

0

0

0,01197

NaN

0

NaN

Open authentication

x

1

1

0

0

0

Link speed

x

11000

6000

40

11000

130

Supported mobility

x

1

1

3

1

3

Emergency call

x

0

0

1

0

1

Roaming facility

1

0

1

1

1

1

Home/Work

x

0

0

2

1

0

Network type

x

802.11b

802.11b

GPRS

802.11b

EDGE

7

8

9

10

11

Trust

1

0,874

1

0,191

0,843

Distance

0,5635

0,2540

0,2587

0,2509

0,2670

Cost (kByte)

0,001953

NaN

0,004878

NaN

NaN

Cost (s)

NaN

0

NaN

0

0,01197

Open authentication

0

0

0

1

0

Link speed (kbps)

320

54000

700

54000

54000

Supported mobility

3

0

3

0

0

Emergency call

1

0

1

0

0

Roaming facility

1

0

1

0

0

Home/Work

1

0

2

0

0

Network type

UMTS

802.11g

HSDPA

802.11g

802.11g

Table 2: Decision scenario including category membership data

. 16 Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx


for a high speed HSDPA network for more constrained applications. This variable can take three different values: 2 (network provided by the company), 1 (networks paid by the user), and 0 (others). The value NaN or not a number is a IEEE arithmetic representation for Not-a-Number. The x value present in some of the attributes of the Ideal element indicate that are variable. For this example we consider four decision scenarios: 1. The user is driving to the office, at the same time he is uploading important files to the company server. Let us assume that the data is important for the company and that it should be treated as confidential. The decision engine selects as ideal link speed 20kbps, according to the running applications, since the domain is recognized as the car, the decision engine selects complete mobility (3). The Home/Work value is set as 2 (work). The weights vector is zero for everything but trust (0.2), cost per kByte (0.1), mobility (0.2), roaming (0.2) and Home/Work (0.3). Table 3 shows the distances (absolute value) from the ideal element to the others. The item selected is number 4. Moreover, other closer peers are 7 and 9. Since work networks are always trusted it may be a good idea to increment Home/Work weight and reduce trust weight to ensure that only a work network is selected. 2. The user is waiting for a flight at the airport and he/she wants to surf the web for entertainment. The ideal peer is set to mobility 0, cost 0, link speed to 1000 and open authentication 1 (unspecified values are set to NaN). The weight vector is set to zero for all values but cost (0.5), open authentication (0.2) and link speed (0.3). The peer selected is 2, and other near pears are 8 and 5 (see Table 3). 3. See a movie at home. In this scenario, the ideal peer is set to mobility 0, cost 0, link speed 11000 and Home/Work to 1. The rest are set to NaN. The weight vector is {cost,link speed,home/work} = {0.4,0.4,0.2} and the nearest peers are (from the closest): 5, 2 and 3. 4. In an emergency situation, once the user pushes the “panic button” or make a call to 112 (911), the Ideal peer is the nearest one able to perform an emergency call, the rest can remain unspecified. For that reason the weight vector focused in the nearest one (0.1 for distance) able to perform an emergency call (0.9). As can be seen in Table 3, the first four peers to connect to are: 9, 4, 7 and 6. 17 . Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx


scenario 1

scenario 2

scenario3

scenario 4

2

2,3415

0,4556

0,0764

2,0011

3

1,3818

2,1693

0,1270

2,0011

4

0,0021

2,3358

1,3261

0,0064

5

0,1107

0,7785

0,0424

2,0011

6

0,9542

2,3175

0,3057

0,0101

7

0,0043

1,7562

1,2219

0,0075

8

2,1010

0,5638

1,4205

2,0044

9

0,0058

2,1197

1,2357

0,0038

10

2,3709

0,4624

1,4089

2,0043

11

2,0986

2,2660

1,4499

2,0045

Table 3: Distances from ideal element

As explained in section 4.1, this second example shows how the algorithm works with the absence of data (NaN), been possible to add any other information as the provided by service discovery protocols. The simulations we have performed show that the model suits the data. ALSCAL minimize a parameter called S-STRESS that is used to stop the iterations when its value goes below a minimum. The average of S-STRESS obtained in the simulations (varying the number of elements from 2 to 60) is 0.2728. While stopping the iterations for this S-STRESS value is not enough for other data analysis problems that need more accuracy, it is enough for the network selection problem and less resources are consumed. Moreover, the quadratic correlation between the (di)similarities and the distances (RSQ), is a parameter that gives and idea of the goodness of the fit, 1 for a perfect fit and 0 for the worst fit. The model provided values for RSQ between 1 and 0.8. The complexity of the algorithm is O(n2.65 ) where n is the number of elements. Fig. 6 shows the results of performance simulation where the resolution used is 1s = 3.579.545, 00. Though S-STRESS and RSQ give reasonable values, other iterative algorithms will be tested in future versions. 18 . Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx


5 IMPLEMENTATION DETAILS

Figure 6: Performance counter value vs. number of elements

5

Implementation Details

To validate our design, we have developed a prototype for Windows Mobile operating system. Windows Mobile, a Microsoft operating system, derives from Windows CE. Windows CE is a full featured operating system that gives support to a huge amount of devices, servers and network protocols. In the other hand, Windows Mobile is intended to be a cost-effective operating system, so it supports only a subset of the features that Windows CE provides. Microsoft provides a tool, known as Platform Builder, that allows hardware vendors to customize Windows CE for their particular devices: PDAs, smartphones, routers. . . Though Windows Mobile is a profile of customization for Windows CE, of which particular implementations might differ from one manufacturer to other, almost a basic set of features is guaranteed. Thus, targeting Windows Mobile devices we are covering a huge amount of devices. This fact will help us to disseminate our solution and obtain feedback from users to improve our model covering real needs. The aforementioned architecture implementation should provide with the following: 1) a API to allow interactions with cross-layer applications, and the necessary operating system components to provide surveillance mechanisms for legacy applications; 2) a simple interface for user input that allows policy and preferences edition, log viewing, and identities man-




agement; 3) a environment definition module that describes environments in terms of the information provided by the specific hardware of the device, but using a general syntaxis that allows to share that information. 4) A decision engine. The implementation have been developed in C++ under Windows Mobile. To gather information about anchors we have used the results of the Herecast project [22], a set of libraries that interact with the Network Device Interface System (NDIS), present in every Windows based operating system, that provides localization-based WiFi services. By using NDIS we are able to gather information about surrounding devices based in 802.11x and legacy network technology. Besides, to obtain access to the radio/cellular information, we have developed a wrapper for Radio Interface Layer (RIL). RIL, see Figure 7, is described in United States Patent 6826762. In this way we control every network interface, cellular or not and even the SIM/USIM card. We are currently testing mobile devices from different manufacturers since driver implementation vary from one manufacturer to another. Thus, no representative tests results can be provided in this paper apart from the algorithm efficiency (see figure 6).

Figure 7: Radio Interface Layer (from MSDN website) To avoid any application to circumvent the enforcement points, we have embedded in the operating system. Thus, we have implemented two Policy Enforcement Points (PEP) for handling legacy applications interactions. One of the PEPs controls the network traffic: the Network PEP (NPEP) through NDIS and RIL. The other controls the use that secure protocols, as SSL or TLS, make of the available credentials: the Secure PEP (SPEP). 20 . Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx



When either an outgoing or an incoming connection takes place it is detected by the NPEP. The NPEP analyzes the destination, origin and protocol. Then, the NPEP provides that information to the Policy Decision Point (PDP).

Figure 8: Policy module The NPEP is a NDIS intermediate driver that is placed on the top of the NDIS miniport drivers but behind the NDISUIO driver and is also a RIL wrapper. The PEP have bindings to all the network interface drivers below it so it can sniff the incoming and outgoing traffic and provide this information to the PDP. Thus, the PDP can allow or deny a particular interaction depending on the domain even for legacy applications. The PDP besides being invoked at application request, can also be triggered and take decisions on context changes. To select among the different network interfaces the PDP uses the NDISUIO driver [23] that is a connection-less, NDIS 5.1 compliant protocol driver. Using this intermediate driver, the PDP module can establish and tear-down bindings to network adapters. Furthermore, NDISUIO allows the PDP to set packet filters, sending and receiving data, and handling plug-and-play events. NDISUIO can directly open an NDIS miniport driver (i.e. network card driver) to send requests, set, and query information. Thus, depending on the domain, some network interactions can be allowed or not, i.e. if the mobile device is in a distrusted domain the policy 21 . Find other publications, references and citing information at both publisher’s site and Pervasive Computing site http://pervasive.gast.it.uc3m.es/publications.aspx


REFERENCES

module can either tear-down all the bindings, to deny connections, or set filters for some protocols for incoming and outgoing traffic. The PDP uses an XACML engine. XACML defines a complex set of elements that might not fit in a mobile device. Therefore, we have extended and modified Sun’s XACML implementation [24] in order to fit in a mobile device with a reasonable resource consumption.

6

Conclusions and future work

The solution depicted in this paper provides mechanisms that allow a mobile device to take decisions based in the environment. The decisions are driven by policies that consider both user preferences and environment information. We have focused on attributes as trust and distance but we have shown also that many others can be considered. We have demonstrated also how multidimensional scaling algorithms, that helps to think as humans, are useful to simplify decision problems with a complexity of O(n2.65 ). Other algorithms that minimize different cost functions than ALSCAL will be tested to improve performance. We are now facing the validation phase of the work. Our next step is to test the solution in different environments to measure the load and the resource consumption. We are planning also to move the solution to Symbian mobile phones.

References [1] Weiser, M.: The computer for the 21st century. Scientific American (1991) 94–104 [2] Satyanarayanan, M.: Pervasive computing: Vision and challenges. IEEE Personal Communications 8 (2001) 10–17 [3] Dutta, A., Zhang, T., Madhani, S., Taniuchi, K., Fujimoto, K., Katsube, Y., Ohba, Y., Schulzrinne, H.: Secure universal mobility for wireless internet. In: WMASH’04: 2nd ACM international workshop on Wireless Mobile Applications And Services On WLAN Hotspots. (2004) 71–80



REFERENCES

[4] Chaouchi, H., Pujolle, G., Armuelles, I., Siebert, M., Bader, F., Ganchev, I., ODroma, M., Houssos, N.: Policy based networking in the integration effort of 4G networks and services. In: VTC’04-Spring: Proceedings of IEEE Semiannual Vehicular Technology Conference, Milan, Italy (2004) [5] Shang, Y., Ruml, W., Zhang, Y., Fromherz, M.P.J.: Localization from mere connectivity. In: MobiHoc’03: Proceedings of the 4th ACM international symposium on Mobile ad hoc networking & computing, New York, NY, USA, ACM Press (2003) 201–212 [6] Platt, J.C.: Fast embedding of sparse music similarity. In: Advances in Neural Information Processing Systems vol. 16. (2004) [7] Almenarez, F., Diaz, D., Marin, A.: Secure ad-hoc mbusiness: Enhancing windows ce security. In: TrustBus’04: First International Conference Trust and Privacy in digital business, Springer-Verlag LNCS 3184 (2004) [8] Borg, I., Groenen, P.: Modern Multidimensional Scaling, Theory and Applications. Springer-Verlag, New York, NY, USA (1997) [9] Deun, K.V., Delbeke, L.: Multidimensional scaling (2000) University of Leuven, Belgium, www.mathpsyc.uni-bonn.de. [10] Shepard, R.N.: The analysis of proximities: multidimensional scaling with unknown distance function part i. In: Psychometrika 27. (1962) [11] Kruskal, J.B.: Multidimensional scaling by optimizing goodness of fit to a nonmetric hypothesis. In: Psychometrika 29. (1964) [12] Takane, Y., Young, F.W., de Leeuw, J.: Nonmetric individual differences multidimensional scaling: an alternating least squares method with optimal scaling features. In: Psychometrika 42. (1977) [13] Cheshire, S., Krochmal, M.: DNS-Based Service Discovery. InternetDraft (work in progress) (2005) [14] Cheshire, S., Krochmal, M.: Performing DNS queries via IP Multicast. Internet-Draft (work in progress) (2005) [15] Esibov, L., Adoba, B., Thaler, D.: Linklocal Multicast Name Resolution (LLMNR). Internet-Draft (work in progress) (2005)



REFERENCES

[16] Campo, C., Garc´ıa-Rubio, C.: DNS-based service discovery in ad hoc networks: evaluation and improvements. In: PWC’06: 11th IFIP International Conference on Personal Wireless Communications, SpringerVerlag LNCS 4217 (2006) [17] Campo, C., Garc´ıa-Rubio, C., Mar´ın, A., F.Almenárez: PDP: A lightweight discovery protocol for local-scope interactions in wireless ad hoc networks. Computer Networks Journal. Elsevier (2006) 3264–3283 Pending to be published. [18] Elnahraway, E., Li, X., Martin, R.P.: The limits of localization using rss. In: SenSys ’04: Proceedings of the 2nd international conference on Embedded networked sensor systems, New York, NY, USA, ACM Press (2004) 283–284 [19] Elnahraway, E., Li, X., Martin, R.P.: The limits of localization using signal strength: a comparative study. In: SECON’04: IEEE International Conference on Sensor and Ad Hoc Communications and Networks. (2004) 406–414 [20] Almen´ arez, F., Mar´ın, A., Campo, C., Garc´ıa, C.: TrustAC: Trustbased access control for pervasive devices. In: SPC’05: 2nd International Conference Security in Pervasive Computing. (2005) [21] OASIS: eXtensible Access Control Markup Language (2005) http://www.oasis-open.org/apps/org/workgroup/xacml/. [22] Paciga, M.: An open infrastructure for location-based services using wifi (2005) http://www.herecast.com. [23] Microsoft: NDIS User Mode I/O (NDISUIO). Version dependencies (2005) http://www.ndis.com/pcakb/KB01010301.htm. [24] Proctor, S.: Sun’s XACML implementation. version 2.0 (2006) http://sunxacml.sourceforge.net/.
