Ad Hoc Grid Resource Management: Grid Securityacmbulletin.fiit.stuba.sk/abstracts/kavecky2016.pdfknown traditional grid infrastructures are Globus Toolkit [13], Gridbus Middleware

Ad Hoc Grid Resource Management: Grid Security

Slavomír Kavecký∗

Faculty of Management Science and InformaticsUniversity of Žilina

Univerzitná 8215/1, 010 26 Žilina, [email protected]

AbstractThe purpose of security in ad hoc grid environments is tosupport secure execution of tasks on shared resources andto protect the resources from malicious user actions. Themechanisms of authentication and authorization commonlyused in traditional grid environments are not sufficient tocover all security requirements arising from the decentral-ized nature of the ad hoc grid. The concept of trust man-agement is capable to solve the security issues by incor-porating trust into the process of decision making. Thequality of made decisions is dependent on a correct as-sessment and representation of trustworthiness assignedto the potentially collaborating parties. In most cases thevalue of trustworthiness is derived at least from directtrust and recommendations, but other factors as risk, un-certainty, context dependant information and attributescharacterizing the task and the shared resource should beincluded in the derived value as well. This paper presentsan overview of the trust evaluation process and provides aspecification of parameters relevant for an accurate trustevaluation.

Categories and Subject DescriptorsC.1.4 [Parallel Architectures]: Distributed architec-tures—traditional grid infrastructure, ad hoc grid infras-tructure; K.6.4 [System Management]: Centralization/decentralization—job scheduling ; D.2.0 [General]: Pro-tection mechanisms—trust aware grid security and jobscheduling

KeywordsTraditional grid, ad hoc grid, trust management, trustaware grid security, trust aware job scheduling

1. IntroductionRecently, large data processing and high-performance com-puting has become more available for the public. Grid[9],

∗Recommended by thesis supervisor: doc. Ing. PenkaMartincova, PhD.Defended at Faculty of Management Science and Infor-matics, University of Zilina in Zilina on XX XX, 2016.

c© Copyright 2016. All rights reserved. Permission to make digitalor hard copies of part or all of this work for personal or classroom useis granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies show this notice onthe first page or initial screen of a display along with the full citation.Copyrights for components of this work owned by others than ACMmust be honored. Abstracting with credit is permitted. To copy other-wise, to republish, to post on servers, to redistribute to lists, or to useany component of this work in other works requires prior specific per-mission and/or a fee. Permissions may be requested from STU Press,Vazovova 5, 811 07 Bratislava, Slovakia.

which is one of the leading technologies enabling thesecapabilities, is characterized by heterogeneity and geo-graphical dispersion of its nodes serving as resources forjob execution or as access points into the grid environ-ment. According to the OGSA (Open Grid Services Ar-chitecture)[10] the following capabilities should be typicalfor any grid middleware: user tasks execution manage-ment, data manipulation management, shared resourcesallocation and management, secure job execution and re-source sharing, information provision of executed tasksand shared resources, and finally support for the grid con-figuration.

As stated above, job scheduling and secure execution ofjobs are core services enabling provision of the main gridcapabilities – sharing and utilization of available dispersedresources. The traditional grid infrastructures (the mostknown traditional grid infrastructures are Globus Toolkit[13], Gridbus Middleware [12] and UNICORE [25]) imple-ment scheduling and security in accordance to their cen-tralized nature. In the ad hoc grids (the most known adhoc grid infrastructures are OurGrid [3, 24] and MoGrid[11]), which are well known for structural independenceand decentralized architecture, scheduling and securityare managed by participating nodes without dependingon any external infrastructure for assistance.

The aim of the paper is to present a brief description oftrust management and trust evaluation, as well as a de-tailed classification and specification of parameters thatcan be used for an accurate evaluation of trustworthinessassigned to a grid entity. The reminder of the paper is or-ganized as follows: Section 2 provides a brief introductionto the trust management and trust evaluation; Section3 surveys the state of the art in traditional and ad hocgrid security provision; Section 4 describes the processof job scheduling performed in ad hoc grid environment;Section 5 provides classification of parameters needed fortrust evaluation, describes relations between the param-eters and proposes a procedure inferring the parametersinto a final trust value; The verification of the proposedtrust management integration into the ad hoc grid infras-tructure is described in section 6; Section 7 describes thefuture work in the field; and finally, section 8 concludesthe paper.

2. Trust and Trust ManagementThe notion of trust is used with variety of meanings andwithout any unified definition. However, in the literatureare used two common definitions with well understooddistinction between them. The reliability trust [15, 16]is defined as follows: Trust is a subjective probability by

2 Kavecky, S.: Ad Hoc Grid Resource Management: Grid Security

which an individual, A, expects that another individual,B, performs a given action on which its welfare depends.The decision trust [15, 16] is defined as follows: Trustis an extent to which one party is willing to depend onsomething or somebody in a given situation with a feelingof relative security, even though negative consequences arepossible.

The reliability trust enables to make decisions whether ornot to start a collaboration only on the basis of the col-laborator’s reliability estimation. On the other hand, thedecision trust defines context as a part of the trust valueand binds the estimation of the collaborator’s reliabilitywith a risk that arises from the uncertain outcome of thecollaboration. Therefore, the decision trust seems to be abetter choice for the purpose of trust modelling.

Trust between two entities is a bidirectional relationshipand can be seen from multiple points of view. Humanstend to collaborate only with trusted individuals. Gen-erally speaking, the success and survival of an entity isdependent on the willingness of other entities to collabo-rate. There are many genetically determined or culturallyacquired strategies helping the people to appear reliableand trustworthy. The easiest and probably most usedstrategy for gaining trust is simply to behave in a trust-worthy and reliable manner. However, the attempt togive a false impression of trustworthiness for the purposeof a personal gain is not uncommon. Therefore, it is im-portant not only to represent own trustworthiness, butalso determine correctly the trustworthiness of the targetentities.

Trust management [16] is defined as follows: The ac-tivity of creating systems and methods that allow relyingparties to make assessments and decisions regarding thedependability of potential transactions involving risk, andthat also allow the players and system administrators toincrease and correctly represent the reliability of them-selves and their systems.

The parties in a computer mediated communication andcollaboration need methodologies enabling them to assessproperly the trustworthiness of remote parties, as wellas to be recognized as trustworthy by the remote par-ties. This need arises due to the fact that the computernetworks move the collaboration participants away froma direct style of interaction. They can collaborate withpeople they have never met and that they might nevermeet in person. Therefore, the traditional methods oftrustworthiness assessment and representation used in aphysical world can no longer be used. Simply expressed,the application of methodologies that enable such trustedcollaborations in online environments can be called trustmanagement [16].

Trust is a directional relationship between a trustor anda trustee, whereby the trustor is a thinking entity makingdecisions whether or not to start collaboration with thetrustee on the basis of the trustee’s trustworthiness. Ina grid the trust between the grid user and the resourceprovider is a mutual bidirectional relationship, becausethe user and the provider must be trustworthy to eachother, otherwise the collaboration is not possible.

The mutual trust relationship can be described by thetrust classes[15] as follows:

• Provision trust describes the user’s trust in a ser-vice or in a resource provider. The user trusts theprovider to provide services that implement the ad-vertised functionality and do not harm the user’sresources. The provision trust ensures the reliabil-ity of the provider and is related to the integrity ofthe user’s data stored in and/or obtained from theprovided resources.

• Access trust describes the provider’s trust in theuser intending to access to the offered resource, i.e.the provider trusts the user to use the resource inan agreed manner. This relates to the access controlparadigm which is a central element in a computersecurity.

• Delegation trust describes the trust in an agent,who acts and makes decisions on behalf of the re-lying party. The delegation trust can be seen as aspecial case of the provision trust, because the re-lying party trusts the delegate not to misuse thedelegated rights.

• Identity trust describes the belief that the claimedidentity of an entity is true.

• Context trust describes the extent to which thetrusting party believes that the distributed systemcontains mechanisms necessary to support the trans-action in a case something goes wrong.

3. Traditional and Ad Hoc Grid SecurityThe purpose of any grid security infrastructure is to pro-tect shared resource from malicious actions of users anduser’s data from unauthorized access. The common secu-rity mechanisms utilized for the protection purposes arethe processes of authentication and authorization. How-ever, the security in the traditional and ad hoc grid infras-tructures is implemented in a different manner in regardto the architectural aspects of both grid technologies. Thesubsections 3.1 - 3.3 explain this issue in more details.

3.1 Traditional Grid Security MechanismsThe first traditional grid infrastructures were used by asmall group of users with unnamed trust relationshipsamong them. When the community of users grew bigger,the need for secure access to resources, secure communi-cation and data manipulation has become an importantissue. The grid developers proposed and implementedseveral authentication and authorization infrastructuresas a solution to this problem. The following subsectionscontain a brief survey of the most widely known and/orused infrastructures.

Authentication infrastructures. The process of authen-tication checks whether or not the identity of an entityis right. Probably the most known authentication infras-tructure is the Public Key Infrastructure (PKI)[26],which is based on the concept of public key cryptogra-phy. The trust in a user’s identity is established througha trusted third party, thus a pre-established trust rela-tionship between the third party, grid users and resourceproviders is assumed. The trusted mediator is called Cer-tificate Authority and is responsible for allocating theuser’s home domain identity into the grid identity andfor issuing certificates with the allocated identity. The

Information Sciences and Technologies Bulletin of the ACM Slovakia 3

issued certificates are used by the users as a means to au-thenticate to the resources shared in the grid community.

Kerberos[20] is another security infrastructure used forauthentication of user’s identity and is also based on pre-established trust relationships. The role of the trustedmediator is performed by the authentication server. Thetrust in the user’s identity is mediated with session keysissued by the Authentication Server acting as the trustedthird party. For the purpose of accessing the availableservices the Kerberos infrastructure uses special accesstokens that carry the information about the identity ofan entity and the groups to which the entity belongs.

Athens[4] is an authentication infrastructure developedto control access to a wide range of shared resources.Users have an account for each resource they wish toaccess and these accounts are managed centrally by theAccount Server. An agent enforcing access control is in-stalled in every site sharing resources. The user provideshis user name and password in order to be granted theaccess to the requested resource. This step is repeatedevery time the user wants to access an available resource.

Authorization infrastructures. With the growth of gridpopularity the enforcement of access control based only onuser’s identity become insufficient and more fine-grainedaccess control was necessary. The process of authorizationis used to determine who is allowed to use shared resourcesand under what conditions, whereby the user’s identity(and other user’s attributes) is considered before the finaldecision whether or not to allow the access to a particularresource is made. Grid-Map Files (GMFs) [14] is thefirst access control infrastructure based not only on user’sidentity. The main idea behind GMFs is the usage ofaccess control lists. A list pairing distinguished namesof authenticated grid users and local user accounts, towhich these names are mapped, is stored on each sharedresource. It is then left to the resource operating systemand application access control mechanism to enforce theaccess to the resource.

Virtual Organization Membership Service (VOMS)[2] mediates trust between users and resource providersthrough a trusted third party - VOMS server. All infor-mation about a user is managed on the VO level by theVO administrator centrally. The VOMS server providesthe user with attributes needed to access a shared resourcein the form of attribute certificate. The user presents hisattribute certificate issued and signed by VOMS serverto a resource in order to access it. The resource checksthe validity of the certificate and the attributes it con-tains. Subsequently, local resource access policies are ap-plied and the user is granted or refused the access to theresource.

Another example of an authorization infrastructure is Priv-ilEdge and Role Management Infrastructure Stan-dard (PERMIS)[6]. In order to access a resource pro-tected by the PERMIS infrastructure the user needs topresent a role based attribute certificate. The attributecertificate is issued by a source of authority and con-tains the user’s role and attributes. PERMIS enablesdistributed role management, whereby certificates can bestored locally on the sites that allocated them. Before adecision whether or not to allow an access to a resource

is made, the resource checks the user’s certificate, role as-signed to the user, and whether the certificate was issuedby a trusted source of authority. Then the user is grantedor refused the access to a requested resource.

The Akenti[1] infrastructure defines a special type oftrusted entities called stakeholders. The stakeholders aretrusted to issue use-condition certificates, which place con-ditions on certificates the user has to obtain in order togain access to a resource. Every stakeholder can defineuse-condition certificates independently from other stake-holders. Hence, one resource can be protected by moreaccess control requirements.

3.2 Ad Hoc Grid Security MechanismsGenerally, the grid security protects shared resources againstmalicious actions of users and other entities that coulddamage the resources or corrupt the integrity of datastored and processed on the resources. However, in manysituations the users of the ad hoc grid have to be pro-tected from those who offer the resources, so the issue isalso vice-versa[15]. The security mechanisms described inthe section 3.1 are unable to provide this type of protec-tion.

Authentication and authorization, which are referred toas hard security mechanisms, do not allow any occur-rence of risk or uncertainty (the user either is authen-ticated and authorized to access a shared resource or isnot), but collaborations in an open environment are nec-essarily coupled with potential dangers that necessitatereasoning about risk and uncertainty. Trust was recog-nized as an important aspect of decision making in manydistributed systems and is used as a mechanism for man-aging the dangers and learning from past interactions inorder to reduce the risk exposure. For example, trust andreputation systems support decision making on the Inter-net provided services, which are based on a trust derivedfrom ratings assigned to a certain provider by customersafter completion of a transaction. Other parties can usethe trust and reputation derived from the aggregated rat-ings to decide whether or not to run a transaction withthe rated party in the future. Trust management, whichis referred to as a soft security, represents the shift fromattempting to provide absolute protection against poten-tial dangers to accepting dangers as an intrinsic part ofany global computing[8, 15].

3.3 Traditional and Ad Hoc Grid Security Compari-son

The traditional grid applications are hindered by the lackof security assurance from remote sites providing comput-ing resources or other services. Trust models implementedin the grid environments support the user authenticationand the single sign-on operations. However, the exist-ing mechanisms are still inadequate to access local secu-rity conditions at sites participating in the grid commu-nity[22]. The situation in the ad hoc grid environmentsis similar. Grid nodes must assert the trustworthiness ofa remote node according to the past experiences with theparticular node and other considerable factors before thedecision about the collaboration can be met.

In the traditional grid security infrastructures the identitytrust, access trust and delegation trust are implementedas the processes of authentication, authorization and del-


Characteristic Grid type

Traditional Ad hoc

Goal of grid security Protection of shared resources anduser’s data from unauthorized access.

Protection of provided resources frommalicious actions of users and protec-tion of users from those providing theresources.

Prerequisites for provision of securityservices

Authentication of user’s identity, se-cure communication and data trans-fer based on various cryptographytechnologies.

Authentication of collaborating en-tity’s identity, secure communicationand data transfer based on variouscryptography technologies.

Provision of security services Provision of security services is basedon authentication and authorizationmechanisms.

Provision of security is based on trustmanagement.

Type of trust relationship Implicit and unnamed trust relation-ships among grid community partici-pants mediated through trusted thirdparty.

Explicit trust relationship among adhoc grid entities managed by each en-tity independently.

Supported trust classes Identity trust as process of authen-tication, access trust as process ofauthorization and delegation trust assingle sign-on operations.

Mutual trust relationship betweentwo grid entities based on trust sup-porting all defined trust classes.

Table 1: Comparison of the traditional and ad hoc grid security characteristics

egation of rights among the grid sites. Explicit imple-mentations of the provision trust and context trust aremissing. The proper behaviour of the resource providerand the user is guaranteed only by the third party actingas a trusted mediator. However, the trusted third partyhas no real mechanisms to ensure such behaviour.

In the traditional grid infrastructures trust is coupled withthe establishment of the grid environment and is under-stood as an implicit part of the collaborations. On theother hand, in the ad hoc grids there are no implicit trustrelationships among grid nodes. In the future the trustmanagement mechanism could become responsible for theexecution of collaborations in a presence of mutual trust.

The traditional and ad hoc grid security share a coupleof similar features, e.g. the process of authentication isa prerequisite for other provided security services. How-ever, the traditional and ad hoc grid security also differin various characteristic features in regard to the grid ar-chitecture and the security needs of grid community par-ticipants. The most significant security characteristics ofthe both grid technologies are listed in the Table 3.3.

4. Trust Aware Ad Hoc Grid SchedulingThe purpose of the trust management in the ad hoc gridenvironment is to guarantee the quality of services pro-vided by the grid nodes and the quality of user’s be-haviour. The integration of trust into the ad hoc gridinfrastructure is coupled inseparably with the schedulingof jobs on the provided resources. However, there aresome differences between the ad hoc and the traditionalgrid scheduling when the trust management is involved.

In order to integrate trust management into the ad hocscheduling process, the steps executed during the resourcediscovery, system selection and job execution must per-form the following additional tasks: (i) definition of min-imal trustworthiness needed to begin the collaboration

between the user and the resource provider, (ii) deter-mining the current trustworthiness of the involved nodes,(iii) and update of trustworthiness after the job comple-tion.

It is evident that these tasks impose new requirements onthe ad hoc grid architecture. The architecture depictedin the Fig. 1 introduces the trust manager module as asolution to meet the imposed requirements.

During the phase of resource selection the user defines thejob and the requirements needed for the job to run. Toselect a trustworthy resource, the user defines the securitydemand[23, 22], which is taken as a constraint during thesystem selection step. The security demand is determinedeither directly by the user as one of the job requirements,or by the trust manager according to the parameters pro-vided by the user.

The resources that passed the authorization and minimalrequirements filtering are assigned a trust index [23, 22]determined by the trust manager on the basis of staticand dynamic information about the resources, job defini-tion parameters and other factors managed by the trustmanager as depicted in Fig. 2. The trust index is a combi-nation of more parameters, but what parameters and howexactly they are used for the trust index evaluation de-pends on the used trust model. The minimal componentsof the calculated value are the direct trust and the recom-mendations. However, other factors as risk, uncertaintyand context dependant information should be included inthe trust index as well. It is important to note that thescheduler uses the security demand and the trust indexesobtained from the trust manager only to exclude the un-trustworthy resources. The schedule optimization itself isnot affected and still corresponds only to the quality ofservices demanded by the user.

The resource provider demands a certain level of trust-


Figure 1: Trust manager integration into the ad hoc grid infrastructure from the requester’s point ofview

Figure 2: Trust manager architecture from the requester’s point of view


worthiness as well as the user. Therefore, after the exclu-sion of untrustworthy resources the scheduler requests themost optimal and trusted resource to consent to the fu-ture collaboration. The decision whether or not to acceptthe collaboration is based on the resource’s security de-mand and the trust index assigned to the requesting node.Both values are obtained from the resource’s trust man-ager on basis of job parameters included in the request,recommendations, previous experiences, uncertainty, riskand other factors. The decision on the collaboration isresponded back to the scheduler. In case of negative re-sponse the scheduler sends the request for consent to nextmost optimal resource until an affirmative answer is re-ceived.

The job scheduled with the help of the trust manager isforwarded to a module responsible for job submission andexecution. After the job completion the result of the ex-ecution is transferred to the requester node. The trustupdate is the final step involving the trust manager mod-ule on the requester node as well as the resource node.The update is performed according to a positive or a neg-ative experience resulting from the job execution and isnecessary for correct representation of trust in the collab-orating parties.

5. Trust Aware Ad Hoc Grid SecurityThe collaborations in the grid environment are executedby two types of entities: user and resource provider. Userand resource provider require protection against maliciousbehaviour that can take form of user’s program contain-ing malicious code capable to compromise the resourceprovider’s node or it can take a form of a malicious re-source node capable to harm the user’s job running onthe provided resource [18].

The security infrastructure incorporating trust should bebased on a trust model that is capable to support or en-hance the functional aspects of the grid infrastructure.The model should be also capable to process evidence ofthe previous collaborations and to transform it togetherwith other relevant parameters into a trust value that ispart of the security decisions for both the user and theresource provider protection.

5.1 Parameters ClassificationThe user and the resource provider have different require-ments for the grid security infrastructure. The user isinterested in competence of the shared resources to reli-ably execute the user’s code and to protect his data fromunauthorized access or modification. Similarly, the re-source provider wants to collaborate only with reliableand authenticated users not compromising the shared re-source or the integrity of unauthorized data.

Each participant of a collaboration in the grid environ-ment has his own set of expectations for the quality andperformance of the collaboration and is satisfied with theexecuted collaboration only if the required expectationswere met. Trust in this context can be used to express theconfidence of the relying entity that a collaborating partywill meet the desired expectations. The expectations forthe quality of collaboration placed by the users and re-source providers are mapped to system parameters andcapabilities that can be abstracted into three groups oftrust components (as depicted in Fig.3): (i) behaviouralparameters, (ii) system attributes (iii) and descriptive

Trust valuecomponents

Behaviouralparameters

System pa-rameters

Descriptiveparameters

Risk

Uncertainty

Figure 3: Trust value components

attributes.

Behavioural parameters (e.g. accessibility, availabil-ity, competence and reliability) describe the behaviour ofcollaborating entities and are used to create history ofdata obtained from past interactions. By analysing thehistory of the collected data using statistical methods to-gether with the entity’s personalized notion of normal oranomalous behaviour it is possible to predict the outcomeof future collaborations.

System parameters (e.g. authentication and autho-rization mechanism, utilized security mechanisms, main-tenance of data integrity, etc.) describe the technicalparameters and capabilities of the provider’s shared re-sources and the user’s node serving as access point intothe grid community. The system attributes are character-ized by a slow change over time. Over a period of time theattribute values do not change gradually, but the changeis made suddenly and is noticeably large.

In contrast with behavioural and system attributes thedescriptive parameters (e.g. benefit and loss associ-ated with a particular collaboration, amount of observedbehavioural parameters, time passed since last collabora-tion, etc.) do not describe the trusting disposition of therelying entity in the collaborating party, but they indicatethe level of security assurance required by the relying en-tity. In a particular collaboration context the securityassurance corresponds to the minimal trustworthiness ofthe collaborating party required by the relying entity.

5.2 Determining Trust From ParametersAs already stated, the incorporation of trust managementinto the grid infrastructure should support the fundamen-tal functional aspects of the grid as resource allocationand execution of tasks. The scheduling of tasks is re-sponsible for finding an appropriate resource node meet-ing the required security assurance expressed as a securitydemand. Similarly, the resource node declares its own se-curity demand that must be fulfilled by the user in orderto process his request by the resource node.

The security demand is dependant on the risk and un-certainty (as depicted in Fig.4) perceived by the relyingparty in the context of a particular collaboration. In arisky situation the relying party requires a high level ofsecurity assurance provided by the collaborating party inorder to start a collaboration. Of course, the required se-curity assurance is lower in case of a less risky situation.The uncertainty influences the security assurance in a sim-ilar manner. The higher the level of uncertainty is the lesscertain about a collaboration execution the relying party


becomes. Therefore, the required level of security assur-ance increases as well.

The more important a flawless collaboration the more se-vere the damage will become in case of failure. The like-lihood of failure occurrence and the cost incurred to therelying party is referred to as the risk. Risk and trust arerelated in the sense that there is no need for a trustingdecision unless there is a risk involved. There exist twoalternative relations between trust and risk: risk deter-mining level of trust and trust determining level of risk.The first relation can be described as follows: in a partic-ular situation or a particular action with a certain levelof risk a principal should be trustworthy in order to beallowed to enter the situation or carry out the action,i.e. the level of risk determines the minimal level of re-quired trustworthiness. The latter relation is describedas follows: in a particular situation or a particular actioninvolving a principal with a certain level of trustworthi-ness the risk should be low enough in order to allow theprincipal to enter the situation or carry out the action,i.e. the level or trustworthiness determines the maximallevel of acceptable risk. The letter view seems more ap-propriate for the risk evaluation if the costs and benefitsof the entered situation are quantifiable [8].

The measurable parameters used for inferring the valueof risk as depicted in Fig.4 are [16, 8, 17]:

• Cost of a collaboration represents the price (e.g.charges for using a shared resources) a relying partyhas to pay, if the transaction with a collaboratingparty will be launched. Typically, the relying entityis not willing to invest a large amount of funds inthe collaboration unless the security assurance ofthe collaborating party is high. Therefore, the riskperceived by the relying party increases with thegrowing amount of investments.

• Benefit is the estimated gain (e.g. result of a dataprocession) obtained by the relying party after asuccessful execution of a collaboration. The greaterthe profit the more the relying party is motivatedto launch a collaboration. Therefore, the risk per-ceived by the relying party decreases with the grow-ing profit estimation.

• Loss describes the amount of funds the relying en-tity will lose in case of failure. The loss is not equalonly to the paid cost, but also includes the estimatedbenefit, lost investment of time, importance of infor-mation or data obtained through collaboration, etc.Typically, the relying party is not willing to launch acollaboration coupled with a high loss unless the se-curity assurance of the collaborating party is high.Therefore, the risk perceived by the relying partyincreases with the growing loss rate.

• Necessity of a collaboration execution describes asituation, in which the relying party needs to launcha collaboration in order to avoid certain or highlyprobably losses, even though negative consequencesare possible. A high necessity of a collaboration low-ers the required level of security assurance providedby the collaborating party. Hence, the risk perceivedby the relying party decreases with the growing rateof a collaboration necessity.

Uncertainty refers to a situation where the relying partycannot be fully sure about the accuracy of the decision.For example, a situation can occur where two completelyunknown entities have to collaborate, but they have nei-ther the experiences with each other, nor recommenda-tions from other entities are available. A similar situationcan also occur if only a part of the information is availableand other decision factors are missing. The lack of infor-mation must not necessarily result in a change of trust inthe trusted entity, but it can change the certainty aboutthe final decision. However, if the certainty is changedsignificantly, the level of trust is changed as well [8].

The measurable parameters used for inferring the valueof uncertainty as depicted in Fig.4 are:

• Count of observations refers to the amount ofdata describing the behaviour of collaborating par-ties obtained from past interactions. With the grow-ing rate of collaborations the knowledge about thebehaviour of collaborating parties becomes more ac-curate. Therefore, the relying party can be morecertain about the decisions based on this knowledge.

• Time passed since the last collaboration de-termines certainty of the relaying party about itsdecisions. The certainty will be low, if the last in-teraction with a collaborating entity took place along time ago or no collaboration was performed atall. On the other hand, if the last collaboration tookplace only recently, then the certainty will be high.

Trust index, which specifies the trustworthiness of a col-laborating party, is dependant on direct trust and recom-mendations (as depicted in Fig.5). Recommendationsare obtained from other entities of the grid environmentand correspond to the reputation of the recommendedentity. Reputation can be described as everything that isgenerally said or believed about the entity’s character orstanding. If the relying party is aware of the collaboratingentity’s reputation it can base its trust on that reputation,i.e. the collaborating entity is trusted because of its goodreputation. Similarly, the entity becomes distrusted incase of its bad reputation.

Direct trust represents the private knowledge the rely-ing party has about the collaborating entity and is formedfrom previous interactions, current context of the collabo-ration and attributes characterizing the collaborating en-tity. The direct trust and recommendations have differenteffect on the inferred trust index. The private knowledgeof the relying entity in form of direct trust is capable tooverrule the reputation of the collaborating entity, i.e. incase of high direct trust the collaborating entity is trusteddespite its bad reputation and similarly, in case of lowdirect trust the entity is distrusted despite its good repu-tation. The capability of the direct trust to overrule therecommendations is dependant on the weights assigned tothese two parameters.

As depicted in Fig.5, the parameters used for inferringdirect trust are:

• Basic trust represents the degree to which the re-lying party is willing to trust a collaborating en-tity. Before collaboration with an unknown entity


Figure 4: Security demand inferred from trust components

the relying party assigns to that entity an initialbasic trust, which characterizes the entity as half-trusted and half-untrusted. After each collaborationthe value of basic trust is updated with new valuethat is equal to the recalculated value of trust in-dex. Basic trust also changes over time. The moretime passed since the last collaboration, the morethe value of basic trust approaches its initial value.

• Aggregated attributes represent the characteris-tics of collaborating entity relevant for trust eval-uation. The attributes are aggregated into a sin-gle value corresponding to the quality of system re-sources offered by the entity and to the quality ofentity’s behaviour experienced over multiple collab-orations.

• Uncertainty represents the amount of available in-formation needed by the relying party to make anaccurate decision on whether or not to launch a col-laboration with a particular entity. Uncertainty af-fects the inferred value not directly. It only deter-mines which parameter has greater influence on theinferred value (basic trust has higher influence incase of low uncertainty and aggregated attributesaffect the inferred value more in case of high uncer-tainty).

The aggregated attributes (as depicted in Fig.5) areinferred from system and behavioural attributes. Uncer-tainty represents a weighting factor determining the rel-ative importance of the considered attributes. The im-pact of system attributes is higher than the impact ofbehavioural attributes in case of high uncertainty and thebehavioural attributes affect the inferred value more sig-nificantly in case of low uncertainty.

Concrete value of aggregated attributes can be inferredfrom the following system attributes (as depicted in Fig.5):

• Identity describes the quality of mechanisms usedby grid entities to authenticate grid users and re-source providers involved in collaborations mediatedthrough the grid environment.

• Privacy corresponds to the capability of resourceentity to allow access only to those system resourcesand data, which the authenticated user is permittedto use.

• Security corresponds to the general ability of re-source entity to protect itself from harm that canbe caused by jobs executing malicious code, malwareprograms or exchange of data over communicationnetworks.

• Data integrity describes the ability of user’s nodeand resource entity to prevent alteration of exchangedmessages and data that can be avoided by protec-tion of communication networks and by encryptionof exchanged messages.

According the models dealing with behaviour trust [21,19, 7] the behaviour of entity can be described with thefollowing attributes (as depicted in Fig.5):

• Accessibility describes the capability of resourceentity to respond to user’s request for informationretrieval about the state of the resource, the state ofrunning user’s job or for provision of other offeredservices.


Figure 5: Trust index inferred from trust components


• Availability corresponds to the readiness of the re-source to execute user’s job, store data or provideother services offered by the resource provider.

• Competence from user’s point of view correspondsto the readiness and willingness of resource node toprovide all agreed system resources specified by theuser and are part of the agreement between the userand the resource provider. From provider’s point ofview the competence describes the user’s willingnessto use only the agreed system resources and to usethe provided resources only for the agreed amountof time.

• Reliability from user’s point of view corresponds tothe correct functioning of provided resource node orother services offered by the provider over a periodof time. From provider’s point of view the reliabil-ity describes proper execution of the user’s programwithout compromising the provided resource nodeor altering unauthorized data.

6. Experimental ResultsThe verification of the proposed model for trust value cal-culation and the trust management integration was car-ried out by a computer simulation. The simulation wasperformed using the GridSim simulation toolkit[5]. Themodel of the ad hoc grid infrastructure executed by thesimulation toolkit consists of ten user entities and tenresource provider entities. The modelled entities are as-signed several system capabilities and forms of behaviour.The assigned capabilities and forms of behaviour are usedfor trust value calculation according to the model de-scribed in the section 5. The model also allows to schedulethe user tasks according to the trust aware scheduling de-scribed in the section 4.

6.1 Experiment 1 – Ad Hoc Grid Without Trust Man-agement

The first experiment was carried out by the simulationtoolkit according to the modelled ad hoc grid infrastruc-ture without incorporation of the trust management. Thevalues measured during the simulation represent referencevalues describing the capabilities and qualities of the mod-elled infrastructure. The values were used for comparisonto values measured during other experiments.

During the experiment 1000 simulation runs were exe-cuted. The count of all tasks, successful tasks and failedtasks are given as an arithmetic mean calculated fromthe values measured in each simulation run. The table2 shows the count of all tasks executed during the firstexperiment, as well as the count of successful and failedtasks. The table also shows the percentage of the exe-cuted tasks. The count of all tasks is 5833.10, count ofsuccessful task is 4880.36 (83.67% of all executed tasks)and count of failed tasks is 952.74 (16.33% of all executedtasks).

6.2 Experiment 2 – Ad Hoc Grid With Trust Man-agement

During the experiment 1000 simulation runs were exe-cuted. The count of all tasks, successful tasks and failedtasks are given as an arithmetic mean calculated fromthe values measured in each simulation run. The secondexperiment was carried out by the simulation toolkit ac-cording to the modelled ad hoc grid infrastructure with

the incorporation of trust management. The table 3 showsthe count of all tasks executed during the second experi-ment, as well as the count of successful and failed tasks.The table also shows the percentage of the executed tasks.The count of all tasks is 5829.20, count of successful taskis 5292.12 (90.79% of all executed tasks) and count offailed tasks is 537.09 (9.21% of all executed tasks).

6.3 Evaluation ResultsThe verification of the modelled ad hoc grid infrastruc-ture is evaluated according to the following quantitativemetrics: (i) competence (ii) and reliability. The com-petence corresponds to the capability of the modelled adhoc grid infrastructure to support execution of user tasks.The competence is measured as count of all tasks executedduring the simulation. The reliability corresponds to thecapability of the modelled ad hoc grid infrastructure tosupport secure execution of user tasks. The reliabilityis measured as count of failed tasks observed during thesimulation.

The figure 6 shows that there is almost no difference in thecount of all tasks executed during the first and second ex-periment. The integration of trust management into thead hoc grid infrastructure has no negative effects on theinfrastructure competence to execute user tasks. On theother hand, the integration of trust into the ad hoc gridinfrastructure affects the capability of the infrastructureto support secure execution of user taks in a considerablemanner. The figure 6 shows that the proposed incorpo-ration of trust management results in reduced count offailed tasks and improves the reliability of the ad hocgrid infrastructure. The percentage of improvement inthe modelled ad hoc grid reliability is equal to 43.62%.

7. Future workThe requirements for the grid security can be mappedto various system, behavioural and descriptive attributesspecifying the capability of a collaborating entity to exe-cute activities in a secure manner. The task for the futureresearch is to propose adjustments in the attribute weightsresulting in reliability improvement of the proposed trustmanagement integration.

The participants of the grid community usually have dif-ferent requirements for the grid security. The diversity ofthe requirements necessitates the ability of the collaborat-ing participants to define what system and/or behaviouralattributes of interest should be included in the evaluatedtrust value. The participants should be able to assignweights to the evaluated attributes in order to specify thedesired impact of the attributes on the evaluated trustvalue. The task for the future research is to design amechanism giving the grid community participants abil-ity to specify the evaluated attributes and their weightsin an easy and understandable manner.

The infrastructure should also provide a well-defined ap-plication interface enabling an easy integration of trustmanagement (i.e. trust evaluation, trust update and trustbased decision making) into the current ad hoc grid solu-tions.

8. ConclusionThe decentralized structure and control independent na-ture of the ad hoc grid necessitates to manage the security


Task type Measured values

Count of executed tasks Percentage of the executed tasks [in %]

All executed tasks 5833.10 100,00Successful tasks 4880.36 83.67Failed tasks 952.74 16.33

Table 2: Count of tasks executed without trust management integration into the modelled ad hoc gridinfrastructure

Task type Measured values

Count of executed tasks Percentage of the executed tasks [in %]

All executed tasks 5829.20 100,00Successful tasks 5292.12 90.79Failed tasks 537.09 9.21

Table 3: Count of tasks executed with trust management integration into the modelled ad hoc gridinfrastructure

Figure 6: Comparison of tasks executed with and without trust management integration into the modelledad hoc grid infrastructure.


in the absence of a central controller and the responsibil-ity for the protection against malicious collaborators isleft to the grid nodes. The issue of security provisionin the ad hoc grid environment can be addressed withthe integration of trust management into the schedulingprocess. However, the integration of trust managementresults in changes in the scheduling process and also ne-cessitates enhancements in the ad hoc grid architecture.The paper presents an ad hoc grid architecture integrat-ing trust manager module taking over tasks as trustwor-thiness assessment of collaborating nodes and update oftrustworthiness after a job completion.

The procedure of trust evaluation is a complex processincluding procession of various trust components and re-lations among these components. The paper describes indetail these relations and their impact on the inferred val-ues produced by the trust management inference system.The values are deduced from parameters describing themost significant system attributes and behavioural traitsof evaluated grid entities.

The verification of the proposed trust management inte-gration into the ad hoc grid infrastructure was carried outby a computer simulation proving the correctness of theproposed trust management integration. The paper alsodescribes areas for future research dealing with refinementof the proposed solution and ease implementation of theproposed solution in the existing ad hoc grid infrastruc-tures.

References[1] Akenti. [Online; http://dst.lbl.gov/ACSSoftware/Akenti/].[2] R. Alfieri, R. Cecchini, V. Ciaschini, L. dell’Agnello, A. Gianoli,

F. Spataro, F. Bonnassieux, P. J. Broadfoot, G. Lowe, L. Cornwall,J. Jensen, D. P. Kelsey, k. Frohner, D. L. Groep, W. S. de Cerff,M. Steenbakkers, G. Venekamp, D. Kouril, A. McNab,O. Mulmo, M. Silander, J. Hahkala, and K. LÃurentey. Managingdynamic user communities in a grid of autonomous resources.CoRR, cs.DC/0306004, 2003.

[3] N. Andrade, L. Costa, G. GermÃsglio, and W. Cirne. Peer-to-peergrid computing with the ourgrid community. In 23rd BrazilianSymposium on Computer Networks (SBRC 2005) - 4th SpecialTools Session, 2005.

[4] Athens. [Online; http://www.openathens.net/].[5] R. Buyya and A. Sulistio. Service and utility oriented distributed

computing systems: Challenges and opportunities for modelingand simulation communities. In Simulation Symposium, 2008.ANSS 2008. 41st Annual, pages 68–81, April 2008.

[6] D. W. Chadwick, A. Otenko, and E. Ball. Role-based accesscontrol with x.509 attribute certificates. IEEE Internet Computing,7(2):62–69, Mar. 2003.

[7] I. Dionysiou and H. Gjermundrod. sguts: Simplified grid usertrust service for site selection. In The Seventh InternationalConference on Internet Monitoring and Protection, 2012, pages40–46, May 2012.

[8] C. English, S. Terzis, and W. Wagealla. Engineering trust basedcollaborations in a global computing environment. In TrustManagement, volume 2995 of Lecture Notes in ComputerScience, pages 120–134, 2004.

[9] I. Foster, C. Kesselman, and S. Tuecke. The anatomy of the grid:Enabling scalable virtual organizations. Int. J. High Perform.Comput. Appl., 15(3):200–222, Aug. 2001.

[10] I. Foster, H. Kishimoto, A. Savva, D. Berry, A. Djaoui,A. Grimshaw, B. Horn, F. Maciel, F. Siebenlist, R. Subramaniam,J. Treadwell, and J. Von Reich. The open grid servicesarchitecture, version 1.5, July 2006.

[11] A. Gomes, A. Ziviani, L. Lima, and M. Endler. Performanceevaluation of a discovery and scheduling protocol for multihop adhoc mobile grids. Journal of the Brazilian Computer Society,

15(4):15–29, 2009.[12] Gridbus. [Online; http://www.cloudbus.org/].[13] Globus toolkit. [Online; http://www.globus.org/toolkit/].[14] W. Jie, J. Arshad, R. Sinnott, P. Townend, and Z. Lei. A review of

grid authentication and authorization technologies and support forfederated access control. ACM Computing Surveys,43(2):12:1–12:26, Feb. 2011.

[15] A. Jøsang, R. Ismail, and C. Boyd. A survey of trust andreputation systems for online service provision. Decision SupportSystems, 43(2):618–644, mar 2007.

[16] A. Jøsang, C. Keser, and T. Dimitrakos. Can we manage trust? InTrust Management, volume 3477 of Lecture Notes in ComputerScience, pages 93–107. Springer Berlin Heidelberg, 2005.

[17] A. Jøsang and S. L. Presti. Analysing the relationship betweenrisk and trust. In Trust Management, volume 2995 of LectureNotes in Computer Science, pages 135–145. Springer BerlinHeidelberg, 2004.

[18] C. Lin, V. Varadharajan, Y. Wang, and V. Pruthi. Enhancing gridsecurity with trust management. In Proceedings of the 2004 IEEEInternational Conference on Services Computing, 2004., pages303–310, Sept 2004.

[19] P. Manuel, S. Thamarai Selvi, and M.-E. Barr. Trust managementsystem for grid and cloud resources. In First InternationalConference onAdvanced Computing, 2009., pages 176–181, Dec2009.

[20] B. C. Neuman and T. Ts’o. Kerberos: An authentication servicefor computer networks. IEEE Communications Magazine,32(9):33–38, Sept. 1994.

[21] E. Papalilo and B. Freisleben. Managing behaviour trust in gridcomputing environments. Journal of Information Assurance andSecurity, 3:27–37, March 2008.

[22] S. Song, K. Hwang, and Y.-K. Kwok. Trusted grid computingwith security binding and trust integration. Journal of GridComputing, 3(1-2):53–73, 2005.

[23] S. Song, K. Hwang, and M. Macwan. Fuzzy trust integration forsecurity enforcement in grid computing. In Network and ParallelComputing, volume 3222 of Lecture Notes in Computer Science,pages 9–21. Springer Berlin Heidelberg, 2004.

[24] P. G. S. Tiburcio and M. A. Spohn. Ad hoc grid: An adaptive andself-organizing peer-to-peer computing grid. In IEEE 10thInternational Conference on Computer and InformationTechnology (CIT), pages 225–232. IEEE Computer Society, 2010.

[25] Uniform interface to computing resources. [Online;http://www.unicore.eu/].

[26] J. Weise. Public key infrastructure overview, 2001. [Online;http://highsecu.free.fr/db/outils_de_securite/cryptographie/pki/publickey.pdf].

Selected Papers by the AuthorS. Kavecký. Trust based grid security and security models.

International journal on information technologies and security,ISSN 1313-8251, 4(3): 81–91, 2012.

S. Kavecký. Ad hoc grid trust management architecture. Internationaljournal on information technologies and security, ISSN1313-8251, 5(3): 21–30, 2013.

S. Kavecký. Grid security and trust management overview. IJCSIInternational journal of computer science issues, ISSN1694-0784, 10(3): 225–233, 2013.

S. Kavecký, P. Martincová. Overview of trust models integrating trustmanagement into grid computing. International journal ofcomputer applications", ISSN 0975-8887, ISBN973-93-80889-96-8, 129(7): 1–6, 2015.

S. Kavecký, P. Martincová. Specification of parameters relevant fortrust evaluation in an adhoc grid environment. Internationaljournal of computer applications", ISSN 0975-8887, ISBN973-93-80889-96-8, 132(11): 1–8, 2015.

S. Kavecký, P. Martincová. A survey on trust aware security andscheduling in traditional and ad hoc grids. International journalof computer applications", ISSN 0975-8887, ISBN973-93-80889-96-8, 133(12): 1–13, 2016.

Documents

Ad Hoc Grid Resource Management: Grid Securityacmbulletin.fiit.stuba.sk/abstracts/kavecky2016.pdfknown traditional grid infrastructures are Globus Toolkit [13], Gridbus Middleware