Flow-based reputation: more than just ranking

Antonino Simone, Boris Škorić, Nicola Zannone
Eindhoven University of Technology

Abstract

The last years have seen a growing interest in collaborative systems like electronic marketplaces and P2P file sharing systems where people are intended to interact with other people. Those systems, however, are subject to security and operational risks because of their open and distributed nature. Reputation systems provide a mechanism to reduce such risks by building trust relationships among entities and identifying malicious entities. A popular reputation model is the so called flow-based model. Most existing reputation systems based on such a model provide only a ranking, without absolute reputation values; this makes it difficult to determine whether entities are actually trustworthy or untrustworthy. In addition, those systems ignore a significant part of the available information; as a consequence, reputation values may not be accurate. In this paper, we present a flow-based reputation metric that gives absolute values instead of merely a ranking. Our metric makes use of all the available information. We study, both analytically and numerically, the properties of the proposed metric and the effect of attacks on reputation values.

1 Introduction

The advent of the Internet has brought new business opportunities and favored the development of collaborative environments. In particular, the Internet provides the basis for the development of electronic communities where strangers interact with each other and possibly do business. However, these interactions involve risks. For instance, in an eCommerce setting, buyers are vulnerable to risks due to potential incomplete or misleading information provided by sellers [34]. Similarly, sellers are subject to the risk that the counterparty in a transaction will be unable to honor its financial obligations. To mitigate those risks, there is the need of a decision support system that is able to determine the trustworthiness of collaborative parties.

Reputation systems are widely considered as ‘the solution’ to assess trust relationships among users and to identify and isolate malicious users [28]. Reputation systems are currently adopted in commercial online applications such as P2P file sharing [8], web search [9], electronic marketplaces [3, 15], and expert systems [2, 16]. Reputation is a collective measure of trustworthiness based on aggregated feedback related to past experiences of users. The basic idea is to let users rate each other and to aggregate ratings about a given user to derive a reputation value. This value is then used to assist other users in deciding whether to interact with that user in the future [21]. In the last years, a number of reputation systems have been proposed to aggregate ratings and calculate reputation values; each system is based on a particular theoretical foundation (see [18, 21] for a survey).

The quality of a reputation system is determined by how accurately the computed reputation predicts the future performance of entities [18]. This, however, is difficult to achieve because some users can attempt to manipulate their reputation and the reputation of others for their own benefit. Most existing reputation systems lack the ability to discriminate honest ratings from dishonest ones. Therefore, such systems are vulnerable to malicious users who provide unfair ratings [34].

The issue of discriminating honest from dishonest ratings is usually addressed by reputation systems using the so called flow model [21] as the mathematical foundation. Examples of such systems are EigenTrust [23], PageRank [9], SALSA [26], and PeerTrust [34]. What makes them appealing is that reputation is computed taking into account the feedback of all the users involved in the system, and the feedback is weighted with respect to the reputation of the user providing the feedback.
Flow models are often based on the theory of Markov chains. The feedback provided by the users is aggregated and normalized in order to obtain a Markov chain. Thereby, starting from a vector of initial reputation values, Markov steps are repeatedly applied until a stable state has been reached.

| User | Ratings in (a) | Ratings in (b) |
|---|---|---|
| Bob | positive 1, neutral 999, negative 0 | positive 100, neutral 900, negative 0 |
| Charlie | positive 9, neutral 991, negative 0 | positive 900, neutral 100, negative 0 |
| David | positive 0, neutral 100, negative 900 | positive 200, neutral 600, negative 200 |

Figure 1: Example scenarios. 1000 ratings given to Bob, Charlie and David.

Unfortunately, the current state of affairs regarding this kind of reputation model is not very satisfactory. First of all, those systems only provide a ranking of users rather than an absolute reputation value. Although this can be acceptable in some applications like web search, it is not in others like electronic marketplaces. For instance, a buyer prefers to do business with an honest seller rather than with the most trustworthy one in a pool of dishonest sellers. In a scenario where healthcare providers are willing to use data created by patients [32], the quality of the data provided by a patient cannot be assessed by only looking if he is more capable than other patients to do good measurements; an absolute quality metric is required. In addition, most of the flow-based systems ignore a significant part of the available information (e.g., negative feedback). Consequently, the reputation values those systems return may be inaccurate.

To illustrate these points, let us consider an electronic marketplace where users can rate each other after each transaction, as in eBay [15]. Here, each time Alice has a transaction with another user $j$ (e.g., Bob, Charlie, David), she may rate the transaction as positive, neutral, or negative. Let us consider scenarios (a) and (b) in Fig. 1. From a reputation metric we would expect that Alice has almost neutral opinion of Bob and Charlie and negative opinion of David in (a), and positive opinion of Bob and Charlie and neutral opinion of Charlie in (b).
However, if we apply the reputation metric proposed in [23] to these scenarios, we have that in both (a) and (b) Bob has local trust value¹ 0.1, Charlie 0.9 and David 0. The formulas used to compute these values will be presented in Section 2. Here, we just want to point out that the metric in [23] is unable to distinguish between cases (a) and (b). This lack of distinguishing power can be risky for users as it can mislead them in their decision whether to do business with other users. For instance, the reputation value of Charlie computed using the metric in [23] in (a) can lead users to think that Charlie is ‘very’ trustworthy while in fact he is not. These reputation values only indicate that Charlie is more trustworthy than others (i.e., a ranking without an absolute scale).

¹ In [23] local trust values indicate the opinion that users have of other users based on past experiences. Local trust values are in the range [0,1].

Moreover, it is worth noting that in [23] negative ratings are discarded in order to obtain a Markov chain. Consequently, it is not possible to distinguish between users that have (strong) negative reputation and users that have neutral reputation. This can be observed by comparing the ratings received by David in scenarios (a) and (b) of Fig. 1: although David received a large number of negative ratings and no positive ratings in (a) and an equal number of positive and negative ratings in (b), his reputation value is equal to 0 in both scenarios.

Last but not least, the design of flow-based reputation models requires including a number of parameters which intend to guarantee the convergence of computations. However, a comprehensive and exhaustive study of the impact of such parameters on reputation values and how they can be used to protect the systems against attacks has not been conducted yet.

Our contributions. In this paper, we present a reputation metric that enhances existing flow-based reputation metrics (see [9, 23, 31]) by providing absolute values instead of merely a ranking, and by not discarding any available information. Computing absolute reputation values makes it possible to quantify the trustworthiness of users and therefore provides a measure to univocally compare reputation values. This allows us, for instance, to distinguish cases (a) and (b) in Fig. 1. In the design of our reputation metric, we study the effect of self-reference (i.e., a user who gives feedback to himself). We demonstrate that our construction minimizes such an effect, leading to reputation values that are closer to intuitive expectations. We formally prove that the proposed reputation metric always has a solution, and that the solution is unique. We also discuss several methods of solving the reputation equation numerically.

Our metric depends on a number of parameters: a pattern matrix, which stores the (aggregated) feedback received by the system owner from the users about the interactions they had with other users (hereafter, the pattern matrix is also called indirect evidence matrix), a starting reputation vector, which represents the direct information known to the system owner about the trustworthiness of entities in the system, and an interpolation parameter $\alpha$, which serves as a weight for direct versus indirect information. We analytically study the impact of changes in the indirect evidence matrix on reputation values. This study allows us to analyze how someone can attack the reputation system by providing unfair ratings. In particular, we analyze self-promoting and slandering attacks [18] as well as Sybil attacks [14]. To study self-promoting (slandering) attacks, we assume that an attacker can manipulate reputation values by giving positive ratings to users who gave positive ratings to him (negative ratings to the target) and negative ratings to users who gave negative ratings to him (positive ratings to the target). We study the effect of Sybil attacks by modeling an attacker who subverts the reputation system by first creating a large number of pseudonymous entities, and then using them to influence the reputation value of a target user in a similar way as is done for self-promoting and slandering attacks.

On the other hand, we assume that the starting reputation vector and the weight parameter are defined by the system owner and cannot be modified by the attacker. We numerically study the impact of these parameters on reputation values and analyze how they can be used to mitigate the effect of above mentioned attacks. The analysis allows us to draw some guidelines for choosing the value of these parameters. The guidelines are general and apply to reputation metrics that use similar parameters.

In this work we are mainly interested in the study of the mathematical model of reputation systems, rather than in the algorithm implementing the mathematical model. Therefore, we assume throughout the paper the existence of a central authority which collects all ratings and calculates the reputation of every participating user. This assumption is in line with the approach proposed in [9] where a search engine collects information about hyperlinks of several million pages and indexes search results on the basis of such an information.

The paper is structured as follows. Section 2 provides an overview of reputation systems. Section 3 presents our metric and Section 4 discusses its formal properties. Section 5 discusses several methods for computing the reputation vector. Section 6 evaluates reputations numerically for a number of attack scenarios. Section 7 concludes and discusses directions for future work.

2 Reputation Systems

Reputation systems have been proposed as a mechanism for decision support in open collaborative systems, where entities do not know each other a priori. Reputation is a collective measure of trustworthiness built from user experience. A user's experience consists of the events observed by that user. Events can be, for instance, voiced opinions, that is opinions that are made public [31], downloads [23], or transactions [15]. Users can rate the behavior of other users on the basis of their experience. In particular, ratings represent direct judgments of the behavior of users with respect to the perspective of the judging user. Those pieces of evidence are aggregated in order to calculate the reputation of users. Reputation gives the extent to which the target's behavior is good or bad [4].

In [18] Hoffman et al. identify three dimensions of reputation systems: formulation (the mathematical model), calculation (the algorithm implementing the model and actually computing reputation), and dissemination (the mechanism to disseminate the outcome). Here, we mainly focus on the formulation dimension, and on attacks on the mathematical model. The formulation of a reputation system includes a number of aspects: information source, information type, temporal aspects, and reputation metrics. The source of information can be subjective, i.e. the rating is based on subjective judgment like in [15, 31], or objective, i.e. the rating is determined from formal criteria like in [9]. The advantage of using objective information is that its correctness can be verified by other entities; however, sometimes it is difficult to define formal criteria that fully capture entities' opinions. At the same time, subjective information makes it difficult to protect the system against unfair rating, which lies at the basis of self-promoting and slandering attacks (see [18]). A typical example of these attacks is the so called Sybil attack (see [14]), in which different entities or multiple identities held by the same entity collude to promote each other. Another aspect of information sources is observability. Here it is important whether the information is directly observed by the entity calculating the reputation, or it is obtained second-hand or inferred from direct information. We call the reputation value calculated from directly observed information direct reputation.² Indirect information is widely used in reputation systems to support a notion of transitivity of trust (see [9, 13, 22, 23]). Although trust is not always transitive in real life [11], trust can be transitive under certain semantic constraints [22]. In this paper we assume that ratings have the same trust purpose (i.e., the same semantic content) and therefore their aggregation is meaningful. We also do not distinguish between functional trust (i.e., the ability to make a judgment about a transaction) and referral trust (i.e., the ability to refer to a third party).
As in [23, 34], we assume that a user trusts the opinion of users with whom he had positive transactions, since users who are honest during transactions are also likely to be honest in reporting their ratings.

The type of information used by a reputation system has a considerable impact on the types of attack to which the system is vulnerable. Some reputation systems (see [15, 23]) allow users to specify ternary ratings (positive, neutral, negative); others allow only positive [9, 31] or only negative ratings. Although systems that only consider positive values are robust to slandering attacks, they are not flexible enough to discriminate between honest and malicious entities. Negative reputation systems are particularly vulnerable to whitewashing attacks [18]; entities who receive a large number of negative ratings can change their identity and re-enter the system with a fresh reputation [25]. Therefore, one of our requirements for reputation systems is that entities should not be able to gain an advantage from their newcomer status. At the same time, newcomers should not be penalized for their status. Here, the temporal aspects of a reputation system play a fundamental role. For instance, some systems (see [9, 19, 23, 31]) do not distinguish between recent and past behavior, whereas other systems (e.g., see [4, 15, 24]) give more weight to recent behavior. For instance, in [4] reputation values are updated by aggregating the previous reputation value with a factor indicating the proximity of the recent score to the past reputation, i.e. $r_{ij}^{(t)} = r_{ij}^{(t-1)} + \mu(d_{ij}, r_{ij}^{(t-1)})$, where $\mu$ is a function that determines how fast the reputation value $r_{ij}$ changes after an event with rating $d_{ij}$.

A reputation metric is used to aggregate ratings and compute reputations. Several computation models have been used: simple summation or average of ratings [3, 15, 16], Bayesian systems [20, 30], beta probability density [32], discrete trust models [10], belief models [1, 19], fuzzy models [7, 29], and flow models [9, 23, 26, 33, 31].
Flow models are particularly interesting as they make it possible to compute reputation by transitive iteration through loops and arbitrary chains of entities. Here, we present the reputation system proposed in [23] as an example of a flow-based reputation system. Each time user $i$ has a transaction with another user $j$, she may rate the transaction as positive ($d_{ij} = 1$), neutral ($d_{ij} = 0$), or negative ($d_{ij} = -1$). The local trust value $s_{ij}$ is defined as the sum of the ratings that $i$ has given to $j$,

$$s_{ij} = \sum_{\text{transactions}} d_{ij}. \tag{1}$$

This aggregated feedback is then normalized in order to obtain a Markov chain. Formally, the normalized local trust value $a_{ij}$ is defined as follows

$$a_{ij} = \frac{\max(s_{ij}, 0)}{\sum_k \max(s_{ik}, 0)}. \tag{2}$$

Normalized local trust values can be organized in a matrix $[a_{ij}]$ (the so called pattern matrix). In flow models the reputation vector (the vector containing all reputation values) corresponds to the steady state vector of a Markov chain; one starts with a vector of initial reputation values and then repeatedly applies the Markov step until a stable state has been reached using the following equation

$$r^{(k+1)} = \alpha A^T r^{(k)} + (1-\alpha) p \tag{3}$$

where $r$ is the reputation vector, $A$ is the pattern matrix, $p$ is a vector of initial reputation values, and $\alpha \in [0,1]$ is a damping factor.³

² Direct reputation is also called subjective reputation [27] or local trust value [23].

Unfortunately, the current state of affairs regarding this kind of reputation model is not very satisfactory. First of all, the approach itself has a drawback. In the Markov chain approach, reputation values need to be normalized in the sense that they add up to 100% (2). The problem is that such reputation values carry relative information only. Applying (1) and (2) to the two scenarios presented in Fig. 1, we obtain in both scenarios that Bob has normalized local trust value equal to 0.1, Charlie has 0.9 and David has 0. This is good enough for ranking, but when an absolute measure is required, the Markov chain approach fails.
Actually, one may expect that Bob and Charlie have a similar reputation value in the first scenario; also that the reputation value of Bob in the second scenario is greater than the reputation value of Charlie in the first scenario. In addition, when entities have a similar reputation value, it is impossible to see whether they are all trustworthy or all untrustworthy. Suppose a scenario (i) in which Bob and Charlie receive ten positive ratings out of 1000 transactions from Alice and a scenario (ii) in which Bob and Charlie receive 900 positive ratings out of 1000 transactions. In principle, Bob and Charlie should have neutral reputation in (i) and strongly positive reputation in (ii). However, because of the normalization in (2), from Alice's perspective Bob and Charlie have normalized local trust value equal to 0.5 in both (i) and (ii).

Furthermore, implementations of flow models ignore a significant part of the available information: while ratings are positive, negative or neutral, their aggregation ignores the negative values and maps them to zero. For instance, EigenTrust [23] takes the sum $s_{ij}$ of the ratings of all transactions between entities $i$ and $j$, and normalizes it with respect to the sum of all the positive ratings given by $i$ (see (2)). As a consequence, it is not possible to discriminate between users that have bad reputation and users that have neutral reputation. Consider, for example, the local trust value of David in the two scenarios of Fig. 1: by applying (1), we obtain $-900$ in (a) and 0 in (b). However, after normalizing using (2), we obtain 0 in both scenarios.

Finally, the metrics based on Markov chains include parameters which aim to guarantee the convergence of computations and to resist malicious coalitions (e.g., the damping factor $\alpha$ and the vector of initial reputation values $s$ in (3)). Unfortunately, the impact of these parameters on reputation values has not been studied in sufficient detail.

3 Our reputation metric

3.1 Reputation model

Reputation is a collective measure of trustworthiness based on the judgment of a community.
The users in the community can interact with each other and rate the counterpart in the transaction after the completion of the transaction. The reputation value of a given user is computed by aggregating the ratings that other users in the community gave to that user and reflects the level of trust that they have on the user on the basis of their past experience. In the remainder of this section, we discuss the rating system, the method for aggregating ratings, and the metric for calculating reputation values from the aggregated ratings.

Ratings are collected by a central authority using a rating system. We adopt a rating system where ratings are bounded to the corresponding transaction. Ratings can be positive, negative, and neutral; we do not impose any restriction on the range of values of ratings.

The central authority aggregates ratings in order to compute the reputation values of all users involved in the system. We assume that aggregated ratings lie in the range [0,1] where 1 means very good, 0 very bad, and 1/2 neutral. The restriction to [0,1] does not affect the generality of the model: values lying in a different interval (and even qualitative values) can easily be mapped to [0,1]. In this way, all the available information (including negative ratings) can be used in the computation of reputation.

A number of factors should be taken into account when ratings are aggregated (see [4, 31, 34]):

• the ratings a user receives from other users,
• the total number of ratings a user receives from other users,
• the credibility of the rating source,
• the size of the transaction, and
• the time of the transaction.

³ Note that $\alpha$ is different from the ‘α’ in PageRank [9], whose purpose is to modify the matrix.

Several aggregation methods based on (some of) these factors have been proposed. In [15] ratings are aggregated by summing the positive and negative ratings that the user receives from other users. However, it is well known that methods based only on ratings are flawed [12, 34]. Indeed, a user can increase his reputation by increasing the transaction volume to cover the fact that he is cheating at a certain rate.
In particular, the user can build a good reputation in small transactions and then act dishonestly in large transactions [17]. To prevent this, an aggregation method should also take into account other factors like the total number of the transactions in which a user is involved and the size of the transaction. In addition, some existing reputation systems use threshold functions for accurate discrimination between trustworthy and untrustworthy users [31]. In particular, the ratings provided by a user are considered only if the credibility of the user is greater than a certain threshold. To discriminate between past and recent behavior, some reputation systems update reputation by aggregating the previous reputation with a factor indicating the proximity of the recent rating to the past reputation [4].

The following example presents a simple method for aggregating ratings that incorporates the ratings a user receives from other users, the total number of ratings, and the criticality of the transactions. Intuitively, the aggregated ratings are defined as the weighted ratio of the sum of positive and negative ratings averaged over the total criticality of transactions. In the example, we do not consider the credibility of the rating source because this factor is used later in (5) to calculate reputation values from aggregated ratings. In (5), the credibility of a user is given by the reputation of the user. We refer to [4] for an example of a time-sensitive aggregation method.

Example 1. Consider the electronic marketplace scenarios of Fig. 1. Let $\mathcal{V}_{xy}$ be the set of transactions between users $x$ and $y$, let $q : \mathcal{V}_{xy} \to \{1, 0, -1\}$ be a function that returns the rating given by $y$ to $x$ for the transaction and $w : \mathcal{V}_{xy} \to \mathbb{N}$ a function that assigns a criticality value to the transaction. The aggregated ratings $A_{xy}$ can be computed as the sum of individual ratings weighed with respect to the criticality of the transactions and then mapped into the range [0,1] as follows

$$A_{xy} = \frac{1}{2} + \frac{1}{2}\, \frac{\sum_{v \in \mathcal{V}_{xy}} q(v)\, w(v)}{\sum_{v \in \mathcal{V}_{xy}} w(v)}. \tag{4}$$

If we apply (4) to the scenarios of Fig.
1 (and assuming that all transactions have the same criticality value), we obtain that the values computed by aggregating the ratings given by Alice to Bob, Charlie, and David in (a) are equal to 0.5005, 0.5045, and 0.05 respectively, whereas scenario (b) gives 0.55, 0.95, and 0.5 respectively. These values are closer to what one would expect than the results of (2), namely 0.1, 0.9, and 0 for Bob, Charlie, and David respectively in both scenarios. (Here 1 means very good and 0 bad).

The set of all aggregated ratings $A_{xy}$ can be organized in a matrix. We refer to Table 1 for the notation used hereafter.

Definition 1. For $n$ users, the aggregated ratings are contained in an irreducible $n \times n$ matrix $A$,

• $A_{xy} \in [0,1]$ for $x \neq y$;
• $A_{xx} = 0$.

$A_{xy}$ represents the aggregated ratings of user $x$ from the perspective of user $y$. We impose that self-references are not included in the aggregation ($A_{xx} = 0$ for all $x$). This choice is motivated in Section 3.2, where we show that a nonzero diagonal has undesirable consequences in a simple toy scenario. In Section 6.4 we present numerical results on the effect of self-reference.

| Notation | Meaning |
|---|---|
| $n$ | Number of users. |
| $[n]$ | The set $\{1, \cdots, n\}$. |
| $r \in [0,1]^n$ | Column vector containing all reputations. |
| $s \in [0,1]^n$ | The ‘starting’ reputation vector. |
| $A_{xy} \in [0,1]$ | Aggregation of ratings of $x$ given by $y$. |
| $\alpha \in [0,1]$ | Weight of the indirect evidence. |
| $e$ | The $n$-component column vector $(1, 1, \cdots, 1)^T$. |
| $\ell \in [0,n]$ | The ‘norm’ $e^T r$. |
| $v_i$ | The $i$'th eigenvector of $A$. |
| $\lambda_i$ | The $i$'th eigenvalue of $A$. |
| $\lambda_{\max}$ | Largest eigenvalue of $A$. |
| $v_{\max}$ | Eigenvector corresponding to $\lambda_{\max}$. |
| $C$ | The $n \times n$ constant matrix $C = e e^T$. $C_{ij} = 1$; $C^k = n^{k-1} C$. |

Table 1: Notation

To compute reputation, we employ a metric that is an adaptation of the metrics in [23, 31]. In particular, we adopt the equation proposed in [31] (see (5)), which differs from the one proposed in [23] (see (3)) in the moment when the normalization step takes place. In [23] normalization is done once at the beginning in order to obtain a Markov chain using (2); then, starting from a vector of initial reputation values, Markov steps are repeatedly applied until a stable state has been reached.
Conversely, in [31] reputation values are normalized with respect to the sum of all reputation values in the reputation vector ($\sum_z r_z$ in (5)) at every iteration to guarantee that reputation values stay in the range [0,1]. We differ from the metric proposed in [31] in the way the indirect evidence matrix $A$ is defined: in [31] $A$ is symmetric (whereas we allow asymmetry), and $A_{xx} = 1$ (whereas we set $A_{xx} = 0$).

We consider a system with $n$ users. The central authority determines the trustworthiness of all users based on his direct experience with them and the aggregated ratings.

Definition 2. Let $s \in [0,1]^n$, with $s \neq 0$, be a ‘starting vector’ containing starting values assigned to all users by the central authority. Let $\alpha \in [0,1]$ be a weight parameter for the importance of indirect vs. direct evidence. We define the reputation vector $r \in [0,1]^n$ as a function of $\alpha$, $s$ and $A$ by the following implicit equation:

$$r_x = (1-\alpha)\, s_x + \alpha \sum_{y \in [n]} \frac{r_y}{\ell} A_{xy} \tag{5}$$

where we have introduced the notation $\ell = \sum_z r_z$.

Eq. (5) can be read as follows. If the central authority wants to determine the reputation of user $x$, it first takes into account the direct information that it has about $x$. From this it computes $s_x$, the reputation that it would assign to $x$ if it had no further information. However, it also has the aggregated data in $A$. It gives weight $1-\alpha$ to its ‘direct’ assignment $s$ and weight $\alpha$ to the collective result derived from $A$. If it did not have any direct information about $x$, it would compute $r_x$ as $r_x = \sum_y (r_y/\ell) A_{xy}$, i.e. a weighted average of the reputation values $A_{xy}$ with weights equal to the normalized reputations of all the users. Adding the two contributions, with weights $\alpha$ and $1-\alpha$, we end up with (5), which has the form of a weighted average over all available information.

Note that (5) can be expressed in vector notation as

$$r = (1-\alpha)\, s + \alpha \frac{A r}{e^T r}, \tag{6}$$

where $e$ stands for the $n$-component column vector $(1, 1, \cdots, 1)^T$.

3.2 Discussion of self-references

The quality of a reputation metric is determined by the accuracy of reputation values. Here, we provide further motivation for our metric and, in particular, for the choice $A_{xx} = 0$.
We demonstrate that the reputation values calculated by our reputation metric are close to the expected values.

The expression for $r_x$ contains a term $\alpha (r_x/\ell) A_{xx}$, the as yet unknown reputation of $x$ multiplied by his ‘self-rating’ $A_{xx}$. We briefly investigate the effect of self-reference on our reputation metric. First we look what happens when the diagonal of $A$ is not set to zero but to $\zeta \in [0,1]$. For large $n$ and random $A$ one does not expect a significant effect, since the diagonal consists of only $n$ elements out of $n^2$. (See the numerical results in Section 6.4). We consider the following scenario, which we tailored to make the diagonal stand out: Everybody agrees that only one user is reasonably trustworthy (let us call him user 1). Let $\varepsilon \ll 1$ be a small positive constant. Let $\sigma$ be a positive constant of order 1. We set $A_{xy} = \varepsilon$ for $x \notin \{1, y\}$ and $A_{1y} = b \in [0,1]$ for all $y \neq 1$. We set $s_x = \sigma\varepsilon$ for $x \neq 1$. Because in this scenario all the users except user 1 are treated equally, (5) yields the same reputation for all users $x \neq 1$, which we will denote as $r_{\rm rest}$.

$$A = \begin{pmatrix} \zeta & b & \cdots & b \\ \varepsilon & \zeta & \cdots & \varepsilon \\ \vdots & & \ddots & \vdots \\ \varepsilon & \cdots & \varepsilon & \zeta \end{pmatrix}, \qquad s = \begin{pmatrix} s_1 \\ \sigma\varepsilon \\ \vdots \\ \sigma\varepsilon \end{pmatrix}, \qquad r = \begin{pmatrix} r_1 \\ r_{\rm rest} \\ \vdots \\ r_{\rm rest} \end{pmatrix}. \tag{7}$$

From a good metric we expect that user 1 has reputation $(1-\alpha) s_1 + \mathcal{O}(\varepsilon)$ and that $r_{\rm rest}$ is of order $\varepsilon$, preferably $r_{\rm rest} = (1-\alpha)\sigma\varepsilon + \alpha\varepsilon$. Substitution of (7) into (5) yields, after some algebra, $r_1 = (1-\alpha) s_1 + \alpha\zeta + \mathcal{O}(\varepsilon)$ and $r_{\rm rest} = \varepsilon\, \frac{(1-\alpha)\sigma + \alpha}{1 - \alpha\zeta/r_1} + \mathcal{O}(\varepsilon^2)$. Clearly, our expectations are met only if $\zeta = 0$.

One could argue that setting the diagonal of $A$ to zero is not enough to remove self-references completely: in the computation of $r_x$ the normalization factor $\ell = e^T r$ still contains $r_x$, i.e. $r_x$ affects the weights for the computation of $r_x$. In order to avoid this, one could define an alternative reputation metric $t$ as

$$t_x = (1-\alpha)\, s_x + \alpha \sum_{y \in [n] \setminus x} \frac{t_y}{\sum_{z \in [n] \setminus x} t_z} A_{xy}. \tag{8}$$

For large $n$ and general $A$, the differences between (8) and (5) are tiny. However, substitution of the special scenario (7) into (8) gives $t_1 = (1-\alpha) s_1 + \alpha b + \mathcal{O}(\varepsilon)$ and $t_{\rm rest} = (1-\alpha)\sigma\varepsilon + \alpha\varepsilon$. While $t_{\rm rest}$ is as desired, $t_1$ is not. There is a significant difference between $t_1$ and the desired outcome $(1-\alpha) s_1 + \mathcal{O}(\varepsilon)$, especially when $b$ is large. As a special case consider $s_1 \ll b$, a situation where the central authority mistrusts user 1, but all the users trust him. The authority does not want his result for user 1 to be influenced heavily by the users, since their reputations are $\mathcal{O}(\varepsilon)$.

We conclude that the metric $r$ works best when $A_{xx} = 0$ is imposed, and that $r$ is better than the metric $t$. Here ‘better’ means that it more closely matches our expectations of how a metric should behave.

4 Formal properties

The implicit function (5) can be shown to have a number of desirable properties. In particular, for any choice of $\alpha$, $s$, $A$ allowed by Definitions 1 and 2 there always exists a well defined, unique solution $r \in [0,1]^n$. This result is fundamental in collaborative systems in which parties rely on the reputation values to make a decision.

In this section, we first introduce some notation and list a number of useful lemmas. We discuss the trivial solutions for $\alpha = 0$ and $\alpha = 1$. Then, we present a proof of existence and uniqueness of the solution $r$ for the general case $0 < \alpha < 1$. Finally, we compute the derivative of $r$ with respect to $A$. This provides a way to study the sensitivity of the reputation metric to malicious changes in the indirect evidence matrix (Section 6.5).

4.1 Notation and lemmas

For a vector or a matrix, the notation ‘$V \geq 0$’ means that all the entries are nonnegative. For other notation we refer to Table 1.

Lemma 1. If $r$ is a solution of (5) satisfying $r \geq 0$, then $r \in [0,1]^n$.

The proof is given in the Appendix.

Lemma 2. For given $\alpha$, $s$, $A$ and a given $\ell \in [0,n]$, such that $\det(\ell \mathbf{1} - \alpha A) \neq 0$, there can exist at most one vector $r \in \mathbb{R}^n$ that satisfies (5) and $e^T r = \ell$.

Proof: Let $\ell = e^T r$. Eq. (5) can be rewritten as

$$r = u(\ell) := (1-\alpha) \left[ \mathbf{1} - \frac{\alpha}{\ell} A \right]^{-1} s. \tag{9}$$

This fixes the vector $r$ uniquely as a function of the scalar $\ell$. □

Given a solution $r$, Lemma 2 tells us that a nontrivial permutation of $r$ cannot be a solution.

Lemma 3 (Theorem 1.7.3 in Ref. [5]). Let $M \geq 0$ be a square matrix. Then $M$ has a positive eigenvalue $\lambda_{\max}$ which is equal to the spectral radius. There is an eigenvector $v_{\max} \geq 0$ associated with $\lambda_{\max}$. For $x > \lambda_{\max}$ it holds that $(x \mathbf{1} - A)^{-1} \geq 0$.

4.2 The special cases α = 0 and α = 1

The case $\alpha = 0$ trivially yields $r = s$. The case $\alpha = 1$ is more interesting. Eq. 5 reduces to

$$A r = (e^T r)\, r. \tag{10}$$

This has the form of an eigenvalue equation. The matrix $A$ has eigenvectors $v_i$, and eigenvalues $\lambda_i$. There exist $n$ solutions of (10), namely

$$r^{(i)} = \lambda_i \frac{v_i}{e^T v_i}, \tag{11}$$

i.e. proportional to the eigenvectors of $A$. However, the Perron-Frobenius theorem for nonnegative irreducible matrices (see e.g. Ref. [6], Chapter 2) tells us that only one of the eigenvectors gives an acceptable reputation vector: $v_{\max} > 0$. All the other eigenvectors have at least one negative entry. We are left with a single solution,

$$\text{At } \alpha = 1: \quad r = \lambda_{\max} \frac{v_{\max}}{e^T v_{\max}} \quad \text{and} \quad \ell = \lambda_{\max}. \tag{12}$$

4.3 The general case 0 < α < 1; Main theorems

Multiplying (9) from the left with $e^T$ and then multiplying by a suitable constant gives

$$f(\ell) = 1 \quad \text{where} \quad f(\ell) := (1-\alpha)\, e^T (\ell \mathbf{1} - \alpha A)^{-1} s. \tag{13}$$

This equation helps us to prove several important properties of our metric. First, we demonstrate that (5) has always a well defined, unique solution in the general case $0 < \alpha < 1$.

Theorem 1. For $\alpha$, $A$, $s$ as given in Definitions 1 and 2, there exists a reputation vector $r \in [0,1]^n$ satisfying (5). The solution is of the form $r = u(\ell_*)$ with $u$ the function defined in (9) and $\ell_* \in (\alpha\lambda_{\max}, n]$.

Corollary 1. In the limits $\alpha \to 0$ and $\alpha \to 1$, (13) and (9) correctly reproduce the reputation vector for the special cases $\alpha = 0$ and $\alpha = 1$.

Theorem 2. The solution in Theorem 1 is the only solution of (5) satisfying $r \in [0,1]^n$.

The proofs of Theorems 1 and 2, and Corollary 1 are given in the Appendix.

The quality of a reputation system is determined by how accurately the computed reputation predicts the future performance of entities even when attackers attempt to manipulate reputation values.
The following result allows us to study the effect of unfair ratings by analyzing the sensitivity of reputation values to changes in the indirect evidence matrix.

Theorem 3. For fixed $\alpha$ and $s$, a small change in $A$ affects $r$ as follows:

$$\frac{\partial r_x}{\partial A_{zy}} = \alpha \left[ \ell \mathbf{1} - \alpha A + \frac{\alpha}{\ell} A r e^T \right]^{-1}_{xz} r_y. \tag{14}$$

(Here $[\cdots]^{-1}_{xz}$ stands for element $xz$ of the inverse matrix.)

The proof of Theorem 3 is given in the Appendix.

Theorem 3 gives some direct insight into the effectiveness of attacks. First, we see that the effect of the attack is proportional to $\alpha$. Furthermore, if some user $y$ wants to attack the reputation of user $x$, the most obvious attack is to reduce the matrix element $A_{xy}$, i.e. $(\delta A)_{xy} < 0$. We see in (14) that the effect is proportional to $r_y$. Hence, the effectiveness of his attack is proportional to his own reputation. (Of course this does not come as a surprise, but it is good to see intuition getting confirmed.) From this we see that it is advantageous for him to improve his own reputation before attacking other users' reputations.

Finally, from (14) we can also read off a less obvious attack strategy. The attacker $y$ may also indirectly attack $x$ by manipulating $A_{zy}$, where $z$ is some other user. The effect of this attack is proportional to the matrix element $E_{xz} := [\ell \mathbf{1} - \alpha A + \frac{\alpha}{\ell} A r e^T]^{-1}_{xz}$. In practice, user $y$'s attack on $x$ could look as follows. He computes $E_{xz}$ for all $z$, $z \neq y$. He picks a number of users $z$ whose $E_{xz}$ have the highest magnitude. For each of them, if $E_{xz} < 0$, he causes a positive change in $A_{zy}$, otherwise a negative change. Remark: This reasoning applies for small changes of $\delta A$. In the numerical experiments (Section 6.5) we take a worst case approach and allow the attacker to make big changes in $A$.

5 Computing reputation

From the structure of Lemma 2 and the proof of Theorem 1, we can derive a direct method (Fig. 2) for computing $r$ from $\alpha$, $s$, and $A$. This algorithm first solves (13) for $\ell$, obtaining a solution $\ell_* > \alpha\lambda_{\max}$ (lines 1-3).
The equation $f(\ell) = 1$ is a polynomial equation of degree $n$; this becomes evident if we write $A$ as $A = Q \Lambda Q^{-1}$ (with $\Lambda$ the diagonal matrix containing the eigenvalues of $A$, and $Q$ the matrix whose columns are the eigenvectors $v_i$) and multiply (13) by $\det(\ell - \alpha A)$:

$$\prod_{i=1}^{n} (\ell - \alpha\lambda_i) = (1-\alpha) \sum_{i=1}^{n} (e^T Q)_i\, (Q^{-1} s)_i \prod_{j \in [n] \setminus \{i\}} (\ell - \alpha\lambda_j). \tag{15}$$

The highest order on the left hand side is $\ell^n$, and on the right $\ell^{n-1}$. The algorithm first completely solves the eigensystem of $A$ (lines 1-2) and then solves (15), looking only for the unique solution $\ell_* > \alpha\lambda_{\max}$ (line 3). Finally, it substitutes that value into (9) (line 4). Theorem 1 guarantees that the outcome is a vector in $[0,1]^n$.

Figure 2: Direct method

    1  {λ_i} = Eigenvalues(A)
    2  Q = Eigenvectors(A)
    3  Find ℓ* > α λ_max that solves (15)
    4  r = (1 − α) [1 − (α/ℓ*) A]^(−1) s

Figure 3: Iterative method

    1  r(0) = s
    2  repeat
    3      r(k+1) = A r(k) / Σ_z r_z(k)
    4      r(k+1) = (1 − α) s + α r(k+1)
    5      diff = ‖r(k+1) − r(k)‖_1
    6  until diff < δ

An iterative method for solving (5) is presented in Fig. 3. This algorithm first computes reputation as the weighted average of reputation values in A (line 3). Then, it calculates the average over direct and indirect
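
The aggregation of Example 1 and the iterative method of Fig. 3, as an added example in Python (not code from the paper): it reproduces the Fig. 1 values for Eqs. (2) and (4), solves Eq. (5), and measures how much a rater who slanders a target lowers the target's reputation, which Theorem 3 ties to α and to the rater's own reputation. Only the Fig. 1 counts come from the page; the other matrix entries, the starting vector `S`, the α values and all function names are constructed for illustration.

```python
# Added example, not code from the paper. Fig. 1 counts come from the page;
# every other rating, the starting vector S and the alpha values are constructed.

# (positive, neutral, negative) ratings given by Alice in Fig. 1.
FIG1_A = {"Bob": (1, 999, 0), "Charlie": (9, 991, 0), "David": (0, 100, 900)}
FIG1_B = {"Bob": (100, 900, 0), "Charlie": (900, 100, 0), "David": (200, 600, 200)}

ALICE, BOB, CHARLIE, DAVID = range(4)
S = [0.9, 0.5, 0.8, 0.1]   # starting vector s set by the central authority (constructed)


def normalized_local_trust(counts):
    """Eq. (1)-(2): s_ij = sum of ratings; a_ij = max(s_ij, 0) / sum_k max(s_ik, 0)."""
    s = {u: pos - neg for u, (pos, _neu, neg) in counts.items()}
    total = sum(max(v, 0) for v in s.values())
    return {u: (max(v, 0) / total if total else 0.0) for u, v in s.items()}


def aggregated_rating(counts):
    """Eq. (4) with the same criticality w(v) = 1 for every transaction."""
    return {u: 0.5 + 0.5 * (pos - neg) / (pos + neu + neg)
            for u, (pos, neu, neg) in counts.items()}


def build_matrix():
    """A[x][y] = aggregated rating of x given by y, zero diagonal (Definition 1)."""
    alice = aggregated_rating(FIG1_B)        # Alice's column: Fig. 1(b) via Eq. (4)
    return [
        # rater:  Alice           Bob  Charlie David
        [0.0,              0.8, 0.9, 0.7],   # ratings of Alice (constructed)
        [alice["Bob"],     0.0, 0.9, 0.9],   # ratings of Bob
        [alice["Charlie"], 0.8, 0.0, 0.6],   # ratings of Charlie
        [alice["David"],   0.2, 0.1, 0.0],   # ratings of David
    ]


def step(A, s, alpha, r):
    """One pass of Fig. 3, lines 3-4: (1 - alpha) s + alpha * A r / sum_z r_z."""
    ell = sum(r)
    return [(1 - alpha) * s[x] + alpha * sum(a * ry for a, ry in zip(A[x], r)) / ell
            for x in range(len(s))]


def solve_reputation(A, s, alpha, delta=1e-12, max_iter=10_000):
    """Iterative method of Fig. 3: start at r = s, stop when the L1 change < delta."""
    r = list(s)
    for _ in range(max_iter):
        nxt = step(A, s, alpha, r)
        diff = sum(abs(a - b) for a, b in zip(nxt, r))
        r = nxt
        if diff < delta:
            return r
    raise RuntimeError("iteration did not converge")


def residual(A, s, alpha, r):
    """Largest violation of Eq. (5) by r; close to 0 for a solution."""
    return max(abs(a - b) for a, b in zip(step(A, s, alpha, r), r))


def slander_drop(A, s, alpha, attacker, target):
    """Loss in r[target] when the attacker's rating A[target][attacker] is set to 0."""
    tampered = [row[:] for row in A]
    tampered[target][attacker] = 0.0
    before = solve_reputation(A, s, alpha)[target]
    return before - solve_reputation(tampered, s, alpha)[target]


if __name__ == "__main__":
    print("Eq. (2), Fig. 1(a):", normalized_local_trust(FIG1_A))
    print("Eq. (2), Fig. 1(b):", normalized_local_trust(FIG1_B))
    print("Eq. (4), Fig. 1(a):", aggregated_rating(FIG1_A))
    print("Eq. (4), Fig. 1(b):", aggregated_rating(FIG1_B))
    A = build_matrix()
    r = solve_reputation(A, S, alpha=0.5)
    print("r =", [round(v, 4) for v in r], "residual =", residual(A, S, 0.5, r))
    for alpha in (0.25, 0.75):
        for attacker, name in ((CHARLIE, "Charlie"), (DAVID, "David")):
            drop = slander_drop(A, S, alpha, attacker, BOB)
            print(f"alpha={alpha}: {name} slanders Bob -> r_Bob drops by {drop:.4f}")
```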
