grizzly/deneir
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

get first paper and add meta-review

Browse source
This commit is contained in:
Arthur Grisel-Davy 2024-05-22 10:36:50 -04:00
parent 887bcd13b7
commit cc34bfe953
20 changed files with 8175 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6347
trust/EMSOFT24/IEEEtran.cls Normal file
View file

File diff suppressed because it is too large Load diff

18
trust/EMSOFT24/abstract.tex Normal file
View file

@ -0,0 +1,18 @@
\begin{abstract}
Trust is paramount in \ac{cpss}, and particularly within \ac{scs} across healthcare, transportation, and infrastructure domains. However, accurately assessing and quantifying trust remains a challenge due to complex dynamic environments and uncertainties in indirect observations. Current approaches rely on indirect observations of a system to determine system state (normal, under attack, defective), but these observations can be misleading. Therefore, there is a need to develop a trust-based mechanism that considers the dynamic nature of \ac{cpss} and provides reliable quantification of their trust levels. This paper proposes a novel methodology to address this problem. By analyzing time-series representing system activity and evaluating their compliance with predefined temporal properties like \ac{stl}, we aim to quantify trust by leveraging \ac{sl}. Our proposed trust-based mechanism can enhance the reactiveness of the system and guide the user in their interaction with critical systems, improving reliability in dynamic environments.
% Addressing this gap necessitates innovative approaches that integrate physics-based cyber controls and sophisticated analytical techniques that aggregate and analyze indirect observations, thereby enabling the establishment of robust trust frameworks essential for ensuring the reliability and responsiveness of CPSs. Current methodologies often fall short in providing reliable trust metrics, leaving CPSs vulnerable to potential failures and disruptions. indirect observations of the system can carry uncertainty and be misleading in ascertaining the true state of the system.
% given indi obser with uncertainties output a trust verdict using cuml fusion in sub logi
% application: Cyber-security for cyber-physical systems
% proof by contradiction
% robust state estimation
\end{abstract}

59
trust/EMSOFT24/acronyms.tex Normal file
View file

@ -0,0 +1,59 @@
\DeclareAcronym{sl}{
short = SL,
long = Subjective Logic
}
\DeclareAcronym{3vsl}{
short = 3VSL,
long = Three-Valued Subjective Logic
}
\DeclareAcronym{dst}{
short = DST,
long = Dempster-Shafer Theory
}
\DeclareAcronym{bpdf}{
short = Beta PDF,
long = Beta Probability Density Function
}
\DeclareAcronym{dpdf}{
short = Dirichlet PDF,
long = Dirichlet Probability Density Function
}
\DeclareAcronym{stl}{
short = STL,
long = Signal Temporal Logic
}
\DeclareAcronym{cpss}{
short = CPSs,
long = Cyber-Physical Systems
}
\DeclareAcronym{scs}{
short = SCS,
long = Safety Critical Systems
}
\DeclareAcronym{cpu}{
short = CPU,
long = Central Processing Unit
}
\DeclareAcronym{mad}{
short = MAD,
long = Machine Activity Detector
}
\DeclareAcronym{iot}{
short = IoT,
long = the Internet of Things
}
\DeclareAcronym{tca}{
short = TCA,
long = Trust Calibration Actions
}

220
trust/EMSOFT24/case_studies.tex Normal file
View file

@ -0,0 +1,220 @@
\section{Case Studies}
\begin{figure}
\centering
\includegraphics[width=0.45\textwidth]{images/diagram}
\caption{Overview of the data pipeline for the case studies.}
\label{fig:cs_diagram}
\end{figure}
Both case studies follow the same data pipeline for applying the trust framework to power consumption data.
Figure~\ref{fig:cs_diagram} provides an overview of the processing steps both in and around the trust framework.
The system under test --- a personal computer in both studies --- is instrumented to collect power consumption data either from the complete machine or the \ac{cpu} only.
For each input time series, an activity detector provides an array of labels corresponding to the detected state of the machine for each timestamp.
The activity detector, although different in each study, always provides output labels that propagate the uncertainty in the input trace.
For example, if the input time series contains patterns unrecognizable for the detector or missing data, then the output contains \textit{unknown} labels for the corresponding segments.
Where a classic system may not be able to process \textit{unknown} labels, the trust framework is designed with uncertain information in mind and thus allows the detector to provide an honest output.
The labels provided by the activity detector represent the state of the system but the trust framework expect ternary labels representing STL satisfaction.
The pipeline considers a combination of two \ac{stl} formulae to evaluate the STL satisfaction from state labels and return a ternary value.
The first formula determines if the output is uncertain or not.
If the output is not uncertain, then the second formula determines the satisfaction.
The output of the checker is an array of ternary values $\{1,0,-1\}$ representing the satisfaction of the trace against a predefined policy.
These study proposes examples of policies to verify, but it is important to note that there is no restrictions on the design of the policy.
Any condition that is verifiable with the available state labels from the activity detector can provide valid information for the trust framework.
This lack of constraint makes this approach applicable to a wide variety of security problems.
\subsection{Case Study 1: Controlled Data}
The first case study considers a dataset collected in the lab.
The monitored machine is a NUC mini-PC from Intel.
A Hall effect sensor \cite{palitronica} measures the power consumption at the cable level.
The capture system measures the current --- proportional to the power --- at 10kHz.
Prior to the activity detection, a preprocessing step downsamples the trace to 20Hz with an average filter.
The machine performs a scenario simulating the activity of an office computer during a working day.
For ease of experiment, the scenario is compressed into four hours.
The scenario starts with an \textit{off} period representing the time between midnight and the start of the day.
The computer then boots up and remains \textit{on} for the rest of the day.
When evening starts, the computer goes to sleep until the maintenance phase, just before midnight.
During the maintenance phase, the computer reboots one time to mimic update installations.
Attacks and malfunctions are randomly triggered using three mechanisms.
First, the computer can remain \textit{on} either during the night or the evening.
Then, crypto-mining software can turn on, generating a high load on the system.
Finally, the scenario can randomly skip rebooting the machine.
Each abnormal activity symbolizes a different family of attacks.
The policy for this first case study is a restriction on the high load that the system can experience.
A high load of any kind (CPU, GPU or I/O, for example) for a significant amount of time is a suspicious activity.
These loads can indicate malware like crypto-miners or ransomware or result from a software malfunction that puts the machine into a frozen state.
The policy verification considers chunks of time to produce a single ternary value depending on the state labels in the chunk.
Because the goal is to leverage uncertainty, the verification uses a combination of two \ac{stl} formulae to provide a ternary output.
\begin{align}
S_1 &= \lozenge_{[i,i+n]}[(state \neq unknown) \wedge (state \neq high)] \label{stl1}\\
S_2 &= \neg S_1 \wedge \lozenge_{[i,i+n]}[(state = unknown)] \label{stl2}
\end{align}
Because the proposed \ac{stl} formulae are simple, this study does not employ a full-featured \ac{stl} checker.
Instead, a simple purpose-built code (see pseudo-code \ref{alg:code1}) verifies the \ac{stl} formulae.
The checker first divides the power trace in non-overlapping chunks.
A satisfaction value --- $1=$satisfaction, $0=$uncertain, or $-1=$violation --- corresponds to the data in exactly one chunk.
To compute the satisfaction value, the checker searches for sequences of a predefined length that contains \textit{high} or \textit{unknown} values (Equation~\ref{stl1}).
If no such sequence is found, the chunk of trace is compliant.
If a sequence is found, the chunk is either uncertain or in violation whether it contains respectively \textit{unknown} labels or not (Equation~\ref{stl2}).
The checker returns the value after finding the first sequence.
\begin{algorithm}
\caption{Pseudo-code for detecting high load violations.}
\label{alg:code1}
\begin{algorithmic}[1]
\Require A label array $l$, chunk length $L_c$, and sequence length $L_s$.
\Procedure{checkChunk}{chunk}
\For{$j \in range(i,i+L_c)$}
\If{$j=2$ or $j=-1$}
\State $k=1$
\While{$j+k < i+L_c$ and $l[i+k] \in \{2,-1\}$}
\State $k \gets k+1$
\If{$k=L_c$}
\If{$-1 \in l[i:i+k]$}
\State \Return $0$
\Else
\State \Return $-1$
\EndIf
\EndIf
\EndWhile
\EndIf
\EndFor
\State \Return $1$
\EndProcedure
\State $start,step,end \gets 0,L_c,length(l)$
\State $compliances \gets emptyList()$
\For{$i \in range(start,end,step)$}
\State $chunk \gets l[i:i+L_c]$
\State $compliances.append(checkChunk(chunk))$
\EndFor
\State \Return $compliances$
\end{algorithmic}
\end{algorithm}
The output of verifying the STL formulae is an array of ternary labels, where each value represents the satisfaction of a chunk of time series.
The interval window is set to \( \mathcal{I} = 60 \hspace{0.5em} minutes\) in our experiment to calculate the trust snapshot opinion (\( \omega_{Y}^{S} \)).
The trust index opinion (\( \omega_{Y}^{I} \)) is then updated at the end of each interval using Eq.~\eqref{eq:trust_idx}.
\begin{figure}
\centering
\includegraphics[width=0.45\textwidth]{images/combined_plot_dsd_raw.pdf}
\caption{Case Study 1: Trust observations for a lab machine.}
\label{fig:trust_CSI}
\end{figure}
Figure~\ref{fig:trust_CSI} illustrates the information the trust management framework provides.
Subplot A is the input data from the \ac{stl}-checker, delineated into daily increments, with three discreet values: satisfied (+1), uncertain (0), and violation (-1), reflecting the system's state over the eight-day period.
Subplot B plots the trust index (\( T_{Y}^{I} \)), which represents the comprehensive trust metric of the system as it evolves throughout the experiment.
The trust index initially experiences a notable decline because uncertain or violated observations influence subjective opinions, attributable to the \ac{sl} 's reliance on a relatively sparse dataset for opinion formulation.
However, as the volume of observations increases, the sensitivity to violations and uncertainties reduces because the trust snapshot opinion is fused with the trust index opinion.
This plot illustrates the adaptive nature of our proposed trust management framework, as it effectively incorporates new evidence to update the trust index opinion continuously, ensuring an accurate representation of the system's reliability.
Subplots C, D and E present the values of the trust snapshot opinion (\( \omega_{Y}^{S} \)) projected probabilities for --- satisfied (+1), uncertain (0), and violation (-1) --- respectively, over the defined interval window \( \mathcal{I} \).
These instantaneous assessments within the window help identify short-term trends that may not be as noticeable when examining long-term aggregated data.
The sum of probabilities across these three states is equal to one at all times.
Our framework offers a more refined understanding of trust dynamics by allowing for a clear distinction between satisfied, violation and uncertain states.
The diminished sensitivity in the trust index opinion suggests a potential vulnerability.
Namely, consistent adversarial intrusions could remain undetected if solely assessed through the trust index opinion.
However, we can identify trends as significant shifts in the projected probabilities by examining the granular components of the trust snapshot opinions.
If an attacker targets a system in periodic intervals, observing only the trust index will not reveal any noticeable patterns.
However, analyzing the breakdown plot of trust snapshot opinions can aid in detecting such trends.
\begin{figure}
\centering
\includegraphics[width=0.45\textwidth]{images/trust_index_opinion_component_dsd_raw.pdf}
\caption{Case Study 1: Trust index opinion components.}
\label{fig:trust_index_opinion_component}
\end{figure}
Figure~\ref{fig:trust_index_opinion_component} illustrates the components of the trust index opinion across several days, showcasing the nuanced dynamics of trust assessment within the framework of our case study.
This visual representation helps understanding how trust in our \ac{cpss} evolves over time. The graph breaks down the trust index opinion into segmented categories of satisfaction, uncertainty, and violation.
These fluctuations are indicative of the system's responses to varying conditions and how they contribute to each component.
\subsection{Case Study 2: Production Data}
The second case study considers power consumption data from production systems.
The systems are classroom computers available to students for lab courses.
The current measurement uses the same capture system as for the first case study.
The traces contain measurements of the power consumption of the CPU only.
The machines in this classroom should never turn off.
For remote maintenance reasons, it is expected that the students log off from the machines after using them but should not turn them off completely.
For this result, the policy that this case study considers is the constant \textit{on} state from the machine.
To verify the state of the machine, the activity detection algorithm compares the current values to a threshold.
The threshold represents the separation between the \textit{off} and \textit{on} states.
In the same way as the first case study, the checker algorithm divides the input trace into multiple chunks that --- for this analysis --- represent 30 seconds of consumption.
The uncertainties in this case study take the form of missing data.
The captured system being deployed in a remote location outside of the controlled environment of a lab is subjected to network issues.
Instead of preprocessing the trace to fill empty segments using some heuristic or discarding the chunks containing missing measurements, the policy checker can leverage them by passing along \textit{uncertain} values to the trust framework.
To determine the output value for each chunk, the checker verifies the presence of \textit{off} values or missing data in each chunk.
If the chunk contains values below the threshold, then the output is $-1=$violation.
If there are no \textit{off} values but the chunk contains missing data, the checker cannot guarantee that the machine was not off at some point.
In this case, the output is $0=$uncertain.
Finally, if the chunk contains no missing values and only values above the threshold, then the output is $1=$satisfy.
Algorithm~\ref{alg:code2} presents the pseudo-code of the policy checker.
\begin{algorithm}
\caption{Pseudo-code for detecting off violations.}
\label{alg:code2}
\begin{algorithmic}[1]
\Require A power trace $t_s$, chunk length $L_c$, and a threshold value $T$.
\Procedure{checkChunk}{chunk}
\State $compliance \gets 1$
\For{$j \in range(i,i+L_c)$}
\If{$chunk[j] < T$}
\State \Return 0
\ElsIf{$chunk[j] = NaN$}
\State $compliance = 0$
\EndIf
\EndFor
\State \Return $compliance$
\EndProcedure
\State $start,step,end \gets 0,L_c,length(t_s)$
\State $compliances \gets emptyList()$
\For{$i \in range(start,end,step)$}
\State $chunk \gets t_s[i:i+L_c]$
\State $compliances.append(checkChunk(chunk))$
\EndFor
\State \Return $compliances$
\end{algorithmic}
\end{algorithm}
\begin{figure}
\centering
\includegraphics[width=0.45\textwidth]{images/combined_plot_ARTHUR-103.pdf}
\caption{Case Study 2: Trust observations for a production machine.}
\label{fig:trust_CSII}
\end{figure}
Figure~\ref{fig:trust_CSII}, illustrates the application of our trust management framework to production data from classroom computers, showcasing the framework's performance in a real-world scenario.
Subplot A illustrates the input signal to the framework over multiple days --- marked by vertical dashed lines ---, containing discrete evaluations of system states: satisfied (+1), uncertain (0), and violated (-1).
Subplot B reveals the evolution of the trust index (\( T_{Y}^{I} \)) across the observed time frame.
Initial observations show periods marked by uncertain (0) and violated (-1) states, resulting in a significant decline in trust.
The gradual increase in the trust index suggests an enhancement in system dependability as operations advance and more positive observations are noted.
Subplots C, D, and E delineate the projected probabilities for satisfaction, uncertainty, and violation states derived from the trust snapshot opinion (\( \omega_{Y}^{S} \)) over the same period.
These emphasize the nuanced understanding of trust dynamics, allowing for identifying transient anomalies and operational trends that may not be immediately evident with the trust index alone.
Subplots D (Uncertain) and E (Violation) exhibit intermittent peaks, which highlight moments when the system's operational state was either not well understood or deviated from expected behavior.

13
trust/EMSOFT24/conclusion.tex Normal file
View file

@ -0,0 +1,13 @@
\section{Conclusion}
\label{sec:conclusion}
This paper introduced a novel trust management framework for \ac{cpss}, leveraging \ac{sl} to evaluate trust in uncertain indirect observations.
Our methodology extends beyond traditional binary trust assessments, enabling the presence of uncertainties that reflects the nuanced reality of \ac{cpss} operations.
Through case studies focusing on power consumption data, we demonstrated the frameworks adaptability and efficacy in providing detailed trust assessments.
This research underscores the importance of trust management in ensuring the safety and reliability of \ac{cpss} in the \ac{scs}, especially in dynamic conditions represented by indirect observations.
Our work makes a valuable contribution to enhancing the security and effectiveness of \ac{cpss}, providing a basis for further exploration in this area.
As \ac{cpss} become more integral to modern infrastructure, advanced trust management solutions are essential for their successful deployment and operation.
To extend further the capabilities and versatility of this framework, the combination of various data sources and the usage of trust calibration actions are proposed.
% Our framework shows promise in practical applications such as healthcare CPS and autonomous vehicles by allowing nuanced trust assessments amidst uncertainties in real-time. The adaptability and versatility of our approach underscore its importance for the development of reliable, user-centric \ac{cpss}.

31
trust/EMSOFT24/discussion.tex Normal file
View file

@ -0,0 +1,31 @@
\section{Discussion}
\label{sec:discussion}
In this study, we have presented a novel trust management framework leveraging \ac{sl} to navigate the complexities of trust in \ac{cpss} using indirect observations under conditions of uncertainty.
The results indicate that the suggested framework dynamically adapts trust scores, especially in environments where data is uncertain or incomplete.
% improving reliability without requiring human input.
The trust value is determined by categorizing indirect observations and developing subjective opinions based on the evidence.
\ac{sl} is a logical reasoning framework utilized in diverse areas to evaluate trust while accommodating uncertainty in opinions.
Our framework provides a trust assessment based on long-term aggregated data and helps identify short-term trends in trust.
Current research into trust assessment has primarily concentrated on the binary domain.
Our study broadens this scope to encompass the multinomial domain by including an extra dimension where observations are categorized as uncertain.
The cumulative fusion operator merges evidence-based opinions about the same proposition in \ac{sl}.
We present our approach to performing the cumulative fusion operator on multinomial opinions and provide proof of its validity.
Including the label of uncertainty in expressing opinions offers an additional understanding of the system state.
When evaluating indirect observations affected by noise, it is advantageous to distinguish between violations and uncertain readings, as this enables a more detailed comprehension of trust.
This differentiation is critical for making informed decisions, particularly in environments where missing or ambiguous data can significantly affect the reliability of the system's performance assessment and should not be immediately categorized as a violation.
In the proposed trust management framework, we evaluate evidence observations from a single source.
However, future studies could investigate generating multiple viewpoints from extra classifiers and fusing them using \ac{sl} within the trust management framework.
Analyzing multiple opinions can improve the precision and dependability of trust evaluations by considering various viewpoints and decreasing reliance on a single classifier.
All violations in the trust management framework have an equal effect on trust, though they are not identical.
For instance, if a minor software glitch causes a one-second delay in information processing, its impact on trust should differ considerably from a server crash without reboot.
A potential enhancement would be to allocate varying weights to different categories of violations within the trust management framework.
We also introduce the concept of trust calibration actions to address the issue of undertrust. Users can leverage their domain knowledge and provide a list of actions to calibrate trust under specified conditions. Trust calibration actions are not part of the framework but supplement its functionality by providing predefined suggestions to the user.
The trust management framework equally values each trust calibration action the user performs.
Assigning weights to different trust calibration actions according to their significance or impact may lead to a more tailored trust evaluation.

20
trust/EMSOFT24/future_work.tex Normal file
View file

@ -0,0 +1,20 @@
They will say, you have a nuclear power station, something happens, you just drop the trust a little bit, the thing, but the thing blows up.
How do you put a violation in relation to how much it drops?
Then have in the discussion something where you just say, oh, different violations can have different, can affect the trust differently.
For your case study, you chose the same value for all of them, but you have this in the discussion and show really somehow that it stands out, that you say, oh, here's an example configuration with different values.
So you could look at that, your short term values will reflect that.
And if you have more than that, then every, so you have a short term trust coming out, which is for each of those weighted things. And now you can say there is a severity of an event is associated with short term and it reflects stands out. And that's the weightage that actually goes into your commutative long term thing.
Instead of having just two or three vertex or you can have many because and also you have a severity of events associated with them. So given the severity, there is a weight associated that can affect the short term and the short term will eventually affect your long term. And depending on what weight comes in, your long term trust might drop substantially.
For example, a car experiences stutter, meaning the engine, like you have to sometimes, oh, it misfires or it doesn't start anymore for after trying to trace. I mean, these are two substantially different ways to affect trust in the vehicle.
You could just do that on a BIOS example that we have, right? Sometimes it's checking for an external USB device and it takes time to boot up. But sometimes let's say your boot up has just been messed up and it doesn't go beyond a certain state. It's stuck at that blue screen. Now you have two different stages.

55
trust/EMSOFT24/high_checker.py Normal file
View file

@ -0,0 +1,55 @@
import numpy as np
from datetime import datetime, timedelta
from glob import glob
# PARAMETERS
trace_time_length = timedelta(hours=4)
sampling_rate = 20 # Hz
chunk_time_length = timedelta(minutes=10) # chunk of time to get one check value
print(f"Considering {trace_time_length/chunk_time_length} chunks of {chunk_time_length} over a {trace_time_length} trace.")
data_folder = "./data/"
data_selector = "pred_default/preds_*.npy"
# load data
data_filenames = sorted(glob(data_folder+data_selector))
print(f"Listed {len(data_filenames)} traces.")
# define the policy checking function
def checker_long_high(labels):
"""Check a policy on a trace (array of state label).
Produce a single ternary value 1=OK, 0=Unsure, -1=Not OK
Policy: No continuous High load (label=2) for more than 3m
"""
req_L = int(timedelta(minutes=3).total_seconds()*sampling_rate)
#inneficient non-numpy shit, tempormanent solution
for i in range(labels.shape[0]):
if labels[i] == 2 or labels[i] == -1 :
k=1
while i+k < labels.shape[0] and (labels[i+k] == 2 or labels[i+k] == -1):
k+=1
if k == req_L:
if -1 in labels[i:i+k]:
return 0
else:
return -1
return 1
def load_data(filename):
if filename.split(".")[-1] == "npy":
data = np.load(filename)
return data
else:
raise TypeError("plop")
counts = {"1":0, "0":0, "-1":0}
chunk_length = int(chunk_time_length.total_seconds()*sampling_rate)
for filename in data_filenames:
preds = load_data(filename)
compliance = [checker_long_high(preds[i:i+chunk_length]) for i in np.arange(0,preds.shape[0],chunk_length)[:-1]]
for key in counts.keys():
counts[key]+=compliance.count(int(key))
print(f"{filename.split('/')[-1]}: {compliance}")

31
trust/EMSOFT24/introduction.tex Normal file
View file

@ -0,0 +1,31 @@
\section{Introduction}
\label{sec:introduction}
For some embedded systems, the monitoring system can be as important as the design of the system itself.
In the context of \ac{scs}, assessing the integrity and performance of the system along its life-cycle is crucial.
Failing to detect an anomalous activity or an attack can result in catastrophic consequences for the humans involved or the environment.
Given the current trend of digitization and increasing connectivity in all domains --- including for \ac{scs} ---, the importance and scale of monitoring will only increase in the foreseeable future.
To answer this growing need, generations of monitoring systems proposed to collect a variety of logs, reports, or events journals.
All these sources are accessible to human agents that can evaluate them and find patterns or anomalous behavior.
Although automated systems exists for each type of collected information, human agents remain the final destination for the result of the monitoring and they often make the final decision.
Trust management systems have emerged as a promising avenue alongside traditional security mechanisms in \ac{scs}. These systems are designed to calculate trust values of \ac{scs} and ensure that users can trust and rely on these systems for their critical operations. Trust management systems aim to provide transparency and accountability, allowing users to understand the basis for the trust values assigned to critical systems.
Trust management systems address concerns arising from undertrust and overtrust.
Undertrust in a system can lead to disuse or hesitancy in using critical systems, which can hinder their effectiveness and potentially compromise safety.
Overtrust, on the other hand, can result in blind reliance and negligence, leading to complacency and overlooking potential risks.
Therefore, it is essential to understand the role of trust in human-computer interaction in critical applications.
Trust management systems play a pivotal role in addressing these challenges by providing a structured framework for calculating and quantifying trust values of safety-critical systems.
This work studies trust management for \ac{scs} but only addresses the problem of undertrust.
\subsection{Contribution}
This paper proposes a novel trust management framework using \ac{sl} and its application to the assessment of embedded systems from indirect observations with uncertainties.
The framework considers multinomial opinions to leverage uncertainty as a dimension contributing to trust output.
The proposed approach relies on the cumulative fusion operation within \ac{sl} on multinomial opinions and provides arguments for the validity of the proposed definitions.
Finally, the study provides an evaluation of the framework for power consumption data from both lab and production machines.
These case studies illustrate the effect of input information on output trust values.

151
trust/EMSOFT24/main.tex Normal file
View file

@ -0,0 +1,151 @@
\documentclass[conference]{IEEEtran}
\IEEEoverridecommandlockouts
% The preceding line is only needed to identify funding in the first footnote. If that is unneeded, please comment it out.
\usepackage{cite}
\usepackage{amsmath,amssymb,amsfonts}
\usepackage{amsthm}
\usepackage{amssymb}
%\usepackage{algorithmic}
\usepackage{graphicx}
\usepackage{textcomp}
\usepackage{witharrows}
\usepackage{balance}
\usepackage{algpseudocodex}
\usepackage{algorithm}
\newcommand\agd[1]{{\color{red}$\bigstar$}\footnote{agd: #1}}
\newcommand\wqk[1]{{\color{blue}$\bigstar$}\footnote{wqk: #1}}
% \newcommand\agd[1]{}
% \newcommand\wqk[1]{}
\usepackage{acro}
\input{acronyms}
\usepackage{xcolor}
\def\BibTeX{{\rm B\kern-.05em{\sc i\kern-.025em b}\kern-.08em
T\kern-.1667em\lower.7ex\hbox{E}\kern-.125emX}}
\begin{document}
\newcommand{\linebreakand}{%
\end{@IEEEauthorhalign}
\hfill\mbox{}\par
\mbox{}\hfill\begin{@IEEEauthorhalign}
}
\newtheorem{problemstatement}{Problem Statement}
\newtheorem{definition}{\textbf{Definition}}
% Custom command to expand acronym again if needed
\newcommand{\acexp}[1]{\acl{#1} (\acs{#1})}
\title{Trust Management with Subjective Logic for Safety Critical Systems in Uncertain Environments}
% \title{Trust Management for Physics-based Cybersecurity Controls}
% \author{
% \IEEEauthorblockN{1\textsuperscript{st} Waleed Khan}
% \IEEEauthorblockA{\textit{Electrical and Computer Engineering} \\
% \textit{University of Waterloo}\\
% Waterloo, Canada \\
% wqkhan@uwaterloo.ca}
% \and
% \IEEEauthorblockN{2\textsuperscript{nd} Arthur Grisel-Davy}
% \IEEEauthorblockA{\textit{Electrical and Computer Engineering} \\
% \textit{University of Waterloo}\\
% Waterloo, Canada \\
% agriseld@uwaterloo.ca}
% \and
% \IEEEauthorblockN{3\textsuperscript{rd} Apurva Narayan}
% \IEEEauthorblockA{\textit{???} \\
% \textit{University of Western Ontario}\\
% London, Canada \\
% ???}
% \and
% \IEEEauthorblockN{4\textsuperscript{th} Sebastian Fischmeister}
% \IEEEauthorblockA{\textit{Electrical and Computer Engineering} \\
% \textit{University of Waterloo}\\
% Waterloo, Canada \\
% sfischme@uwaterloo.ca}
% }
\author{
\IEEEauthorblockN{1\textsuperscript{st} Anonymous}
\IEEEauthorblockA{\textit{Electrical and Computer Engineering} \\
\textit{NoWhere}\\
Earth \\
email@example.com
}
\and
\IEEEauthorblockN{1\textsuperscript{st} Anonymous}
\IEEEauthorblockA{\textit{Electrical and Computer Engineering} \\
\textit{NoWhere}\\
Earth \\
email@example.com
}
\and
\IEEEauthorblockN{1\textsuperscript{st} Anonymous}
\IEEEauthorblockA{\textit{Electrical and Computer Engineering} \\
\textit{NoWhere}\\
Earth \\
email@example.com}
\and
\IEEEauthorblockN{1\textsuperscript{st} Anonymous}
\IEEEauthorblockA{\textit{Electrical and Computer Engineering} \\
\textit{NoWhere}\\
Earth \\
email@example.com}
\and
\IEEEauthorblockN{1\textsuperscript{st} Anonymous}
\IEEEauthorblockA{\textit{Electrical and Computer Engineering} \\
\textit{NoWhere}\\
Earth \\
email@example.com}
\and
\IEEEauthorblockN{1\textsuperscript{st} Anonymous}
\IEEEauthorblockA{\textit{Electrical and Computer Engineering} \\
\textit{NoWhere}\\
Earth \\
email@example.com}
}
\maketitle
\input{abstract}
\begin{IEEEkeywords}
Trust Framework, Subjective Logic, Uncertainties, Cyber-Physical Systems
\end{IEEEkeywords}
\acresetall % reset all acronyms to be expanded on first use.
\input{introduction}
\input{problem_statement}
\input{related_work}
\input{subjective_logic}
\input{proof}
\input{trust_framework}
\input{case_studies}
\input{discussion}
\input{conclusion}
\bibliographystyle{plain} % Specify the bibliography style
\bibliography{references}
\balance
\vspace{12pt}
\end{document}

74
trust/EMSOFT24/mmlab_checker.py Normal file
View file

@ -0,0 +1,74 @@
import numpy as np
from datetime import datetime, timedelta
from glob import glob
# PARAMETERS
#trace_time_length = timedelta(hours=4)
#sampling_rate = 20 # Hz
#chunk_time_length = timedelta(minutes=10) # chunk of time to get one check value
#print(f"Considering {trace_time_length/chunk_time_length} chunks of {chunk_time_length} over a {trace_time_length} trace.")
data_folder = "./data"
data_selector = "/ARTHUR-103/*.npy"
# load data
data_filenames = sorted(glob(data_folder+data_selector))
print(f"Listed {len(data_filenames)} traces.")
# define the policy checking function
def checker_long_high(labels):
"""Check a policy on a trace (array of state label).
Produce a single ternary value 1=OK, 0=Unsure, -1=Not OK
Policy: No continuous High load (label=2) for more than 3m
"""
req_L = int(timedelta(minutes=3).total_seconds()*sampling_rate)
#inneficient non-numpy shit, tempormanent solution
for i in range(labels.shape[0]):
if labels[i] == 2 or labels[i] == -1 :
k=1
while i+k < labels.shape[0] and (labels[i+k] == 2 or labels[i+k] == -1):
k+=1
if k == req_L:
if -1 in labels[i:i+k]:
return 0
else:
return -1
return 1
def checker_off(trace):
chunk_sample_length = 30
thresh = 1000
N = trace.shape[0]
nbr_windows = int(N/chunk_sample_length)
windows = trace[:chunk_sample_length*nbr_windows].reshape(nbr_windows,chunk_sample_length)
res = np.zeros(windows.shape[0],dtype=int)
for i in range(windows.shape[0]):
if np.any(windows[i]<thresh):
res[i] = -1
elif np.all(windows[i]>=thresh):
res[i] = 1
else:
pass
#value is already 0 by default
return res
total_counts = {"-1":0,"0":0,"1":0}
all_res = []
for f in data_filenames:
trace = np.load(f)
res = checker_off(trace)
print(res.shape)
unique, counts = np.unique(res,return_counts=True)
counts = dict(zip(unique,counts))
for key in counts.keys():
total_counts[str(key)]+=counts[key]
all_res.append(res.reshape(1,-1))
print(f"{f.split('/')[-1]}: {res.shape[0]} evaluations, {total_counts}")
final_res = np.concatenate(all_res,axis=0)
print(final_res.shape)
np.save(f"generated/{data_filenames[0].split('/')[-1].split('--')[0]}.npy",final_res)

34
trust/EMSOFT24/problem_statement.tex Normal file
View file

@ -0,0 +1,34 @@
\section{Problem Statement}
The problem this study investigates takes its roots in the intrinsic uncertainty in the measurement of physical values.
Any physical measurement system introduces noise or abnormal data.
The challenge resides in designing a trust framework capable of leveraging these uncertainties as a source of information.
\begin{problemstatement}
Given a series of indirect and uncertain observations of a system's integrity, provide a quantitative assessment of the trustworthiness of the system.
\end{problemstatement}
Indirect observations refer to data collected from sensors or monitoring systems that indirectly infer the system's state or behaviour rather than directly measuring it. This uncertainty arises from several factors, including the inherent limitations and imperfections of the sensing or monitoring systems, the complexity of the system being observed, and the inherent variability and unpredictability of the system's behaviour.
Indirect observations provide useful insights into systems but are subject to uncertainty due to the nature of their collection and interpretation. This uncertainty can affect the reliability of predictions or decisions based on those observations.
\subsection{Guiding Example}
To demonstrate the importance of trust evaluation in power traces and illustrate our approach, we present a reference problem from the field of \ac{cpss}.
This example is referenced frequently throughout this paper.
Consider a server deployed in a nuclear power plant control room.
This system easily qualifies as a critical infrastructure and its reliability and security are paramount.
Consider now that side-channel data, such as the server's power usage, is gathered and used as indirect observation for modelling the system's state.
Activity detectors process the power trace to detect the server's state.
The result is an array of state labels that maps each power measurement to a state such as \textit{off}, \textit{boot}, or \textit{High Load}.
To evaluate the integrity of the system, \ac{stl} properties indicate compliance with pre-defined policies.
The outputs are either ``satisfied (+1)'', ``uncertain (0)'', or ``violation (-1)''.
The policies are user-defined based on the domain knowledge related to the system under observation and represent the desired behaviour or constraints that the system should adhere to.
The trust framework uses as input the ternary array values computed by the \ac{stl}-checker.
By employing \ac{sl} formalism (see Section~\ref{sec:sl}), we obtain (1) trust index, which is an ongoing evaluation of the server's trust, (2) a trust snapshot representing the trust over the most recent interval window, and (3) recommended \ac{tca} from the framework to be taken by the user if the trust value decreases below a predetermined threshold.
The user can perform the suggested \ac{tca}, such as running antivirus software or rebooting the system. If these actions are detected in the power trace data, trust in the system will increase. \ac{tca} is explained in more detail in Section~\ref{sec:trust_calib_action}.

130
trust/EMSOFT24/proof.tex Normal file
View file

@ -0,0 +1,130 @@
\subsection{Proof}
To verify that our approach of cumulative fusion operator ($\oplus$) of multinomial opinions is valid, we verify that the operator preserves the properties that valid multinomial opinions must respect.
\begin{proof}[Property 1: $b+d+u = 1$]
The point is to prove that the fusion equation for multinomial opinions preserve the properties : $b+d+u = 1$ and $\sum_{i=1}^3a_i^H=1$. This method leverages the existing cumulative fusion operator ($\oplus$) for binomial opinions to handle multinomial opinions.
Given two multinomial opinions in a ternary domain $W^F$ and $W^G$, with cardinality $k=3$:
\begin{align*}
W^F=&\left([b_1^F,b_2^F,b_3^F], u^H, [a_1^F,a_2^F,a_3^F] \right)\\
W^G=&\left([b_1^G,b_2^G,b_3^G], u^H, [a_1^G,a_2^G,a_3^G] \right)
\end{align*}
Each multinomial opinion can be represented into $k$ binomial opinions, where each binomial opinion focuses on one element of the ternary set versus the other two:
\begin{align*}
W^F&=
\begin{array}{rl}
W^F_1=&\left(b_1^F, d_1^F=(b_2^F+b_3^F), u^H, a_1^F \right)\\
W^F_2=&\left(b_2^F, d_2^F=(b_1^F+b_3^F), u^H, a_2^F \right)\\
W^F_3=&\left(b_3^F, d_3^F=(b_1^F+b_2^F), u^H, a_3^F \right)\\
\end{array}
\end{align*}
\begin{align*}
W^G&=
\begin{array}{rl}
W^G_1=&\left(b_1^G, d_1^G=(b_2^G+b_3^G), u^H, a_1^G \right)\\
W^G_2=&\left(b_2^G, d_2^G=(b_1^G+b_3^G), u^H, a_2^G \right)\\
W^G_3=&\left(b_3^G, d_3^G=(b_1^G+b_2^G), u^H, a_3^G \right)\\
\end{array}
\end{align*}
A valid multinomial opinions must satisfy the conditions outlined in Eq.~\eqref{eq:mn_bmd} and~\eqref{eq:mn_brd}. The underlying binomial opinions hence then also satisfy the condition in Eq.~\eqref{eq:add_req}. The resulting binomial opinions also adhere to their respective base rate $a$, which affects the uncertainty component.
We want to perform the cumulative fusion operator ($\oplus$) on the multinomial opinions to obtain $W^H = W^F \oplus W^G$,
\begin{equation*}
W^H = \left( [b_1^H,b_2^H,b_3^H], u^H, [a_1^H,a_2^H,a_3^H] \right)
\end{equation*}
To achieve this we perform cumulative fusion for each pair of corresponding binomial opinions from the two multinomial opinions $W^F$ and $W^G$. The mapping involves treating each option in isolation against the others.
\begin{align*}
W^H&=
\begin{array}{rl}
W^H_1=&\left(b_1^H, d_1^H, u^H, a_1^H \right) = W^F_1 \oplus W^G_1\\
W^H_2=&\left(b_2^H, d_2^H, u^H, a_2^H \right) = W^F_2 \oplus W^G_3\\
W^H_3=&\left(b_3^H, d_3^H, u^H, a_3^H \right) = W^F_3 \oplus W^G_3\\
\end{array}
\end{align*}
The equations governing cumulative fusion of binomial opinions are listed in Eq.~\eqref{eq:cum_fus}. By applying the cumulative fusion to binomial opinions, we ensure that each pair of corresponding binomial opinions from two multinomial opinions is combined in a way that respects the subjective logic constraints.
The reconstructed multinomial opinion from the $k$ fused binomial opinions should also adhere to the constraints of subjective logic:
\begin{align*}
\sum_{i=1}^k (b_i + d_i + u_i) = k
\end{align*}
Let us consider the disbelief in the first component $d^H_1$.
\begin{align*}
d^H_1 &= \dfrac{d_1^Fu^G + d_1^Gu^F}{u^F+u^G-u^Fu^G} \\% because d_1 = b_2+b_3\\
&= \dfrac{(b_2^F+b_3^F)^Fu^G + (b_2^G+b_3^G)u^F}{u^F+u^G-u^Fu^G}\\
&= \dfrac{b_2^Fu^G+b_2^Gu^F}{u^F+u^G-u^Fu^G} + \dfrac{b_3^Fu^G+b_3^Gu^F}{u^F+u^G-u^Fu^G}\\
d^H_1 &= b_2^H + b_3^H
\end{align*}
By symmetry, we obtain the same results for the other components:
\begin{align*}
d^H_1 &= b_2^H + b_3^H\\
d^H_2 &= b_1^H + b_3^H\\
d^H_3 &= b_1^H + b_2^H
\end{align*}
From these expressions of the disbeliefs of $W^H$ using the beliefs of $W^F$ and $W^G$, we can evaluate the following goal equation $b^H+d^H+u^H=1$ for the first component:
\begin{align*}
&d_1^H = 1-u^H - b_1^H\\
&b_2^H + b_3^H = 1- \dfrac{u^Fu^G}{u^F+u^G-u^Fu^G} - \dfrac{b_1^Fu^G+b_1^Gu^F}{u^F+u^G-u^Fu^G}\\
%&b_2^Fu^G+b_2^Gu^F + b_3^Fu^G+b_3^Gu^F = u^F+u^G-u^Fu^G - u^fu^G - b_1^Fu^G-b_1^Gu^F\\
&\underbrace{(b_1^F+b_2^F+b_3^F-1)}_{\triangleq 1}u^G + \underbrace{(b_1^G+b_2^G+b_3^G-1)}_{\triangleq 1}u^F = -2u^Fu^G\\
&-u^Fu^G -u^Fu^G = -2u^Fu^G
\end{align*}
From here we can prove that
\begin{flalign*}
&\sum_{i=1}^k (b_i + d_i + u_i) = k \quad here \hspace{0.5em} k=3 &\\
&b_1^H + b_2^H + b_3^H + d_1^H + d_2^H + d_3^H + u^H + u^H + u^H = 3 &\\
&b_1^H + b_2^H + b_3^H + b_2^H + b_3^H + b_1^H + b_3^H + b_1^H + b_2^H + 3 u^H = 3 &\\
&3 b_1^H + 3 b_2^H + 3 b_3^H + 3 u^H = 3 &\\
&3 (b_1^H + b_2^H + b_3^H + u^H) = 3 &\\
&3 (1) = 3 &\\
&3 = 3 &
\end{flalign*}
We now verified that the goal relationship of the ternary belief function is respected when using the multinomial fusion functions provided above.
\end{proof}
\begin{proof}[Property 2: $\sum_{i=1}^ka_i=1$]
For the second property, we start with the known relationship with the two ternary belief functions:
\begin{align*}
\sum_{i=1}^3a_i^F=&1\\
\sum_{i=1}^3a_i^G=&1
\end{align*}
Through the fusion, the $ai$ value of the new function is expressed by
\begin{equation*}
a_1^H = \dfrac{a_1^Fu^G+a_1^Gu^F - (a_1^F+a_1^G)u^Fu^G}{u^F+u^G-2u^Fu^G}
\end{equation*}
From this equation, we can express the sum of all $a$ values of the new belief:
\begin{equation*}
\sum_{i=1}^3a_i^F=\dfrac{u^G\overbrace{\sum\limits_{i=1}^3a_i^F}^{\triangleq 1} + u^F\overbrace{\sum\limits_{i=1}^3a_i^G}^{\triangleq 1} -u^Fu^G(\overbrace{\sum\limits_{i=1}^3(a_i^F+a_i^G}^{\triangleq 2}))}{u^F+u^G-2u^Fu^G}
\end{equation*}
We can verify that the property on the $a$ values is respected.
\end{proof}

319
trust/EMSOFT24/references.bib Normal file
View file

@ -0,0 +1,319 @@
@book{josang2016subjective,
title={Subjective logic},
author={J{\o}sang, Audun},
volume={3},
year={2016},
publisher={Springer}
}
@inproceedings{maler2004monitoring,
title={Monitoring temporal properties of continuous signals},
author={Maler, Oded and Nickovic, Dejan},
booktitle={International Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems},
pages={152--166},
year={2004},
organization={Springer}
}
@article{shafer1992dempster,
title={Dempster-shafer theory},
author={Shafer, Glenn},
journal={Encyclopedia of artificial intelligence},
volume={1},
pages={330--331},
year={1992}
}
@book{jsang2018subjective,
title={Subjective Logic: A formalism for reasoning under uncertainty},
author={Jsang, Audun},
year={2018},
publisher={Springer Publishing Company, Incorporated}
}
@article{spatz2019review,
title={A review of anomaly detection techniques leveraging side-channel emissions},
author={Spatz, Devin and Smarra, Devin and Ternovskiy, Igor},
journal={Cyber Sensing 2019},
volume={11011},
pages={48--55},
year={2019},
publisher={SPIE}
}
@INPROCEEDINGS{9062014,
author={Xu, Aidong and Jiang, Yixin and Cao, Yang and Zhang, Guoming and Ji, Xiaoyu and Xu, Wenyuan},
booktitle={2019 IEEE 3rd Conference on Energy Internet and Energy System Integration (EI2)},
title={ADDP: Anomaly Detection for DTU Based on Power Consumption Side-Channel},
year={2019},
volume={},
number={},
pages={2659-2663},
keywords={Power demand;Feature extraction;Power grids;Monitoring;Security;Hardware;Resistors;Power Prid;Security;DTU;Side-Channel Analysis;Machine Learning},
doi={10.1109/EI247390.2019.9062014}
}
@article{DUNLAP201612,
title = {Using timing-based side channels for anomaly detection in industrial control systems},
journal = {International Journal of Critical Infrastructure Protection},
volume = {15},
pages = {12-26},
year = {2016},
issn = {1874-5482},
doi = {https://doi.org/10.1016/j.ijcip.2016.07.003},
url = {https://www.sciencedirect.com/science/article/pii/S1874548216301111},
author = {Stephen Dunlap and Jonathan Butts and Juan Lopez and Mason Rice and Barry Mullins},
keywords = {industrial control systems, Programmable logic controllers, Modification attacks, Side channels, Anomaly detection},
}
@ARTICLE{8653533,
author={Han, Yi and Christoudis, Ioannis and Diamantaras, Konstantinos I. and Zonouz, Saman and Petropulu, Athina},
journal={IEEE Signal Processing Magazine},
title={Side-Channel-Based Code-Execution Monitoring Systems: A Survey},
year={2019},
volume={36},
number={2},
pages={22-35},
keywords={Monitoring;Hidden Markov models;Malware;Antenna measurements;Temperature sensors;Power demand;Temperature measurement;Embedded systems;Internet of Things;Programmable logic devices},
doi={10.1109/MSP.2018.2887243}
}
@ARTICLE{8854845,
author={Gangwal, Ankit and Conti, Mauro},
journal={IEEE Transactions on Information Forensics and Security},
title={Cryptomining Cannot Change Its Spots: Detecting Covert Cryptomining Using Magnetic Side-Channel},
year={2020},
volume={15},
number={},
pages={1630-1639},
keywords={Cryptography;Smart phones;Time series analysis;Magnetic sensors;Central Processing Unit;Magnetoacoustic effects;Hardware;Altcoin;Bitcoin;cryptocurrency;detection;machine learning;mining},
doi={10.1109/TIFS.2019.2945171}
}
# Trust applications
@inproceedings{xu2016maintaining,
title={Maintaining efficient collaboration with trust-seeking robots},
author={Xu, Anqi and Dudek, Gregory},
booktitle={2016 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS)},
pages={3312--3319},
year={2016},
organization={IEEE}
}
@inproceedings{akash2020toward,
title={Toward adaptive trust calibration for level 2 driving automation},
author={Akash, Kumar and Jain, Neera and Misu, Teruhisa},
booktitle={Proceedings of the 2020 international conference on multimodal interaction},
pages={538--547},
year={2020}
}
@inproceedings{sheng2019case,
title={A case study of trust on autonomous driving},
author={Sheng, Shili and Pakdamanian, Erfan and Han, Kyungtae and Kim, BaekGyu and Tiwari, Prashant and Kim, Inki and Feng, Lu},
booktitle={2019 IEEE Intelligent Transportation Systems Conference (ITSC)},
pages={4368--4373},
year={2019},
organization={IEEE}
}
@inproceedings{okamura2018adaptive,
title={Adaptive trust calibration for supervised autonomous vehicles},
author={Okamura, Kazuo and Yamada, Seiji},
booktitle={Adjunct proceedings of the 10th international conference on automotive user interfaces and interactive vehicular applications},
pages={92--97},
year={2018}
}
# Trust Measurement Survey
@inproceedings{brzowski2019trust,
title={Trust measurement in human--automation interaction: A systematic review},
author={Brzowski, Matthew and Nathan-Roberts, Dan},
booktitle={Proceedings of the Human Factors and Ergonomics Society Annual Meeting},
volume={63},
number={1},
pages={1595--1599},
year={2019},
organization={SAGE Publications Sage CA: Los Angeles, CA}
}
@article{kok2020trust,
title={Trust in robots: Challenges and opportunities},
author={Kok, Bing Cai and Soh, Harold},
journal={Current Robotics Reports},
volume={1},
number={4},
pages={297--309},
year={2020},
publisher={Springer}
}
# Mutual Trust Modelling Framework
@inproceedings{basu2016trust,
title={Trust dynamics in human autonomous vehicle interaction: a review of trust models},
author={Basu, Chandrayee and Singhal, Mukesh},
booktitle={2016 AAAI spring symposium series},
year={2016}
}
# Trust Calibration
## Explaining decisions - Interpretable and Uncertainty-Aware
@article{tomsett2020rapid,
title={Rapid trust calibration through interpretable and uncertainty-aware AI},
author={Tomsett, Richard and Preece, Alun and Braines, Dave and Cerutti, Federico and Chakraborty, Supriyo and Srivastava, Mani and Pearson, Gavin and Kaplan, Lance},
journal={Patterns},
volume={1},
number={4},
year={2020},
publisher={Elsevier}
}
@inproceedings{mcdermott2019practical,
title={Practical guidance for evaluating calibrated trust},
author={McDermott, Patricia L and Brink, Ronna N ten},
booktitle={Proceedings of the Human Factors and Ergonomics Society Annual Meeting},
volume={63},
number={1},
pages={362--366},
year={2019},
organization={SAGE Publications Sage CA: Los Angeles, CA}
}
@article{de2023mutually,
title={Mutually Adaptive Trust Calibration in Human-AI Teams},
author={de Visser, Ewart J and Momen, Ali and Walliser, James C and Kohn, Spencer C and Shaw, Tyler H and Tossell, Chad C},
year={2023}
}
# Trust Measurement Techniques Catalog
@article{kohn2021measurement,
title={Measurement of trust in automation: A narrative review and reference guide},
author={Kohn, Spencer C and De Visser, Ewart J and Wiese, Eva and Lee, Yi-Ching and Shaw, Tyler H},
journal={Frontiers in psychology},
volume={12},
pages={604977},
year={2021},
publisher={Frontiers}
}
# Subjective Logic
@article{du2023scalable,
title={A Scalable and Trust-Value-Based Consensus Algorithm for Internet of Vehicles},
author={Du, Zhiqiang and Zhang, Jiaheng and Fu, Yanfang and Huang, Muhong and Liu, Liangxin and Li, Yunliang},
journal={Applied Sciences},
volume={13},
number={19},
pages={10663},
year={2023},
publisher={MDPI}
}
@inproceedings{cheng2021trust,
title={Trust-aware control for intelligent transportation systems},
author={Cheng, Mingxi and Zhang, Junyao and Nazarian, Shahin and Deshmukh, Jyotirmoy and Bogdan, Paul},
booktitle={2021 IEEE Intelligent Vehicles Symposium (IV)},
pages={377--384},
year={2021},
organization={IEEE}
}
@inproceedings{petrovska2020knowledge,
title={Knowledge aggregation with subjective logic in multi-agent self-adaptive cyber-physical systems},
author={Petrovska, Ana and Quijano, Sergio and Gerostathopoulos, Ilias and Pretschner, Alexander},
booktitle={Proceedings of the IEEE/ACM 15th International Symposium on Software Engineering for Adaptive and Self-Managing Systems},
pages={149--155},
year={2020}
}
@inproceedings{akhuseyinoglu2020automated,
title={On automated trust computation in iot with multiple attributes and subjective logic},
author={Akhuseyinoglu, Nuray Baltaci and Karimi, Maryam and Abdelhakim, Mai and Krishnamurthy, Prashant},
booktitle={2020 IEEE 45th Conference on Local Computer Networks (LCN)},
pages={267--278},
year={2020},
organization={IEEE}
}
@article{liu2019trust,
title={Trust assessment in online social networks},
author={Liu, Guangchi and Yang, Qing and Wang, Honggang and Liu, Alex X},
journal={IEEE Transactions on Dependable and Secure Computing},
volume={18},
number={2},
pages={994--1007},
year={2019},
publisher={IEEE}
}
@article{cheng2019trust,
title={Trust assessment in vehicular social network based on three-valued subjective logic},
author={Cheng, Tong and Liu, Guangchi and Yang, Qing and Sun, Jianguo},
journal={IEEE Transactions on Multimedia},
volume={21},
number={3},
pages={652--663},
year={2019},
publisher={IEEE}
}
@inproceedings{cheng2021general,
title={A general trust framework for multi-agent systems},
author={Cheng, Mingxi and Yin, Chenzhong and Zhang, Junyao and Nazarian, Shahin and Deshmukh, Jyotirmoy and Bogdan, Paul},
booktitle={Proceedings of the 20th International Conference on Autonomous Agents and MultiAgent Systems},
pages={332--340},
year={2021}
}
@inproceedings{liu2014assessment,
title={Assessment of multi-hop interpersonal trust in social networks by three-valued subjective logic},
author={Liu, Guangchi and Yang, Qing and Wang, Honggang and Lin, Xiaodong and Wittie, Mike P},
booktitle={IEEE INFOCOM 2014-IEEE Conference on Computer Communications},
pages={1698--1706},
year={2014},
organization={IEEE}
}
%replace with Independent Boot Process Verification using Side-Channel Power Analysis
@INPROCEEDINGS{10430037,
author={Hidden for blind review},
booktitle={hidden},
title={Title hidden for blind review},
year={2023},
volume={},
number={},
doi={0000}
}
@article{randolph2020power,
title={Power side-channel attack analysis: A review of 20 years of study for the layman},
author={Randolph, Mark and Diehl, William},
journal={Cryptography},
volume={4},
number={2},
pages={15},
year={2020},
publisher={MDPI}
}
@misc{palitronica,
title = "Hidden for blind review",
howpublished = "",
month = "",
year = "",
}
% title = "Palitronica",
% howpublished = {\url{ttps://www.palitronica.com/"}},
% month = "March",
% year = "2024",
%}

46
trust/EMSOFT24/related_work.tex Normal file
View file

@ -0,0 +1,46 @@
\section{Related Work}
\label{sec:related_work}
Cybersecurity requires information from the protected system to evaluate the integrity of a system properly.
Whether the goal is detection or prevention, the security system relies on quality and trustworthy source information to provide the user with helpful results.
Among the classic sources of information, such as log files, source code, or network traffic, side-channel information provides compelling insights into a system's activity.
Historically leveraged for attacks, side channels are directly correlated with the activity of a system and can be considered as a source of information like any other for defense.
Side-channel information is complementary to host or network information and possesses specific characteristics.
Side-channel can take many form but power consumption in particular is often leverages to obtain side-channel information \cite{randolph2020power}.
The independent and hard-to-forge nature of involuntary emissions increases the trustworthiness of the information and makes deployment and retrofitting to various machines possible.
However, the time series data containing the information in its raw form contains unlabeled measurements prone to noise.
Thus, tailored prepossessing of the raw time series is crucial when leveraging side-channel information.
After prepossessing, several methods can extract information from unlabeled time series.
A common usage is anomaly detection.
Anomaly detection systems are often capable of ingesting large datasets of unlabeled data.
The literature in this domain provides examples of applications to smart grid \cite{9062014}, industrial control systems \cite{DUNLAP201612} or \ac{iot} devices \cite{8653533}.
Another approach is the classification or recognition of time series patterns.
The pattern can be known-malicious and associated with malware activity \cite{8854845}.
On the opposite, the pattern can be known-good, and the protection system detects deviations from it \cite{10430037}.
Uncertainty in classification can occur due to noise in side-channel data.
Users must base their trust in the system on the classifications derived from these indirect observations.
\textit{Trust} refers to the level of trust that users perceive in the system or technology with which they are engaging.
A considerable amount of research focuses on the importance of trust in human-computer interactions, particularly in areas such as automation~\cite{akash2020toward, sheng2019case}, robotics~\cite{xu2016maintaining}, aviation~\cite{okamura2018adaptive}, and military~\cite{tomsett2020rapid}.
Efforts have also been made to establish trust frameworks that calibrate trust levels, as user trust can be influenced by elements such as system reliability, openness, error management, and interaction~\cite{basu2016trust, tomsett2020rapid, kok2020trust, mcdermott2019practical, de2023mutually, kohn2021measurement, akash2020toward}.
The findings of these studies indicate that most research on trust relies on subjective measures or user-defined criteria to assess trust specific to their studies~\cite{brzowski2019trust}.
Subjective measures for calculating trust are either self-reporting --- for example, filling out trust questionnaires like the Muir questionnaire~\cite{basu2016trust} --- or implicit measures, for example, observing user behavior, physiological responses, and facial expressions during interactions with the system.
%A study found that real-time trust cannot be reflected by traditional trust questionnaires such as Muir questionnaire~\cite{basu2016trust}.
\ac{sl}~\cite{josang2016subjective} is a mathematical framework for logical reasoning that accommodates uncertainty through subjective opinions.
\ac{sl} integrates probabilistic logic with the \ac{dst} of evidence~\cite{shafer1992dempster}, enabling the representation of uncertainty in real-world scenarios and trust modelling in distributed systems.
It facilitates trustworthiness evaluations via a probabilistic epistemic logic.
\ac{sl} defines multiple operators to combine opinions from diverse sources in various manners.
Subjective Logic has been applied to assess trust in autonomous driving~\cite{du2023scalable}, transportation infrastructure~\cite{cheng2021trust}, autonomous multi-agent systems~\cite{petrovska2020knowledge, cheng2021general} and \ac{iot} ~\cite{akhuseyinoglu2020automated}.
These studies mainly employed \ac{sl} in a binary field to analyze evidence, where the observation is classified as either true or false.
However, they have not addressed situations in which the classification of indirect observations is labelled as uncertain, switching from a binary to a ternary field.
However, \ac{sl} encounters challenges when analyzing opinions in complex network structures as it necessitates simplifying the network graph, leading to information loss~\cite{liu2014assessment}.
\ac{3vsl}~\cite{liu2014assessment} proposes another formalism to compute trust based on an arbitrary opinion graph, which characterizes trust as a three-part event (belief, distrust, uncertain).
\ac{3vsl} evaluates trust within intricate networks, such as social networks~\cite{liu2019trust, cheng2019trust}.
However, certain operators in the \ac{sl} formalism are not defined in \ac{3vsl}.
For instance, the cumulative fusion operator merges opinions on the same proposition across non-overlapping observations.

246
trust/EMSOFT24/review_trust_EMSOFT24.typ Normal file
View file

@ -0,0 +1,246 @@
#let act(body) = [
#text(fill: rgb(230, 76, 0))[Action: #body]
]
#let dact(body) = [
#strike(stroke: 2pt+black)[#text(fill: rgb(230, 76, 0))[Action: #body]]
]
#align(center)[*Trust Management with Subjective Logic for Safety Critical Systems in Uncertain Environments*]
Review \#374A
------------------------------------------------------------------------
Overall merit
*1.* Reject
Paper summary
The paper under review proposes a new system for trust management of
cyber physical system by using subjective logic and signal temporal
logic for trust assessment in uncertain environments. The theoretical
contribution of the paper is a development of a new cumulative fusion
formalism for subjective logic. This operator fuses multiple opinions
about the same proposition into a single, combined opinion, taking into
account the uncertainty inherent in each opinion. The authors prove that
this operator respects the goal relationship of the belief function.
Based on this new fusion formalism, they build a trust management
framework that aggregates data, generates a trust opinion over each time
interval end combines them with the ne fusion operator. The trust
management framework is then applied to two case studies.
*Strengths*
The new fusion operator is rigorously formalized and its correctness is
proven.
*Weaknesses*
- the use of STL for labeling the data is not explained, the used
formulas are very simple
#act[We could remove references to STL. The DSD does not truly use STL and the little it does is very simple and does not _require_ STL formalism. I agree it is cool to show that STL can be used but this is not the core of the proposed approach and it seems to confuse readers.]
- there is a large body of work on SLT based monitoring of CPS from
the formal methods community; it is unclear how this paper compares
and why these existing monitoring methods are not employed
#act[Again, maybe remove STL.]
- the overall motivation did not become clear and I do not see why I
need to use subjective logic on top of signal temporal logic
#act[Remove STL and reinforce the interest of subjective logic in the intro or presentation of the proposed approach]
- it is not obvious to me that combining opinions on trusts over
different time-windows is beneficial in CPS that are subject to
dynamic changes over time
#act[Provide a deeper analysis of the temporal relationship and the interest in not taking only the latest observation of trust.]
Review \#374B
------------------------------------------------------------------------
Overall merit
*2.* Weak reject
Paper summary
This paper presents a novel trust management framework for
Cyber-Physical Systems (CPSs). Utilizing observations from target
systems, such as power consumption, the framework employs an activity
detector and an STL checker to classify these observations into
"satisfaction (+1)," "uncertainty (0)," or "violation (-1)" based on
predefined STL properties. For any fixed interval window, the framework
leverages subjective logic (SL) to compute a trust snapshot opinion,
which evaluates the system's trustworthiness within the current time
interval, as well as a trust index opinion, which provides an assessment
of the system's overall trustworthiness. Additionally, the framework
optionally include trust calibration actions, which can be manually
designed to bolster trust in the system if it falls below a predefined
threshold.
Meta review:
The reviewers thought the problem considered in this paper is important
and interesting, but it should be improved at least from the following
aspects: 1, the motivation is unclear, particular, why subjective logic
is necessary for dealing with trust, some real-world examples are
needed. 2, there is a huge bulk of work on monitoring of CPS, but
unfortunately, no comparison with them.
*Strengths*
1. Unlike existing works, the proposed framework accommodates the
possibility of "unknown" evidence, enabling it to handle uncertain
information effectively.
2. By leveraging subjective logic, the proposed framework offers a
quantitative assessment of the system's trustworthiness.
*Weaknesses*
1. The main technical contribution extending beyond traditional
binary trust assessments to accommodate uncertainties appears
limited. Incorporating 'unknown' into the domain of subjective logic
does not present significant challenges.
#act[Well *you* try to do it and *you* make a paper then!]
2. It is difficult to assess or reason why the obtained trust snapshot
opinion and trust index opinion accurately capture the
"trustworthiness" of the system.
Detailed comments
Based on the observed data series, the proposed framework calculates
values intended to capture the system's "trustworthiness." It is crucial
to demonstrate, either theoretically or experimentally, why the proposed
metrics effectively represent "trustworthiness," considering that
numerous alternative metrics could be proposed.
#act[Difficult to provide as there are no ground truth. Need to think about that.]
Minor:
On page 4, right column, the notation "W_2^F \oplus W_3^G" should be
corrected to "W_2^F \oplus W_2^G".
#act[fix that]
Review \#374C
------------------------------------------------------------------------
Overall merit
*4.* Accept
Paper summary
The paper proposes a framework for utilizing Subjective Logic (SL) for
trust management. Core is the adoption of SL in two case studies (power
consumption of a NUC mini-PC from Intel, production data) for providing
a trust score even with uncertain or incomplete data. The framework is
intended for observations in cyber physical systems (CPS).
*Strengths*
- accountable derivation of adoption of SL for the case studies
- comprehensive description of both trust management framework and case studies
*Weaknesses*
- just a short discussion part
- a more comprehensive description of system reaction in the case of
violations and some evaluated evidence would support understanding
the effectiveness of the proposed framework for the use in CPS
#act[Not clear. Maybe talking about calibration actions (_reaction in the case of violation_)]
Detailed comments
the derivation of formulas given in Joesang "Subjective Logic" could be
shortened to more concise descriptions in favour of more detailed
description of interaction of the framework with the CPS in case of
violation
Review \#374D
------------------------------------------------------------------------
Overall merit
*1.* Reject
Paper summary
This paper proposes a model for quantifying trust in a system that uses
subjective logic. The model includes a trust index and a trust snapshot
for purposes of trust measurement, with trust calibration to allow the
user to adjust the trust. The design is evaluated with two case studies.
*Strengths*
Trust is an important concern in CPS, and it's interesting to see it
applies subjective logic for trust management purpose.
*Weaknesses*
- Poor motivation
#act[No. But we could still put more emphasis on the motivations.]
- Lack connection between the concepts and real-world scenarios
#act[Very no! Read the paper!]
- Unclear usefulness
#act[WHAT!? READ THE PAPER!]
- Lack comparisons to existing systems
#act[ok we could try to provide a baseline for comparison.]
Detailed comments
Managing trust in CPS is an important research problem, and the use of
subjective logics to this setting is interesting. Unfortunately, I feel
that the paper is rather immature and has a number of problems.
- The paper does not provide a convincing motivation to the proposed
framework. In the introduction, the description and importance of
trust management systems are so vague that it makes it impossible to
relate to real systems. A concrete example or use case should be
discussed to show where these systems are used and how bad
undertrust and overtrust would be.
- The concepts are not very well described. Where is the definition of
“integrity” (used in the problem statement)? Is it the same thing as
“trustworthiness”? How are “off”, “boot”, and “high load” in the
example related to integrity or trustworthiness? Real-world examples
should be provided to show what is a system with integrity and what
is a system without integrity.
#act[I still diasgree but for the few that read diagonaly we could maybe review the paragraphs explaining the real-world experiment and make it clearer.]
- The authors fail to address why the properties they prove in Sec.
IV-C are useful for real systems. What will be the consequences if
they dont hold?
- There are existing intrusion detection systems using different
techniques. How is the proposed method superior to existing
solutions? The case study does not have any metrics to show how
good/accurate a method is.
#act[First, it does not need to be superior to be interesting. We are not selling vacume cleaner we are doing research. Second, we can look into providing a baseline with other methods.]
In short, while I find trust an interesting topic, the paper falls short
in several important aspects, making its benefits and contributions
questionable.

136
trust/EMSOFT24/subjective_logic.tex Normal file
View file

@ -0,0 +1,136 @@
\section{Subjective Logic}
\label{sec:sl}
\ac{sl} accommodates uncertainty through subjective opinions, allowing for the representation of uncertainty in real-world scenarios. This is particularly valuable in \ac{scs}, where trust evaluations often rely on uncertain or incomplete information. This section gives a concise summary of \ac{sl} concepts pertinent to the trust management framework.
\subsection{Subjective Opinion}
Within \ac{sl}, subjective opinions serve as expressions of probabilities influenced by varying degrees of uncertainty. This enriched probabilistic logic framework allows for the explicit inclusion of uncertainty and subjective belief ownership, enabling the expression of confidence or doubt in beliefs. Opinions in \ac{sl} can be likened to Dirichlet and Beta probability density functions under specific mapping.
In \ac{sl} a domain represents the set of all possible outcomes or states that a variable can have. The cardinality \( k \) refers to the number of possible outcomes or states within a domain.
\begin{definition}\label{def:bin_op}
(Binomial Opinion~\cite{josang2016subjective}).
In \ac{sl} a binomial opinion \( \omega_{x} = (b_{x}, d_{x}, u_{x}, a_{x}) \), \( \forall b_{x}, d_{x}, u_{x}, a_{x} \in [0, 1]\) represents a probabilistic belief about a proposition in a binary domain that can have exactly two values \(\mathbb{X} = \{x, \overline{x} \}\). And let \( X \in \mathbb{X}\) be a random variable.
\end{definition}
\( b_{x} \): is the belief mass (i.e \( X = x \)),
\( d_{x} \): is the disbelief mass (i.e \( X = \overline{x} \)),
\( u_{x} \): is the uncertainty mass,
\( a_{x} \): is the base rate - the prior probability of \( X = x \)
With the additivity requirement:
\begin{equation}
b_{x} + d_{x} + u_{x} = 1
\label{eq:add_req}
\end{equation}
The projected probability of a binomial opinion concerning value \( x \) is defined by:
\begin{equation}
P(x) = b_{x} + a_{x} u_{x}
\label{eq:bin_prob}
\end{equation}
\begin{definition}\label{def:mln_op}
(Multinomial Opinion~\cite{josang2016subjective}).
A multinomial opinion in \ac{sl} is represented as a tuple of three values \( \omega_{Y} = (\textbf{b}_{Y}, u_{Y}, \textbf{a}_{Y}) \) applies to multinomial domains \( \mathbb{Y}\) with more than two possible outcomes or states that a variable can have i.e. \( k = \lvert \mathbb{Y} \lvert > 2 \). It deals with opinions where states are mutually exclusive and exhaustive options. Each state has its own projected probability of occurrence where:
\end{definition}
\( \textbf{b}_{Y} \): The belief mass distribution over \( \mathbb{Y}\),
\( u_{Y} \): The uncertainty mass.
\( \textbf{a}_{Y} \): The base rate distribution over \( \mathbb{Y}\)
The satisfies the following
\begin{equation}
\begin{aligned}
& \textbf{b}_{Y} : \mathbb{Y} \rightarrow [0, 1], \\
& u_{Y} + \sum_{y \in \mathbb{Y}} \textbf{b}_{Y}(y) = 1
\end{aligned}
\label{eq:mn_bmd}
\end{equation}
The base rate distribution \( a_{Y} \) is the base rate probability assignment to all possible values of \( Y \in \mathbb{Y}\):
\begin{equation}
\begin{aligned}
& \textbf{a}_{Y} : \mathbb{Y} \rightarrow [0, 1], \\
& \sum_{y \in \mathbb{Y}} \textbf{a}_{Y}(y) = 1
\end{aligned}
\label{eq:mn_brd}
\end{equation}
In multinomial opinions the belief mass distribution \( \textbf{b}_{Y} \) and the base rate distribution \( \textbf{a}_{Y} \) both have \( k \) parameters. While the uncertainty mass \( u_{Y} \) is a scalar value.
The projected probability of a multinomial opinion is defined by:
\begin{equation}
P_{Y}(y) = \textbf{b}_{Y}(y) + \textbf{a}_{Y}(y) u_{Y}, \quad \forall y \in \mathbb{Y}
\label{eq:mn_prob}
\end{equation}
Multinomial opinions are a generalisation of binomial opinions, in the same way as Dirichlet PDFs are a generalisation of Beta PDFs~\cite{josang2016subjective}. A multinomial domain can be reduced to a binary domain by mapping multiple possible outcomes into one with only two possible outcomes. It involves restructuring belief masses to accommodate the simplified binary outcomes.
\begin{definition}\label{def:evidence_op}
(Evidence-Based Opinion~\cite{josang2016subjective}).
Opinions within \ac{sl} may be derived through the analysis of observations collected from the system under scrutiny. The evidence vector \( \textbf{r}_{Y} \) is generated through system observations, where \( \textbf{r}_{Y}(y) \) shows how much evidence there is for each possible outcome in \( y \in \mathbb{Y}\). The belief mass distribution and uncertainty mass values are derived as follows:
\begin{equation}
\begin{aligned}
& \forall y \in \mathbb{Y} \\
& \textbf{b}_{Y}(y) = \frac{\textbf{r}_{Y}(y)}{ W + \sum_{y_{i} \in \mathbb{Y}} \textbf{r}_{Y}(y_{i})}, \\
& {u}_{Y} = \frac{W}{ W + \sum_{y_{i} \in \mathbb{Y}} \textbf{r}_{Y}(y_{i})}
\end{aligned}
\label{eq:evd_op}
\end{equation}
where \( W \) denotes the default non-informative prior weight, set to \( W = 2 \). Default base rate distribution can be set to \( \textbf{a}_{Y}(y) = \frac{1}{k} = \frac{1}{3}\). Base rates can be set to any arbitrary value as long as Eq.~\eqref{eq:mn_brd} is satisfied.
\end{definition}
\subsection{Operators}
\ac{sl} has several operators that facilitate in synthesizing and integrating opinions from multiple sources into a single unified opinion.
\begin{definition}\label{def:cum_fus}
(Cumulative Fusion Operator (\( \oplus \))~\cite{josang2016subjective}).
The cumulative fusion operator (\( \oplus \)) in \ac{sl} is used to combine opinions based on non-overlapping observations.
Given two binomial opinions \( \omega_{X}^{A} = (b_{X}^{A}, d_{X}^{A}, u_{X}^{A}, a_{X}^{A}) \) and \( \omega_{X}^{B} = (b_{X}^{B}, d_{X}^{B}, u_{X}^{B}, a_{X}^{B}) \), the cumulative fusion operation outputs the combined opinion \( \omega_{X}^{(A \lozenge B)} = \omega_{X}^{A} \oplus \omega_{X}^{B} \) as follows for \( u_{X}^{A} \neq 0 \vee u_{X}^{B} \neq 0 \):
\begin{equation}
\begin{aligned}
& b_{X}^{(A \lozenge B)}(x) = \frac{b_{X}^{A}(x) u_{X}^{B} + b_{X}^{B}(x) u_{X}^{A}}{u_{X}^{A} + u_{X}^{B} - u_{X}^{A}u_{X}^{B}}, \\
& d_{X}^{(A \lozenge B)}(x) = \frac{d_{X}^{A}(x) u_{X}^{B} + d_{X}^{B}(x) u_{X}^{A}}{u_{X}^{A} + u_{X}^{B} - u_{X}^{A}u_{X}^{B}}, \\
& u_{X}^{(A \lozenge B)} = \frac{u_{X}^{A} u_{X}^{B}}{u_{X}^{A} + u_{X}^{B} - u_{X}^{A}u_{X}^{B}}, \\
& a_{X}^{(A \lozenge B)}(x) = \frac{ a_{X}^{A}(x) u_{X}^{B} + a_{X}^{B}(x) u_{X}^{A} - (a_{X}^{A}(x) + a_{X}^{B}(x))u_{X}^{A}u_{X}^{B} }{u_{X}^{A} + u_{X}^{B} - 2u_{X}^{A}u_{X}^{B}}, \\
& if u_{X}^{A} \neq 1 \vee u_{X}^{B} \neq 1
\end{aligned}
\label{eq:cum_fus}
\end{equation}
\end{definition}
The cumulative fusion operator in subjective logic fuses multiple opinions about the same proposition into a single, combined opinion, taking into account the uncertainty inherent in each opinion.
For example, when employing the evidence-based opinion method in \ac{sl}, the server's performance is observed during non-overlapping hourly time frames and then combined to form a daily opinion. The observations from each hour are initially processed into an hourly opinion, contributing to the overall daily evaluation of the server's performance using the cumulative fusion operator. This enables a thorough analysis of the server's performance throughout the day.

155
trust/EMSOFT24/subjective_logic_old.tex Normal file
View file

@ -0,0 +1,155 @@
\section{Subjective Logic}
\label{sec:sl}
\textbf{Subjective logic extends traditional probabilistic logic by including uncertainty with opinions}
\ac{sl}~\cite{josang2016subjective} is a mathematical framework for logical reasoning that accommodates uncertainty through subjective opinions. \ac{sl} integrates probabilistic logic with \ac{dst} of evidence~\cite{shafer1992dempster}, enabling the representation of uncertainty in real-world scenarios and trust modeling in distributed systems. It facilitates trustworthiness evaluations via a probabilistic epistemic logic.
\ac{sl} finds utility in modeling situations fraught with uncertainty and unreliable sources, where subjective opinions can convey trust or belief in events and propositions. In essence, \ac{sl} serves as a versatile calculus for reasoning under uncertainty, offering a nuanced approach to probabilistic reasoning by incorporating subjective perspectives on belief and uncertainty.
\subsection{Subjective Opinion}
Within \ac{sl}, subjective opinions serve as expressions of probabilities influenced by varying degrees of uncertainty. This enriched probabilistic logic framework allows for the explicit inclusion of uncertainty and subjective belief ownership, enabling the expression of confidence or doubt in beliefs. Opinions in \ac{sl} can be likened to Dirichlet and Beta probability density functions under specific mapping.
In \ac{sl} a domain represents the set of all possible outcomes or states that a variable can have. The cardinality \( k \) refers to the number of possible outcomes or states within a domain.
\begin{definition}\label{def:bin_op}
(Binomial Opinion~\cite{josang2016subjective}).
A binary domain has exactly two values, and for example can be denoted by \(\mathbb{X} = \{x, \overline{x} \}\). And let \( X \in \mathbb{X}\) be a random variable.
A binary domain is used when modelling a situation that can have only two possible outcomes. It has cardinality \( k = 2 \). An example of such a situation can be the outcome of flipping a coin, where the outcome can either be heads or tails. In this scenario, if \( x \) represents heads is TRUE, then \( \overline{x} \) represents tails being TRUE (alternatively heads being FALSE). Also, if \( X = x \), this means that \( X \) has the value \( x \), so heads is TRUE.
The binomial opinion regarding the truth of \( x \) is represented as a tuple of four values \( \omega_{x} = (b_{x}, d_{x}, u_{x}, a_{x}) \), \( \forall b_{x}, d_{x}, u_{x}, a_{x} \in [0, 1]\) where:
\( b_{x} \): represents belief mass distribution - degree of belief that the outcome is heads (i.e \( X = x \))
\( d_{x} \): represents disbelief mass distribution - degree of belief that the outcome is tails (i.e \( X = \overline{x} \))
\( u_{x} \): represents uncertainty mass - uncertainty about the outcome of the coin toss.
\( a_{x} \): represents base rate - it signifies the prior probability on the outcome of the coin flip resulting in heads or tails without any evidence. For a fair coin, \( a_{x} \) can be assigned a value of 0.5, with equal probability of each outcome occurring.
With the additivity requirement:
\begin{equation}
b_{x} + d_{x} + u_{x} = 1
\label{eq:add_req}
\end{equation}
The projected probability of a binomial opinion concerning value \( x \) is defined by
\begin{equation}
P(x) = b_{x} + a_{x} u_{x}
\label{eq:bin_prob}
\end{equation}
\end{definition}
Continuing with the example of the coin flip, the value \( P(X = heads) \) represents the projected probability of getting heads.
\begin{definition}\label{def:mln_op}
(Multinomial Opinion~\cite{josang2016subjective}).
\textbf{dealing with opinions about three mutually exclusive and exhaustive options.}
In a multinomial domain there are more than two possible outcomes or states that a variable can have i.e. \( k = \lvert \mathbb{Y} \lvert > 2 \). Each state has its own projected probability of occurrence. For example, let \(\mathbb{Y} = \{y_{1}, y_{2}, y_{3} \}\) be a ternary domain. And \( Y \in \mathbb{Y}\) a random variable. The cardinality of a ternary domain is \( k = 3 \). An example of a ternary domain can be \( movie\_rating = \{ good, neutral, bad \} \). Here \( Y \) can only be singleton values from the domain \( \mathbb{Y} \), meaning that \( Y \) can either be good, or neutral or bad. Composite sets such as \( Y = \{ good, bad \} \) fall under hyperdomains.
\textbf{Multinomial opinions are a generalisation of binomial opinions, in the same way as Dirichlet PDFs are a generalisation of Beta PDFs. Since the domain has been reduced to binary, the Dirichlet PDF is reduced to a Beta PDF which is simple to visualise. The interpretation of Beta and Dirichlet PDFs is well established in the statistics literature, so the mapping of Definition 3.6 creates a direct mathematical and interpretation equivalence between Dirichlet PDFs and opinions, when both are expressed over the same domain X. The cumulative fusion operator is equivalent to updating prior Dirichlet PDFs by adding new evidence to produce posterior Dirichlet PDFs. Deriving the cumulative belief fusion operator is based on the bijective mapping between belief opinions and evidence opinions. The mapping is expressed in Definition 3.9.}
The multinomial opinion is represented as a tuple of three values \( \omega_{Y} = (\textbf{b}_{Y}, u_{Y}, \textbf{a}_{Y}) \) where:
\( \textbf{b}_{Y} \): The belief mass distribution - a belief mass assignment to all possible values of \( Y \in \mathbb{Y}\).
\( u_{Y} \): The uncertainty mass.
\( \textbf{a}_{Y} \): The base rate distribution - the prior probability of the outcomes over \( \mathbb{Y}\).
The satisfies the following
\begin{equation}
\begin{aligned}
& \textbf{b}_{Y} : \mathbb{Y} \rightarrow [0, 1], \\
& u_{Y} + \sum_{y \in \mathbb{Y}} \textbf{b}_{Y}(y) = 1
\end{aligned}
\label{eq:mn_bmd}
\end{equation}
The base rate distribution \( a_{Y} \) is the base rate probability assignment to all possible values of \( Y \in \mathbb{Y}\):
\begin{equation}
\begin{aligned}
& \textbf{a}_{Y} : \mathbb{Y} \rightarrow [0, 1], \\
& \sum_{y \in \mathbb{Y}} \textbf{a}_{Y}(y) = 1
\end{aligned}
\label{eq:mn_brd}
\end{equation}
In multinomial opinions the belief mass distribution \( \textbf{b}_{Y} \) and the base rate distribution \( \textbf{a}_{Y} \) both have \( k \) parameters. While the uncertainty mass \( u_{Y} \) is a scalar value.
The projected probability of a multinomial opinion is defined by:
\begin{equation}
P_{Y}(y) = \textbf{b}_{Y}(y) + \textbf{a}_{Y}(y) u_{Y}, \quad \forall y \in \mathbb{Y}
\label{eq:mn_prob}
\end{equation}
\end{definition}
\begin{definition}\label{def:evidence_op}
(Evidence Based Opinion~\cite{josang2016subjective}).
Opinions within \ac{sl} may be derived through the analysis of observations collected from the system under scrutiny. The evidence vector \( \textbf{r}_{Y} \) is generated through system observations, where \( \textbf{r}_{Y}(y) \) shows how much evidence there is for each possible outcome in \( y \in \mathbb{Y}\).
Continuing with the example of movie ratings of a certain director, who has produced 6 good movies, 1 neutral movie and 1 bad movie in the past. The resulting evidence vector then becomes \( \textbf{r}(good) = 6, \textbf{r}(neutral) = 2, \textbf{r}(bad) = 2 \). The default base rate distribution is set to \( \textbf{a}_{Y}(y) = \frac{1}{k} = \frac{1}{3}\). Base rates can be set to any arbitrary value as long as Eq.~\eqref{eq:mn_brd} is satisfied.
The belief mass distribution and uncertainty mass values are derived as follows:
\begin{equation}
\begin{aligned}
& \forall y \in \mathbb{Y} \\
& \textbf{b}_{Y}(y) = \frac{\textbf{r}_{Y}(y)}{ W + \sum_{y_{i} \in \mathbb{Y}} \textbf{r}_{Y}(y_{i})}, \\
& {u}_{Y} = \frac{W}{ W + \sum_{y_{i} \in \mathbb{Y}} \textbf{r}_{Y}(y_{i})}
\end{aligned}
\label{eq:evd_op}
\end{equation}
where \( W \) denotes the default non-informative prior weight, set to \( W = 2 \).
\end{definition}
Inputting the evidence values into Eq.~\eqref{eq:evd_op} yields the following multinomial opinion \( \omega_{Y} = (\textbf{b}_{Y} = [0.5, 0.167, 0.167], u_{Y} = 0.167, \textbf{a}_{Y} = [0.333, 0.333, 0.333]) \). The projected probability of the next movie can be calculated using Eq.~\eqref{eq:mn_prob} to get: \( P_{Y}(good) = 0.556, P_{Y}(neutral) = 0.222, P_{Y}(bad) = 0.222 \).
A multinomial opinion can be mapped to \( k \) binomial opinions \( Y \in \mathbb{Y}\). Consider the case where \( Y = good\), then a binary partition can be made for \( \overline{Y} = \{neutral, bad\} \). This binomial opinion would be for the case if the review is either good or not good. The sum of the belief mass of neutral and bad would equate to the disbelief mass \( d_{x} \). The base rate of the binomial opinion would be \( \textbf{a}_{Y}(good) \), and the uncertainty mass would be \( u_{Y} \) as is to yield \( \omega_{x} = (b_{Y}(good), (b_{Y}(neutral) + b_{Y}(bad)), u_{Y}, \textbf{a}_{Y}(good)) \).
\subsection{Operators}
\ac{sl} has several operators that facilitate in synthesizing and integrating evidence or opinions from multiple sources into a final
\begin{definition}\label{def:cum_fus}
(Cumulative Fusion Operator (\( \oplus \))~\cite{josang2016subjective}).
The cumulative fusion operator (\( \oplus \)) in \ac{sl} is used to combine opinions based on non-overlapping observations. If \( \omega_{D}^{1-5} \) and \( \omega_{D}^{6-10} \) is the multinomial opinion of the first 5 and last 5 movies respectively. Using cumulative fusion the overall opinion of all movies can be calculated via \( \omega_{D}^{1-10} = \omega_{D}^{1-5} \oplus \omega_{D}^{6-10} \).
\textbf{Cumulative fusion of evidence opinions simply consists of evidence parameter addition.}
\textbf{The cumulative fusion operator in subjective logic is used to fuse multiple opinions about the same proposition into a single, combined opinion, taking into account the uncertainty inherent in each opinion. For binomial opinions, the equations for cumulative fusion are well-defined.}
Given two binomial opinions \( \omega_{X}^{A} = (b_{X}^{A}, d_{X}^{A}, u_{X}^{A}, a_{X}^{A}) \) and \( \omega_{X}^{B} = (b_{X}^{B}, d_{X}^{B}, u_{X}^{B}, a_{X}^{B}) \), the cumulative fusion operation outputs the combined opinion \( \omega_{X}^{(A \lozenge B)} = \omega_{X}^{A} \oplus \omega_{X}^{B} \) as follows for \( u_{X}^{A} \neq 0 \vee u_{X}^{B} \neq 0 \):
\begin{equation}
\begin{aligned}
& b_{X}^{(A \lozenge B)}(x) = \frac{b_{X}^{A}(x) u_{X}^{B} + b_{X}^{B}(x) u_{X}^{A}}{u_{X}^{A} + u_{X}^{B} - u_{X}^{A}u_{X}^{B}}, \\
& d_{X}^{(A \lozenge B)}(x) = \frac{d_{X}^{A}(x) u_{X}^{B} + d_{X}^{B}(x) u_{X}^{A}}{u_{X}^{A} + u_{X}^{B} - u_{X}^{A}u_{X}^{B}}, \\
& u_{X}^{(A \lozenge B)} = \frac{u_{X}^{A} u_{X}^{B}}{u_{X}^{A} + u_{X}^{B} - u_{X}^{A}u_{X}^{B}}, \\
& a_{X}^{(A \lozenge B)}(x) = \frac{ a_{X}^{A}(x) u_{X}^{B} + a_{X}^{B}(x) u_{X}^{A} - (a_{X}^{A}(x) + a_{X}^{B}(x))u_{X}^{A}u_{X}^{B} }{u_{X}^{A} + u_{X}^{B} - 2u_{X}^{A}u_{X}^{B}}, \\
& if u_{X}^{A} \neq 1 \vee u_{X}^{B} \neq 1
\end{aligned}
\label{eq:cum_fus}
\end{equation}
\end{definition}

35
trust/EMSOFT24/todo_file.tex Normal file
View file

@ -0,0 +1,35 @@
Introduction
\begin{itemize}
\item The introduction is safety critical systems.
\item safety critical systems need to be monitored. Cyber security is an issue. computation is added to safety critical systems. people are required to monitor that computation.
\item \agd{todo} trust management is the path forward. Other people are currently incorporating trust values into systems
\item \agd{todo}trust management systems seem to be the way forward for human computer interaction in in critical applications
\item \agd{todo}So this work looks into trust management for it.
\end{itemize}
\ac{sl} finds utility in modeling situations fraught with uncertainty and unreliable sources, where subjective opinions can convey trust or belief in events and propositions. In essence, \ac{sl} serves as a versatile calculus for reasoning under uncertainty, offering a nuanced approach to probabilistic reasoning by incorporating subjective perspectives on belief and uncertainty.
\textbf{robust state estimation}, anything from the control side? controls people deal with this all the time. You get sensor readings and somehow your system needs to be robust. control systems people deal with this problem as well. uncertainty comes in as well because robust state estimation.
two paragraphs, five citations and just a sentence on how it differs from your part. And how it differs is straightforward because theirs is for control systems. So they have a mathematic description of the model of how the system behaves and how it should evolve. And as I understand, they use this model, the description, in order to correct for any type of attacks or to identify certain attacks. You do not assume that you have a model of the system.
\textbf{the motivation,}
Accurately assessing and quantifying trustworthiness in \ac{cpss} remains challenging due to dynamic environments and uncertainties in indirect observations, necessitating the development of a trust-based mechanism for reliable trust quantification.
there is already work on calculating trust using subjective logic in \ac{cpss}. reference that work here. But that work has focused on binomial opinions. in our work we specifically have data with the unsure label. mention 3SVL and no use of cumulative fusion.
talk about trust in human AI interaction. the importance the obstacles etc.
\textbf{the application, }
assume you get a plus one, zero, and minus one from An uncertain signal that was processed by a classifier
later on section X, we'll expand this to show how we use power traces for this.

55
trust/EMSOFT24/trust_framework.tex Normal file
View file

@ -0,0 +1,55 @@
\section{Trust Management Framework}
\label{sec:trust_mng_frmwrk}
In this section, we present our proposed trust management framework. The framework is designed to be flexible, adaptable, and not restricted to any specific industry or context. Users can tailor the framework to meet their specific needs and requirements.
\subsection{Data Acquisition and Processing}
\label{sec:data_proc}
The trust management framework takes the results of the \ac{stl}-checker and uses them as input. The input consists of values representing the domain specified by the user's output from the \ac{stl}-checker. This step involves gathering and processing the evidence data required for assessing trust, including error handling and data validation.
Each evidence instance corresponds to the classification of indirect observations and carries information about the satisfaction (+1), uncertainty, or violation (-1) of predefined \ac{stl} properties.
\subsection{Data Aggregation}
\label{sec:data_proc}
After acquiring and processing the data, the trust management framework aggregates instances of evidence over specific time intervals. The interval window \( \mathcal{I} \), represents a particular time frame within which observations are collected and processed. This interval window is user defined and can be customized to fit the needs of the observed system, guaranteeing flexibility to capture its dynamics and adapt to different operational situations. These observations are converted into a \(k\)-value evidence vector that holds the number of occurrences of each classification label.
In our running example, we form multinomial opinions on a ternary domain \(\mathbb{Y} = \{+1, 0, -1 \}\), which is a mapping of discrete values that indicate the ``satisfaction (+1)'', ``uncertainty (0)'', or ``violation (-1)'' of predefined \ac{stl} properties.
For a given interval window \( \mathcal{I} = 60 \hspace{0.5em} minutes\), \{6, 2, 2\} would mean six occurrences of +1, two occurrences of 0, and two occurrences of -1 in the 60-minute window.
\subsection{Trust Snapshot Opinion (\( \omega_{Y}^{S} \))}
\label{sec:trust_snapshot}
The \textit{trust snapshot opinion} (\( \omega_{Y}^{S} \)) is a concise assessment of system trustworthiness formed by creating a multinomial opinion over the \(k\)-value evidence vector using Eq.~\eqref{eq:evd_op}. The non-informative prior weight is set to \( W = 2 \), and the base rate distribution to \( \textbf{a}_{Y}(y) = \frac{1}{k} = \frac{1}{3}\).
The multinomial opinion \( \omega_{Y}^{S} \) is developed through evidence observation within a particular interval window \( \mathcal{I} \) and evaluates of the system's trustworthiness at that point in time. It does not consider the past or future conduct of the system.
The trust snapshot (\( T_{Y}^{S} \)) value represents the expected likelihood of (\( Y = +1 \)) for the opinion \( \omega_{Y}^{S} \), and is determined using Eq.~\eqref{eq:mn_prob}.
\subsection{Trust Index Opinion (\( \omega_{Y}^{I} \))}
\label{sec:trust_index}
The \textit{trust index opinion} (\( \omega_{Y}^{I} \)) is a pivotal metric within the trust management framework, offering a comprehensive assessment of the system's trust. The multinomial opinion \( \omega_{Y}^{I} \) encapsulates the aggregated opinions derived from the trust snapshot opinion and undergoes continuous updating to reflect the evolving trust value. The cumulative fusion operator within \ac{sl} described in Section~\ref{def:cum_fus} is employed to integrate the two multinomial opinions into an overarching trust index opinion:
\begin{equation}
\omega_{Y}^{I} = \omega_{Y}^{I} \oplus \omega_{Y}^{S}
\label{eq:trust_idx}
\end{equation}
The trust index opinion is subject to continuous updating to ensure its alignment with the evolving state of the system. This updating mechanism integrates new evidence from subsequent trust snapshot opinions, enabling the index to adapt and reflect the most current system behaviour.
The ``trust index (\( T_{Y}^{I} \))'' value represents the expected likelihood of (\( Y = +1 \)) for the opinion \( \omega_{Y}^{I} \), and is determined using Eq.~\eqref{eq:mn_prob}.
\subsection{\acexp{tca}}
\label{sec:trust_calib_action}
\textit{\ac{tca}} refer to measures that users can undertake to boost trust in the system if trust drops below a set threshold. Domain experts familiar with the system provide these actions to support troubleshooting and enhance system performance. \ac{tca} are not included in the trust management framework but rather complement its use case by tackling the issue of undertrust. \ac{tca} are recommendations offered to the user, which can be disregarded at their discretion.
For example, if the framework outputs a trust snapshot opinion with a very low trust value for a particular interval window \( \mathcal{I} \), possible \ac{tca} could be to run the anti-virus scan on the system. Alternatively, if the trust index opinion shows a decreasing trend over time, \ac{tca} action could include rebooting the system. Detection of \ac{tca} in the power trace leads to the satisfaction of an \ac{stl} property, increasing trust.
The framework generates a trust snapshot opinion (\( \omega_{Y}^{S} \)) and trust index opinion (\( \omega_{Y}^{I} \)) to assess system trustworthiness. The trust snapshot opinion offers a concise assessment for a particular interval window \( \mathcal{I} \), while the trust index opinion provides an overall evaluation considering past and present evidence. This allows users to evaluate trustworthiness at a specific point in time and track changes over time.
Both values are provided because, following extensive evidence collection, a trust snapshot opinion (\( \omega_{Y}^{S} \)) with a low trust value may not exert considerable influence on the trust index opinion (\( \omega_{Y}^{I} \)) due to \ac{sl} formalism. However, it remains crucial for the user to be aware that a particular trust snapshot opinion exhibits a low trust value as this signifies potential unreliability in the system at that specific moment. Thus, both values are presented to give users a comprehensive understanding of the system's trustworthiness.