The vast amount of data in constant transit throughout the Compute Continuum necessitates a continuous evaluation of trust to ensure data security, while the pressing need for low network latency must also be managed. Whilst traditional approaches often treat trust as a one-time binary decision, CASTOR Horizon shifts towards and beyond a “Below-Zero-Trust” modality, ensuring that the trustworthiness of network elements is always verifiable in real time. Dynamic trust metrics (evidence of real-time trustworthiness such as secure boot status and runtime configuration) are ingrained into the overall traffic engineering process. Coupled with a Federated Trust Assessment Framework, they allow for optimal management of fluctuations in network behaviour, such that only the most trustworthy network paths can be used for the delivery of critical services.
Quantifying Trust: Subjective Logic and Uncertainty
At the foundation of the trust assessment process is the formal encapsulation of the concept of “trust” itself. CASTOR implements Subjective Logic as the core calculus for this purpose. Subjective Logic allows reasoning about trust in the presence of uncertainty. Entities operating within a network can collect and analyse various pieces of evidence in real time, which are subsequently quantified into a Subjective Logic Trust Opinion.
A trust opinion (ω) is composed of four components: (b, d, u, a), where b = belief, d = disbelief, u = uncertainty and a is a base rate (i.e. the probability that a claim is true in the event of no relevant evidence).
Subjective Logic allows for the evaluation of trust opinions based on collected evidence, resulting in a quantifiable and verifiable metric that conveys the likelihood of a claim. Crucially, as part of the evaluation process, uncertainty (i.e. ignorance due to a lack of evidence) is systematically taken into account. This ensures that resulting trust levels are not overly confident if insufficient evidence was available during the evaluation process.
Federated Trust Assessment
To ensure scalability and robustness across the Computing Continuum, the CASTOR Trust Assessment Framework (TAF) implements a Federated Trust Assessment modality, relying on Local and Global TAF agents to exchange trust-related information and ensure an up-to-date view of the trust posture of an entire network. Local TAF agents are built into individual entities on the network (such as routers), focusing on the self-assessment of trust with respect to device integrity. Local TAFs can also form trust opinions on the trustworthiness of neighbouring routers to provide the Global TAF with a more complete picture. The Global TAF maintains the overall trust topology of the entire network, collecting trust reports from Local TAF agents (as well as other telemetry data, such as latency and bandwidth information) to be able to derive end-to-end path-level trust with respect to additional trust properties beyond integrity, such as confidentiality and availability.
Dealing with Multiple Sources: Discounting and Fusion
In such a complex network environment grounded in the very idea of trust, how can a Global TAF be sure that the information it receives from a Local TAF is itself trustworthy? Furthermore, how can multiple trust reports received from different Local TAFs be systematically combined by the Global TAF such that no information is lost, and any conflict is carefully considered?
These are the core challenges in the Federated Trust Assessment modality, and CASTOR mitigates these challenges through the use of Subjective Logic Discounting and Fusion. Discounting allows the Global TAF to modulate a received opinion with respect to its opinion on the reporting Local TAF agent. For example, if a router is known to exhibit untrustworthy behaviour, the Global TAF can weaken any opinion it receives from that router by increasing its uncertainty (and, conversely, trustworthy routers can have uncertainty decreased).
Similarly, if two Local TAF agents provide the Global TAF with their opinions on the same event of interest, the Global TAF uses fusion operators to combine these views into a single, consolidated perspective. Many different discounting and fusion operators exist, and they can be chosen based on context, the requirements of the network operator and the specific trust property being assessed. For example, a specific fusion operator may be chosen if disagreement (i.e. conflicting evidence) should be emphasised, resulting in a final opinion that better reflects the perspectives of all participating entities.
From Theory to the Real World
Ultimately, this process results in an Actual Trustworthiness Level (ATL) – a trust opinion that accurately conveys a complete picture of the trustworthiness of a part of the network, whether that be a router, the link between two routers, or even an end-to-end path across the entire network topology. This value can be used to verify whether or not the network element satisfies the trustworthiness requirements defined by the network service provider, resulting in a Trust Decision that states if that element can be trusted. In practice, this verification compares the ATL with a threshold Required Trust Level (RTL) value, which is calculated by the Risk Assessment process.
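The pipeline described above, as an added example that is not CASTOR's own code: evidence is turned into opinions, the Global TAF discounts each Local TAF report by its trust in the reporter, fuses the results into an ATL and compares it with an RTL. It uses the standard Subjective Logic trust discounting and cumulative fusion operators, which the page does not say CASTOR selects. The router names, evidence counts, the RTL of 0.9 and the scalar comparison on projected probability are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Opinion:
    b: float        # belief
    d: float        # disbelief
    u: float        # uncertainty (b + d + u = 1)
    a: float = 0.5  # base rate

    def projected(self) -> float:
        # Projected probability: belief plus the base-rate share of uncertainty.
        return self.b + self.a * self.u

def from_evidence(pos: float, neg: float, a: float = 0.5, w: float = 2.0) -> Opinion:
    # Evidence-to-opinion mapping; w is the non-informative prior weight.
    total = pos + neg + w
    return Opinion(pos / total, neg / total, w / total, a)

def discount(trust_in_source: Opinion, report: Opinion) -> Opinion:
    # Trust discounting: scale b and d by the projected trust in the reporter;
    # the mass removed from b and d becomes uncertainty.
    p = trust_in_source.projected()
    b, d = p * report.b, p * report.d
    return Opinion(b, d, 1.0 - b - d, report.a)

def cumulative_fuse(x: Opinion, y: Opinion) -> Opinion:
    # Cumulative belief fusion of two opinions on the same claim.
    if x.a != y.a:
        raise ValueError("this sketch assumes equal base rates")
    if x.u == 0.0 and y.u == 0.0:  # two dogmatic opinions: weight them equally
        return Opinion((x.b + y.b) / 2, (x.d + y.d) / 2, 0.0, x.a)
    k = x.u + y.u - x.u * y.u
    return Opinion((x.b * y.u + y.b * x.u) / k,
                   (x.d * y.u + y.d * x.u) / k, x.u * y.u / k, x.a)

def trust_decision(atl: Opinion, rtl: float) -> bool:
    # Assumption: the ATL is compared with a scalar RTL via projected probability.
    return atl.projected() >= rtl

# Constructed scenario: two Local TAFs report on the integrity of router R3.
trust_r1 = from_evidence(40, 0)   # Global TAF's opinion of reporter R1
trust_r2 = from_evidence(3, 9)    # reporter R2 has behaved untrustworthily
report_r1 = from_evidence(6, 2)   # R1 observed mixed evidence about R3
report_r2 = from_evidence(48, 0)  # R2 vouches strongly for R3
RTL = 0.9                         # constructed threshold

naive = cumulative_fuse(report_r1, report_r2)  # reports taken at face value
atl = cumulative_fuse(discount(trust_r1, report_r1), discount(trust_r2, report_r2))
print("undiscounted:", trust_decision(naive, RTL), "discounted:", trust_decision(atl, RTL))
```

Taken at face value, the strong report from the low-trust router lifts R3 above the threshold; once each report is discounted by the trust in its reporter, the fused ATL falls below the RTL and the Trust Decision is negative.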
Overall, the Federated Trust Assessment modality facilitates the derivation of optimal paths across vast and dynamic network environments. Subjective Logic provides a foundation for reasoning about trust in a verifiable manner, ensuring that gaps in knowledge (uncertainty) are still considered during the evaluation process, resulting in more accurate trust opinions that lead to actionable trust decisions in real time. CASTOR seeks to enhance traffic engineering with trust-aware routing decisions, such that degradations of network quality can lead to revisions in traffic engineering policies in real time.