This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2549019, IEEE Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING 1 Towards Trustworthy Multi-Cloud Services Communities: A Trust-based Hedonic Coalitional Game
Omar Abdel Wahab, Jamal Bentahar, Hadi Otrok, and Azzam Mourad
Abstract—The prominence of cloud computing led to unprecedented proliferation in the number of Web services deployed in cloud data centers. In parallel, service communities have gained recently increasing interest due to their ability to facilitate discovery, composition, and resource scaling in large-scale services’ markets. The problem is that traditional community formation models may work well when all services reside in a single cloud but cannot support a multi-cloud environment. Particularly, these models overlook having malicious services that misbehave to illegally maximize their benefits and that arises from grouping together services owned by different providers. Besides, they rely on a centralized architecture whereby a central entity regulates the community formation; which contradicts with the distributed nature of cloud-based services. In this paper, we propose a three-fold solution that includes: trust establishment framework that is resilient to collusion attacks that occur to mislead trust results; bootstrapping mechanism that capitalizes on the endorsement concept in online social networks to assign initial trust values; and trust-based hedonic coalitional game that enables services to distributively form trustworthy multi-cloud communities. Experiments conducted on a real-life dataset demonstrate that our model minimizes the number of malicious services compared to three state-of-the-art cloud federations and service communities models.
Index Terms—Cloud Computing; trust; malicious service; game theory; services community; cloud federation; social network; bootstrapping. !
1 INTRODUCTION 1.1 Problem Definition HE advent of cloud computing has led to a rapid increase in the Several services’ community formation models have been proposed in T number of Web services that are deployed in cloud data centers. the literature [3], [5], [6], [7], [8]. Although these models may work Practically, cloud providers have tendency to publish their computing well when services reside in the same data center, they are unable to services as Web services to keep up with the industry standards such as support multi-cloud communities formation. Nonetheless, cooperation WSDL, SOAP, UDDI, and RESTful Web services [1]. Although this between services from different clouds is often needed. In fact, besides increase has the advantage of expanding the user’s choice set, it entails the aforementioned benefits of the traditional services’ communities, several challenges related to the discovery, composition, and QoS multi-cloud services’ communities provide additional benefits for both management issues. In fact, discovering the relevant services among providers and customers. Practically, such an architecture increases hundreds or even thousands of services offering the same functionality the flexibility of providers in managing clients’ requests and meeting becomes a challenging task for cloud users. Similarly, selecting the the Service-Level Agreement (SLA) requirements by allowing them appropriate services to participate in composition sequences in the to move workloads from one provider’s site to another, when needed, cloud is becoming of combinatorial complexity. Moreover, the highly in a seamless manner. It allows as well to break down the customer’s competitive market imposed by the large number of services that data at the bit level in order to enable its parallel processing by service offer various functional/non-functional properties induces a contin- instances sharing the same application logic but residing at different uous dilemma for service providers between delivering high-quality clouds. Besides optimizing latency and throughput via enabling the services and affording their associated operational costs. On the other assignment of the requests to the most appropriate Virtual Machines hand, the demands for cloud-based services is expected to increase (VMs) at each provider’s site, protecting the privacy and security of in such a way that makes providers’ available resources insufficient the data is an additional motivation for customers to favor such a to deal with [2]. This raises the need for providers to reshape model, where each provider can be aware of only a small part of the their business strategies in order to upgrade their resource scaling data [9]. As a tangible example, allowing users to toggle between Bing capabilities. Communities of Web services [3] provide an effective or Google Maps in a visualization Web site would, besides improving platform for addressing the aforementioned challenges. The idea is to the service’s availability, enhance the user’s experience by allowing group services sharing same domain of interest or functionality into a him to select the service that he feels more familiar with 1. set of homogenous clusters. This has the advantages of (1) facilitating The main limitation that makes the existing community formation the discovery of services by enhancing their visibility towards users; models inappropriate for a multi-cloud environment is mainly their (2) reducing the complexity of building composition sequences in reliance on a centralized architecture whereby a central third-party the cloud by localizing the selection process; and (3) improving the called master [6] is responsible for managing the formation, member- QoS management by overcoming the problem of limited resources; ship, and security issues in the community. However, the distributed particularly at the Infrastructure-as-a-Service (IaaS) layer [4]. nature of cloud-based services plays against the existence of such a central entity. Practically, the fact that Web services are deployed in • O. Abdel Wahab and J. Bentahar are with the Concordia Institute for In- data centers that are located in disparate parts of the World means formation Systems Engineering, Concordia University, Montreal,´ Canada. that these services are managed by different parties and are owned by • H. Otrok is with the Department of ECE, Khalifa University of Science, different providers. Therefore, finding a common third party that is Technology and Research, Abu Dhabi, UAE. trusted by all providers and that can manage all these services is quite • A. Mourad is with the Department of Mathematics and Computer Science, Lebanese American University, Beirut, Lebanon. 1. http://www.jonasson.org/maps
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2549019, IEEE Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING 2 challenging. Back to the previous example of grouping Google and are structured. Although hedonic games have been already used in Bing in one community, finding a common master for that community similar settings [2], [15], our work is the first that employs the hedonic is difficult since Bing is owned by Microsoft and Google Maps coalitional game in conjunction with the notion of trust for security is owned by Google that are from the geographical point of view purposes in the domain of SOC. Moreover, our work is the first in separate and from the economic point of view competitors; which this domain that considers a fully and effectively hedonic setting makes the decision about the master problematic. in the formulation of the utility function. Specifically, the existing Federated cloud [10] offers a practical platform for joining to- approaches satisfy only some of the requirements of hedonic games, gether services from different clouds for better resource scaling based namely the use of preference relations for building coalitions and the on providers’ agreement. Despite their effectiveness for resource fact that the utility of any player in a given coalition depends only on scaling, cloud federations are unable to handle the composition and the members of that coalition. However, the utility functions used in discovery issues due to the fact that they operate at the provider’s all these approaches are formulated in such a way to be transferable (not service) level and focus solely on the IaaS cloud services’ among players, which contradicts with the definition of hedonic games layer. Moreover, both traditional community formation and cloud that are subsets of non-transferable utility games [16]. Moreover, the federation models rely on a honest adversary model wherein all essence of hedonic games, by which the term hedonic is inspired, services/providers are assumed to be trustworthy. However, in such relies on the idea that players seek to enjoy each other’s partnership, a multilateral environment whereby multiple clouds and providers apart from numeric considerations. Therefore, we believe that trust are involved, malicious services are likely to exist. Practically, these is the best candidate to be used for formulating the non-transferable malicious services may misbehave by unilaterally deviating either utility function without contradicting with the spirit of hedonic games. from their agreements with other services upon community/federation Summarizing, the main contributions of this paper are: formation or from the SLAs made with users, with the aim of • Proposing a polynomial-time services discovery algorithm that saving resources and/or gaining advantage over other services. Such enables services to inquire about each other’s behavior based on malicious services can be referred to as passive malicious services. the concept of tagging in online social networks. Unlike the active malicious services that launch active attacks (e.g., • Proposing a trust aggregation technique that uses the Dempster- Denial of Service) to harm other parties, passive malicious services Shafer [17] theory of evidence and advances a credibility update misbehave to illegally maximize their own benefits. mechanism to ensure obtaining trust results that are resilient to the collusion attacks even when attackers are the majority. 1.2 Contributions • Proposing a trust bootstrapping mechanism that combines the concept of endorsement in online social networks with the Trust is evolving as one of the hottest, yet challenging, topics in decision tree classification technique to assign initial trust values cloud computing [11]. The importance of trust arises mainly because for the newly deployed services. of the unclear, inconsistent, and often uncommitted clauses of the • Modeling the multi-cloud community formation problem as a official contracts such as SLAs [12]. A main challenge that encounters trust-based hedonic coalition formation game and proposing a trust is how to ascertain the credibility of the trust relationships in relevant algorithm that converges to a final Nash-stable and the presence of collusion attacks in which attackers collude to give individually stable coalition partition of services. misleading judgments. The purpose of attackers in such a type of The performance of the proposed game is analyzed both theoretically attacks is to either promote or demote some other services and deceive and experimentally using a real-life cloud services dataset obtained hence the trust result. Moreover, assigning initial trust values for from the CloudHarmony service2. Simulation results show that the the newly deployed services having no past interactions, known as proposed game is able to produce trustworthy communities that trust bootstrapping, is a major challenge that encounters any trust minimize the number of malicious members, while improving their establishment mechanism. Although many trust frameworks [12], overall performance in terms of availability, throughput, and response [13], [14] can be found in the literature in the domains of cloud time compared to three state-of-the-art cloud federation and services computing and Service-Oriented Computing (SOC), most of these community formation models. approaches focus solely on one particular issue (particularly the trust aggregation) and ignore some other important issues that encounter any trust framework. In this work, we propose a comprehensive trust 2 RELATED WORK framework called DEBT (Discovery, Establishment, and Bootstrap- In this section, we provide a literature review on the concepts of Web ping Trust) that provides a stepwise guide for services to build trust re- Services Communities and Cloud Federations. lationships starting from discovering services and collecting feedback, down to bootstrapping new services and aggregating feedback in a collusion-resistant manner. Each step in the proposed trust framework 2.1 Communities of Web Services is designed to work both effectively and efficiently, while bridging The concept of community has been extensively investigated in the the gap of the state-of-the-art trust problems. DEBT is designed in a context of Web services. In [18], the authors envisaged communities fully distributed manner that eliminates the need for any central entity as service containers that share functionally-similar services. The aim to regulate the different steps of the trust framework. Specifically, we is to facilitate the composition processes when the number of services model trust as a private relationship between each pair of services is large. Maamar et al. [3] proposed a hierarchical architecture for such rather than a public measure. For example, if service S1 trusts another communities that has become later a common trend for this concept. service S2 with a belief degree of b, it is not necessary that another In this architecture, a central entity called master is responsible for service S3 would trust S2 with the same belief b. administrating the operations of the slave services. In [6], Medjahed et Based on DEBT, we design a trust-based hedonic coalitional game al. considered communities as ontological entities providing generic with nontransferable utility that aims to find the optimal coalition functions for a set of functionally-similar services. These functions partition that minimizes the number of malicious members. Hedonic may be customized later based on the underlying purposes. All of games are a type of coalitional games in which players have prefer- the aforementioned approaches focus on the composition process ences over the coalitions that they may be member of and the utility optimization and ignore the incentives that would encourage services of any player in a certain coalition depends solely on the identity of the members of that coalition regardless of how other services 2. http://cloudharmony.com/
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2549019, IEEE Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING 3 to form communities. In [7], Liu et al. investigated a coalitional game
for the community formation while accounting for the incentives of S7 the services in that process. The worth of the community is evaluated S2 in terms of price and cost that depend heavily on the availability S4 provided by the services. In a close work, Khosrowshahi-Asl et al. [8] proposed a coalitional game to boost the cooperation among services
S1 (S3->S4: M, S4->S3: T) (S4->S6: T, S6->S4: M) within communities. The key idea is to guarantee the stability of the S5 Cr(S3->S4): 0.34, Cr(S4->S3): 0.2 Cr(S4->S6): 0.5, Cr(S6->S4): 0.2 communities in the sense that membership requests to the community
are accepted only if they do not get the utility of the existing members (S6->S5: T, S5->S6: T)
Cr(S5->S6): 0.23, Cr(S6->S5): 0.8 decreased. In [5], the authors modeled the community formation as S3 a Stackelberg game that differentiates between services on the basis
of their advertised parameter such as reputation, market share, and S6 capacity of handling requests. Fig. 2: Social Network Graph: Vertices represent services and edges Overall, the problem of the existing community formation models represent the interactions among services. is their ineffectiveness in a multi-cloud community formation environ- ment. On the one hand, they rely on a centralized architecture in which a central entity coordinates the operations of the community, which 3 SYSTEM MODELAND ASSUMPTIONS contradicts with the distributed nature of cloud-based services. On the other hand, they overlook the malicious services in the formation In this section, we present and discuss the system and attack models. process whose presence is likely in the multi-cloud environment. 3.1 System Model 2.2 Cloud Federations Let S = {S ,...,Sn} be a finite set of services, where each service In [10], Rochwerger et al. paved the way for the notion of cloud 1 Si ∈ S is characterized by a set of available resources R = {R1,...,Rn} federations by introducing the concept of RESERVOIR whose main (e.g., amount of memory, number of cores, etc.). Let G = (S,E,J) goal is to explore the technologies needed to handle the scalability be a directed social network graph representing the relationships problem faced by a single provider model. They discussed the notion between these services, where each edge (Si,S j) ∈ E indicates an of cloud federations wherein providers characterized by large capacity interaction between service Si and service S j. Thus, if (Si,S j) ∈/ E then of computing infrastructure may lease some of their resources to services Si and S j had no interaction in common. Each edge (Si,S j) is other providers who lack temporarily for such resources. Goiri et al. associated with a judgement J(Si,S j) 6= J(S j,Si) ∈ {T,M} that denotes [19] addressed the problem of cloud federations from the perspective each service’s judgment on any other service based on their previous of increasing providers’ profits. They proposed several equations to interactions. For example, the judgment pair (S → S : T,S → S : M) help providers decide when to outsource resources to other providers, 1 2 2 1 between services S1 and S2 in Fig. 2 indicates that S1 rates S2 as when to insource free resources to other providers, and when to trustworthy, whereas S rates S as malicious (i.e., J(S ,S ) = T shutdown unused nodes to save power. In [20], Van den Bossche 2 1 1 2 and J(S2,S1) = M). To decide about this judgement, services use the et al. formulated a Linear Programming model to assist providers following well-known satisfaction metric [22]: with deciding which workloads to outsource and to which providers in such a way to maximize the utilization of internal data center, Sat(Si,S j) J(Si,S j) = , (1) minimize the cost of running outsourced tasks, and keep up high Tot(Si,S j) QoS constraints. Recently, game theory has been widely used to where Sat(S ,S ) denotes the number of interactions between S and address the problem of forming cloud federations. In [21], Niyato i j i S that S considers are satisfactory and Tot(S ,S ) denotes the total et al. proposed a coalitional game among cloud providers. First, a j i i j number of interactions between S and S . stochastic linear programming game model that takes into account the i j Based on Eq. (1), if J(S ,S ) > then S rates S as trustworthy, random internal demand of cloud providers is formulated to analyze i j β i j where is a threshold that is set by each service depending on the resource and revenue sharing for a certain group of providers. β the type of the other service(s) being evaluated. For example, the Thereafter, a coalitional game that enables cloud providers to form interactions with an online payment service would be weighted higher cooperative groups for resource and revenue sharing is presented. The than those of a weather forecasting service. Otherwise, S would be objective is to exploit the under-utilized resources when the internal j rated as malicious. As mentioned earlier, the objective is to form demand in cloud data centers is less than the capacity of providers. trusted multi-cloud services communities (Fig. 1a) between services In [2], Mashayekhy et al. investigated a hedonic coalitional game that geographically distributed across multiple cloud data centers using a focuses on the cooperation among IaaS services to improve resources distributed trust model. The trust towards a certain service S is built scaling capabilities. The resources considered are provisioned as VM j by collecting judgments on this service from its direct neighbors N(S ) instances of different types (e.g., small, large, etc.). The objective is j in G (i.e., the services that had interacted with S ). To this end, each to form the federations that yield the highest profit in terms of cost j service S holds a fixed number of inquiries it is allowed to make and and price of the underlying VMs. i Overall, cloud federations focus exclusively on improving the denoted by Inq(Si). Initially, all services have an equal amount of this resource scaling capabilities among IaaS providers. On the other hand, metric, which is updated later during the trust establishment process communities is a more general architecture that supports, in addition (See Section 4). Since services may be either truthful or collusive in to resource scaling, discovery, marketing and composition facilitation. judging the other services, each pair of services (Si,S j) ∈ S has a belief Thus, cloud federations may be considered as a subset of services in credibility (Cr(Si → S j) = n,Cr(S j → Si) = m) that represents each communities. Besides, the existing cloud federations formation mod- service’s accuracy level in judging the other services, where n and m are two decimal numbers. Based on the collected judgments, each els overlook the problem of having malicious services/providers that S service S builds a belief in trustworthiness denoted by belie f j (T) constitute a serious challenge for the success of such an idea. To i Si S the best of our knowledge, our work is the first that accounts for and a belief in maliciousness denoted by belie f j (M) for any other Si the problem of malicious services in both services’ communities and service S j it is interested in forming community with. It’s worth noting cloud federations formation scenarios. that such a mechanism does not entail any privacy breach as only the
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2549019, IEEE Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING 4