Secure information sharing in social agent interactions using information flow analysis

Shahriar Bijani, David Robertson, David Aspinall
2018 Engineering applications of artificial intelligence  
When we wish to coordinate complex, cooperative tasks in open multi-agent systems, where each agent has autonomy and the agents have not been designed to work together, we need a way for the agents themselves to determine the social norms that govern collective behaviour. An effective way to define social norms for agent communication is through the use of interaction models such as those expressed in the Lightweight Coordination Calculus (LCC), a compact executable specification language based on logic programming and pi-calculus. Open multi-agent systems have experienced growing popularity in the multi-agent community and are gaining importance as large-scale distributed systems become more widespread. A major practical limitation to such systems is security, because the very openness of such systems opens the door for adversaries to exploit vulnerabilities introduced through acceptance of social norms. This paper addresses a key security vulnerability of open multi-agent systems governed by formal models of social norms (as exemplified by LCC). A fundamental limitation of conventional security mechanisms (e.g. access control and encryption) is the inability to prevent information from being propagated. Focusing on information leakage in choreography systems using LCC, we suggest a framework to detect insecure information flows. A novel security-typed LCC language is proposed to prevent information leakage. Both static (design-time) and dynamic (run-time) security type checking are employed to guarantee no information leakage can occur in annotated agent interaction models. The proposed security type system is discussed and then formally evaluated by proving its properties. Two disadvantages of pure dynamic analysis are its late detection and its inability to detect implicit information flows. We overcome these issues by performing static analysis. The proposed security type system supports non-interference, i.e. high-security input to the program never affects low-security output. However, it disregards information leaks due to the termination of the program.
doi:10.1016/j.engappai.2018.01.002 fatcat:ebcillzhkvgpfakg2g2xouojle