
International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems

© World Scientific Publishing Company

TOWARD SECURE AND CREDIBLE INFORMATION SHARING USING INFORMATION SUPPLY CHAINS

Shuang Sun*, Peng Liu*, Guruprasad Airy+, Shizhuo Zhu*, John Yen*
School of Information Sciences and Technology*
Department of Computer Science and Engineering+
The Pennsylvania State University
University Park, PA 16802

Information assurance and information sharing are two contradictory yet important tasks in a
distributed and information-rich environment. Many reports on the intelligence failures in
preventing the tragic events of September 11 challenge current information technologies, which are
often segregated for ease of information assurance, and demand systems that better support
information sharing requirements. To meet this challenge, we propose an information supply chain
(ISC) framework that aims not only to promote legitimate information sharing, but also to enforce
secure access controls and to provide an effective way to improve information credibility. An
initial implementation has demonstrated that information-sharing agents based on the ISC framework
can capture, consolidate, investigate, and satisfy dynamic information requirements in a secure,
credible, and timely manner. We expect this research to yield further results that can help
information technology practitioners understand the challenges and make information systems
efficient and accountable.
Keywords: information sharing, information assurance, information leakage, credibility, trust,
information supply chain

1. Introduction
Information assurance and information sharing are two contradictory yet important tasks
in a distributed and information rich environment. Information sharing in a secure fashion
is a daunting challenge, since we must deal with information content that ranges from the
simple to the complex [8]. The Markle Foundation Task Force reports [2] that the
challenges of homeland security raise a critical need to create a decentralized network for
information sharing and analysis with key characteristics such as focusing more on
preventive strategy and avoiding blind spots. Unfortunately, such an envisioned network
is hard to create because current information sharing systems have the following
limitations. First, the existing systems are susceptible to a single point of failure. Second,
the systems are mostly designed to flow information only up to senior agencies, not
down to operational entities or out to other parties. Third, the information given to first
responders is oftentimes irrelevant and not actionable [2]. To overcome these
weaknesses, a general design guideline called the System-wide Homeland Analysis and
Resource Exchange network (SHARE) has been proposed [2]. SHARE argues for developing
loosely coupled architectures that 1) are robust to a single point of failure, 2) support
directory-based services and real-time operations, and 3) offer security and accountability
services to prevent abuse. How to realize the SHARE network, however, is still an open
issue.
To enable effective information sharing and analysis, we propose a framework called
ISC (Information Supply Chain), which is based on ideas from supply chain
management (SCM), a widely used framework in business management science. ISC
aims not only to promote legitimate information sharing, but also to enforce secure
access controls and to improve information credibility. A configurable information-
sharing-agent architecture has been designed to capture, consolidate, investigate, and
satisfy dynamic information requirements in a secure, credible, and timely manner. Our
goal is not to give a complete set of solutions regarding all aspects of information
sharing. Instead, we aim to create ISC as an SCM metaphor: a set of concepts, methods,
theories, and technologies that can help to organize concepts, unify existing methods, and
discover new solutions that have been neglected.
In the following, Sections 2 and 3 describe the ISC framework from the sharing and
assurance perspectives. Then we discuss related issues in Section 4. Section 5
summarizes this paper.

2. ISC from Information Sharing Perspective


Information sharing refers to activities that distribute useful information among multiple
entities (people, systems, or organizational units) in an open environment. Sharing
information raises four questions: 1) what to share, 2) whom to share with, 3)
how to share, and 4) when to share. Answering these questions well can greatly improve
information-sharing results: avoiding overload or deficiency, reducing sharing cost, and
being more responsive. To address those questions and achieve better information-
sharing results, we propose a framework called “information supply chain” or ISC.

2.1. Information Supply Chain

[Fig. 1a. A material supply chain: Materials → Suppliers → Manufacturers → Distributors → Customers. Fig. 1b. An information supply chain: Information sources → Scanning agents → Interpretation agents → Broker agents → Users.]

Supply chain management (SCM) is an approach widely used in management science. A
supply chain fulfills its customers’ material demands through a network of companies, mainly
including a) suppliers that provide materials, b) manufacturers that make products, and c)
distributors that allocate products to customers. Fig 1a shows a typical material supply
chain. Similar to a material supply chain, an information supply chain* (ISC) fulfills
users’ information requirements through a network of information-sharing agents (ISA) that
may include a) scanning agents that gather information and provide it to other
agents, b) interpretation agents†[12] that make sense of the information, and c) broker
agents that collect users’ requirements and satisfy them with proper
information. Fig 1b shows an information supply chain.
Developing the ISC framework requires understanding information-sharing problems,
defining terms, developing methods, and choosing evaluation criteria. A material supply
chain has two primary targets: to balance demand and supply, and to improve efficiency
and responsiveness [5]. These are also the primary goals for sharing information. So,
creating an Information Supply Chain Management framework offers us the opportunity
to look at the information-sharing problem from a new perspective, and to better leverage
the existing research effort in the SCM framework to find new solutions to information
sharing.
First, the ultimate goal of both ISC and SCM is to balance demand and supply.
Unbalanced demand and supply may lead to poor supply chain
performance: either high cost due to oversupply or poor customer service due to stock-
outs. Information sharing has the same goal: unbalanced demand and supply can cause
problems such as information overload and information deficiency.
Second, we can easily find the counterparts of SCM concepts in the ISC
framework. For example, basic activities and objects (or entities) in SCM such as purchase,
sales, product, supplier, customer, or warehouse correspond to those in ISC: query,
inform/answer, information, supplier, requester, or knowledge base. Even complex
concepts in SCM have their counterpart in ISC. For example, a bill of materials (BOM)
lists the components needed to produce one unit of a product. Checking each
component’s availability can reveal the shortage for the desired production. Fig 2a shows a
simple BOM in a tree structure: a computer is composed of a machine, a monitor and a
keyboard. The machine is composed of a main-board, a CPU, and a hard-disk.
[Fig. 2a. A BOM tree: Computer → Machine ×1, Monitor ×1, Keyboard ×1; Machine → Main-board ×1, CPU ×1, Harddisk ×1. Fig. 2b. An IDR tree: (Dangerous ?group) ← (Has_key_insurgent ?group ?insurgent), (Group_size ?group large); (Has_key_insurgent ?group ?insurgent) ← (Member ?group ?insurgent), (On_wanted_list ?insurgent).]

We can find similar composition or dependency relationships among information. For
example, an information type may depend on several pieces of supporting information or
evidence, each of which may further depend on other supporting information. Such a
dependency relationship is called an information dependency relation (IDR), which can also
be represented in a tree-like structure. Fig 2b shows an IDR tree about anti-terror
intelligence analysis. We use logical predicates to represent information types and rules to
represent dependencies among information types‡. (Dangerous ?group) is a predicate;
“(Has_key_insurgent ?group ?insurgent) and (Group_size ?group large) -> (Dangerous
?group)” is a rule. Each node in the tree corresponds to the application of an antecedent-
consequent rule. A group is labeled as “has key insurgents” if the group has a member
who is on the wanted list. A group is considered “dangerous” if the group has a key
insurgent and its size is large. Suppose a group is large and its members are known.
Diagnosing the IDR can identify the missing information: “whether the members are on the
wanted list”. Such IDR trees can also be used for information fusion as described in [14].

* An ISC is different from the information flow of a supply chain.
† Scanning and interpretation are from Weick’s sensemaking framework.
After developing the concepts, we can adopt business models to handle information-
sharing problems. For example, vendor managed inventory (VMI) is a business model
in which vendors manage their customers’ inventories. After a customer sets its
demands over a period of time, the vendor monitors the customer’s stock and decides to
refill when the stock level is low. It is an effective model that enables a company to focus
its attention on customer service. We can adopt the VMI model for information subscription,
in which a provider updates its subscribers about any new or changed information. By
subscription, a user can save time on queries and spend the time on processing
information. We call subscription a counterpart of VMI. Other business models that have
no counterparts in information sharing can suggest new ways of sharing information.
Finally, we evaluate information supply chains by two criteria that are used to
evaluate material supply chains: fill rate and total cost. Fill rate measures
responsiveness: the more demands are fulfilled, the better the performance. Total cost
measures efficiency by considering the number of actions taken for seeking or sharing
information. However, fill rate and total cost cannot be used for “quality control”, that is, to
evaluate how well the provided information satisfies requirements. In Section 3.2, we
introduce credibility of information, which can serve as an effective “quality
control” indicator.


‡ We use logical rules as an example for IDR. However, IDR can also be used to capture other dependencies
such as aggregative or selective relations among views and data sources.

2.2. Realizing ISC using Information Sharing Agents


[Fig. 3. The information sharing agent architecture: an Information Requirement Planning module (steps 1a anticipate, 1b inquiry, 2 consolidate investigation requirements, 3a investigate, 3b diagnose, 3c query) with a Demand Manager and Anticipator, a Supply Manager, a Communication Manager, a Knowledgebase Manager, a Process Manager, and a Decision Model; arrows show the requirement flow and the investigation flow.]

In order to further study how to use ISC to share information, we design and implement
an information sharing agent (ISA) architecture, which can be used to model entities for
constructing an ISC. The information sharing agent architecture is composed of a
communication manager, a knowledge base, a process manager, a decision model, and an
information requirement planning (IRP) module, which interacts with other components
through a demand manager and a supply manager. Fig 3 illustrates the agent architecture,
and Fig 4 gives the interface screenshots for an IRP, a communication manager, a process
manager, and a knowledge base. Readers may refer to [10, 11] for detailed information
regarding the ISC framework and implementation of ISA agent architecture.

Fig. 4. The interfaces of information sharing agents



Communication manager
The communication manager governs inter-agent communication. An agent may either
initiate a new conversation context or simply follow existing ones. The manager
organizes related messages into conversation sessions, and monitors the development of
on-going conversations.

Knowledge base
The knowledge base is a forward-chaining rule-based system. Each agent has an internal
knowledge base (KB) to maintain what it believes regarding the external world. In
addition, the KB specifies how to represent information, information sources, and
information dependency relations (IDR).

Process manager
The process manager manages the templates of predefined plans, each of which contains
preconditions, termination conditions, fail conditions, effects, contingency plan, and a
process body. Upon being requested by the decision-making module or the information
manager, the process manager can instantiate plan instances from appropriate templates.
An agent may run multiple plan instances simultaneously, each of which can be in active,
suspended, wait, failed, or terminated state. The process manager is responsible for
scheduling the execution of plan instances based on the constraints associated with the
instances and the KB's current state.

Information Manager
The information manager coordinates information requirements, launches investigations,
and fulfills the requirements. Fig 3 shows the steps of this process as numbered labels.
First, initial information requirements are collected by a demand manager, which either
anticipates others’ requirements (1a) or creates requirements upon request (1b). Next, the
requirements are consolidated and prioritized by the IRP algorithm (step 2). Then, the
IRP investigates each requirement following an investigation strategy, which specifies an
order of different investigation methods. An agent has three methods to investigate:
taking an investigation action (3a), diagnosing a requirement and seeking information for
its dependent requirements (3b), and querying others who might know or can obtain the required
information (3c). Last, a supply manager monitors the investigation status and fulfills the
requirements when information is available.

3. ISC from Information Assurance Perspective


As pointed out by the SHARE guideline, an information sharing system should “offer
security and accountability services to prevent abuse”. Clearly, an information sharing
system should be both secure, preventing unauthorized information access, and
accountable, allowing only trusted information to be shared among agents. In this
section, we describe two methods to address this need: an IDR based authorization model
and an IDR based information credibility estimation framework. The authorization model
ensures security from the information pull perspective, so that only legitimate requirements can
be satisfied, whereas the credibility model ensures security from the information push
perspective, so that only credible information can be shared, and only credible sources can be
trusted.
It should be noted that besides authorizing information access and quantifying
information credibility, there are several other important information assurance issues
associated with ISC, such as secure communications (among agents) and key
management, protocols to ensure authenticity and non-repudiation, intrusion detection
and response when some agents are compromised, and maintaining availability in the face of
denial-of-service attacks. These issues and the corresponding information assurance
techniques are complementary to the proposed authorization model and information
credibility estimation framework, but they are out of the scope of this paper.

3.1. IDR Based Authorization Model


Based on an information dependency relationship (IDR), we propose a distributed
authorization model for the security concerns of the ISC framework. First, we define the
concept of authorization. Then, we will give the IDR based authorization model. Last, we
propose an algorithm that can verify authorization models.

Authorization
In an information supply chain, each agent is responsible for maintaining and enforcing
its own security concerns. In other words, authorization and enforcement are
distributed. For a particular agent, an authorization can be defined in the following form:
Definition 1. An authorization ∂ ∈ A × Ψ × P, where
• A is the set of customer agents that the agent has
• Ψ is the set of information types that the agent knows
• P = {0, 1} indicates whether access (read) is granted (1) or disallowed (0).
Thus, an authorization ∂ is a three-tuple (a, I, p), where
• a represents an agent’s identification,
• I represents an information type,
• p represents whether a is permitted to access information of type I. We call
an authorization positive if p = 1, otherwise we call it negative.
For example, ∂ = (Alice, Salary, 1) is a positive authorization, which defines that
Alice is permitted to access the Salary information. The set of all authorizations for a
particular agent a is called the authorization profile of that agent, and is denoted as ∂(a).
For example, ∂(a) = {(a, I1, 0), (a, I2, 1), (a, I3, 0)} describes the authorization profile for
agent a. According to the authorization profiles, an agent decides whether to allow or deny the
requested access to an information type from another agent. For example, according
to ∂ = (Bob, Salary, 0), Bob’s access requests for the Salary information will be denied.

It is worth clarifying three issues about the definition. First, in ISC, after a piece of
information is gathered or created by an agent, it is used primarily for read purposes.
Modifying a piece of information can be modeled as creating a new piece of information
(e.g., a new version associated with a new creator). Second, fine-grained authorizations
specified against information instances can easily be obtained by extending the authorization
model. Such fine-grained authorizations are useful when an agent needs to have different
authorizations on two information instances of the same type. For example, an agent may
know the location of its acquaintances, but it should not know the location of President
Bush. Last, in order to make authorizations flexible, we can introduce context
information such as roles [9], groups, tasks, etc. Different contexts may suggest different
authorizations [4]. For instance, when an agent has been authorized for a certain task, the
agent should be authorized to access the relevant information; when the task is finished,
the agent should not have the authorizations anymore. To keep the later discussion clear,
we will not consider instance-level security and context-based security.
Definition 2. Authorization policy: suppose that for a particular customer a, a set of
information types χ, χ ⊆ Ψ, represents the information types that a provider agent
is concerned with: it either grants authorization because of the role of the customer agent or denies
authorization because certain information needs to be protected. The provider agent
must create authorizations ∂'(a) for all the information types that belong to χ: the
authorization of χ for a is complete. ∂'(a) is called the authorization policy for customer
a, ∂'(a) ⊆ ∂(a). The remaining authorizations, ∂(a) − ∂'(a), are called optional
authorizations.
According to the “least authorization principle”, all optional authorizations should be
negative. Optional authorizations differ from the negative authorizations in a policy.
Unlike optional authorizations, which have no clear reason other than “the information
is not useful for the agent”, negative authorizations in a policy have clear reasons to deny
access and keep the information “confidential”.

IDR-L Based Authorization


Because interpretation of information and diagnosis of dependent information
requirements are based on the information dependency relationship (IDR), it is important to
consider IDR when defining authorizations. However, the IDR used for
security concerns differs from that used for information sharing. To distinguish the two
IDR concepts, we call the IDR for security concerns IDR-L (information dependency
relation, leak relation).
Definition 3. Information leakage: In a policy, an authorization ∂ = (a, I, 0) is supposed to
prevent agent a from getting I. If a can infer I from other information, we say there is an
information leak for I. The information types that lead to the derivation of I are called
leak sources. The relation between the leak sources and information type I is called the leak
relation. The probability of a leak relation from a leak source to the information type I
is called the leak risk.

[Fig. 5a. Logical relations as an and-or tree over the information type nodes {A…G} (∧ = And node, ∨ = Or node). Fig. 5b. An IDR tree based on the and-or tree. Fig. 5c. An IDR-L graph with leak risks on the edges (for example, B → A 100% and A → B 50%).]

Being a link between different types of information, IDR-L explicitly models how
information can be leaked from various leak sources. Unlike IDR, IDR-L is difficult to
derive from the information relations (logic, composite, selective). We use Fig 5a,
5b, and 5c to clarify the differences among information relations, IDR and IDR-L. Fig 5a
is an and-or tree that represents logical relations among a set of information type nodes
{A…G}; Fig 5b is an IDR tree that is based on the and-or tree; Fig 5c is an IDR-L graph.
On one hand, we can tell the difference between an and-or tree and an IDR tree: an IDR
tree is more general than an and-or tree. For example, in Fig 5b, A depends on B and C; B
depends on D and E. From the IDR perspective, the two dependencies are the same. Similar
to logic relations, information relations such as “composition, selective, aggregation” can
also form an information dependency relation (IDR). On the other hand, we can tell the
differences between an IDR tree and an IDR-L graph. An IDR tree is one-directional,
whereas an IDR-L graph is bi-directional. A dependency relation is one-directional: A
depends on B, but B does not depend on A. A leak relation is bi-directional: B can certainly
(100% chance) derive A; A may derive B with a certain probability (50%). Moreover,
IDR-L may not have a tree structure because there may be leak relations between sibling
nodes. For example, having {B, E} may be enough to infer D.
Leak risks are difficult to calculate from the information relations. For example,
suppose information B can be derived from D and E. Without further knowledge, one
cannot calculate the degree of leak risk from D or E to B and vice versa. This is why
our model does not include methods that generate the IDR-L graph from
information relations such as logic relations. Leak relations should be estimated by
security experts. From this perspective, our model is very different from existing
statistical database inference control models [1].
Additionally, the IDR-L model does not consider the combination conditions of leak
sources. For example, suppose B can be derived from {D, E}. Having information D
alone may impose a low risk of information leakage to B. However, having {D, E} at the
same time increases the leakage risk for B significantly. Therefore, it appears
that the IDR-L model should consider this factor. Nevertheless, authorizations that are
based on the assumption of combination conditions of leak sources are sensitive to
collaborative hacking.
[Fig. 6a. Authorization for Alice: D+ and E−, each with 0% leak risk to B−. Fig. 6b. Authorization for Bob: D− and E+, each with 0% leak risk to B−. Fig. 6c. Authorization problem when Alice collaborates with Bob: D+ and E+ together give a 100% leak risk to B.]

In collaborative hacking, agents can obtain a piece of information without needing to
obtain an authorization for that type of information and without needing to violate
combination conditions. For example, Fig 6a and 6b specify authorization profiles for
Alice and Bob respectively. Both authorization profiles are based on the assumption of
combination conditions, which means that individually they should not be able to derive B:
0% leak risk, but the leak risk of the combination {D, E} is 100%. If Alice and Bob do not
collaborate, the leak risk should be 0%. However, if Alice collaborates with Bob (Fig 6c),
they will be able to derive B: Alice provides D, and Bob provides E. In addition to the
combination condition that {D, E} can infer B, it is sometimes possible to use {B, D} to
infer E: using the parent node and some child nodes to infer other child nodes. Again,
this assumption is sensitive to collaborative hacking. Therefore we believe these
assumptions should be considered only after finding a way to prevent collaborative
hacking.

Leakage Check
The objective of using authorizations is to control the risk of information leakage below an
acceptable level (acceptable leak risk).
Definition 4. Leak-proof: The authorizations that allow an agent a to access the leak
sources are called leak authorizations. All leak authorizations are positive. In an
authorization policy, if all the probabilities of information leakage are lower than the
acceptable leak risk, we call the authorization policy leak-proof.
Leak-proof is an important property that any authorization policy should have.
Although information leakage has been discussed in [13] in an XML publishing
context (not about security), those methods are based simply on logical inference, and they
do not consider the probability of leak risk. In contrast, our goal is to protect against leakage
of information types with negative authorizations: to lower the risks of leakage to a level
that is smaller than the acceptable leak risk. An acceptable leak risk can be defined at a) the
policy level: all information types have the same acceptable leak risk level, b) the
information type level: each information type has its own acceptable leak risk level
depending on the nature of the information type; or c) the information instance level: each
individual information instance has an acceptable leak risk level depending on the criticality
of the information. In this paper, we define acceptable leak risk at the policy level. Algorithm
1 can check whether an authorization policy is leak-proof.
Algorithm 1. Leakage check
Note:
1) leak_sources(I) and leak_risk(L, I) are specified in the IDR-L graph.
2) acceptable_leak_risk is given.
3) A leak source L with no authorization in ∂'(a) is an optional authorization (case 3 of expected_leak_risk).
leakage_check(∂'(a)):
  1. for all negative authorizations (a, I, 0) in ∂'(a)
  2.     if (max_leakage_risk(I) > acceptable_leak_risk) return false;
  3. return true;
max_leakage_risk(I):
  1. if leak_sources(I) is empty return 0;
  2. else return max{ expected_leak_risk(L, I) : L ∈ leak_sources(I) };
expected_leak_risk(L, I):
  1. if (a, L, 1) ∈ ∂'(a) return leak_risk(L, I);
  2. else if (a, L, 0) ∈ ∂'(a) return 0;
  3. else return max_leakage_risk(L) × leak_risk(L, I);

Theorem 1. A policy that passes the leak check specified as Algorithm 1 is leak-
proof.
Proof: According to the IDR-L graph, Algorithm 1 enforces that the maximum risk of
leakage for any risky information type (one whose authorization is negative) is below the
acceptable leak risk. Hence, the result satisfies the definition of leak-proof. Therefore,
authorization policies that pass the check are leak-proof.
Algorithm 1 does not consider the optional authorizations: since they are set to
negative, including them could cause authorization leakages, that is, optional authorizations
may lead to violations of leak-proof. However, people generally should not care about leakage of
information types that are covered only by optional authorizations.
Leak-proof is critical for an information supply chain because the ISC framework
assumes that information can be derived based on the IDR-L. Derivative or leakage
relations can introduce chances for unauthorized information access. In Fig 5c, a policy
that includes (Bob, C, 1) and (Bob, F, 0) is not leak-proof. There is a definite chance for
Bob to know information of type F if Bob obtains information of type C. As suggested by
Theorem 1, with Algorithm 1 an agent can find leakages and prevent problems that are
caused by derivative leak relations.
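The following Python implementation of Algorithm 1 is an added example, not code from the paper or its ISA implementation. It encodes an IDR-L graph as a table of leak risks: the B → A (100%), A → B (50%) and C → F (100%) edges follow the discussion of Fig 5c, every other edge value and every policy below is constructed for illustration, and a cycle guard is added because the bi-directional graph can loop through optional types.

```python
"""Leak-proof check (Algorithm 1) over an IDR-L graph.

Added example, not the paper's own code. LEAK_RISK[(L, I)] is the probability
that an agent holding information of type L can derive information of type I.
The B -> A, A -> B and C -> F values follow the text's Fig 5c discussion;
every other edge value here is constructed.
"""
from typing import Dict, FrozenSet, List, Tuple

# IDR-L graph: (leak source L, target type I) -> leak risk.  Edges run both
# ways because leak relations are bi-directional, unlike IDR dependencies.
LEAK_RISK: Dict[Tuple[str, str], float] = {
    ("B", "A"): 1.00, ("C", "A"): 1.00,   # children derive the parent with certainty
    ("A", "B"): 0.50, ("A", "C"): 0.60,   # parent derives a child only probabilistically
    ("D", "B"): 0.80, ("E", "B"): 0.40,
    ("B", "D"): 0.70, ("B", "E"): 0.10,
    ("C", "F"): 1.00,                      # the Fig 5c case: holding C reveals F
    ("F", "G"): 0.05, ("G", "F"): 0.10,
}

# Authorization policy ∂'(a) for one customer agent a: information type -> 1 / 0.
# Types absent from the policy are optional authorizations (Definition 2).
Policy = Dict[str, int]


def leak_sources(info: str) -> List[str]:
    """Every L with an IDR-L edge L -> info."""
    return [src for (src, dst) in LEAK_RISK if dst == info]


def max_leakage_risk(policy: Policy, info: str,
                     visiting: FrozenSet[str] = frozenset()) -> float:
    """Highest probability that a obtains `info` through any single leak source."""
    sources = leak_sources(info)
    if not sources:
        return 0.0
    # Cycle guard (not part of Algorithm 1): the graph is bi-directional, so an
    # optional type can lead back to one already on the path.  A walk that
    # revisits a type only multiplies in more factors <= 1, so pruning it never
    # lowers the maximum.
    on_path = visiting | {info}
    return max(expected_leak_risk(policy, src, info, on_path) for src in sources)


def expected_leak_risk(policy: Policy, src: str, info: str,
                       on_path: FrozenSet[str]) -> float:
    """Risk contributed by one leak source, case by case as in Algorithm 1."""
    decision = policy.get(src)
    if decision == 1:           # a holds src directly
        return LEAK_RISK[(src, info)]
    if decision == 0:           # src is itself denied; Algorithm 1 counts nothing here,
        return 0.0              # its own leak risk is checked by the top-level loop
    if src in on_path:          # optional type already on the path: pruned
        return 0.0
    # Optional authorization: a must first derive src, then info from src.
    return max_leakage_risk(policy, src, on_path) * LEAK_RISK[(src, info)]


def find_leaks(policy: Policy, acceptable_leak_risk: float) -> Dict[str, float]:
    """Every denied type whose maximum leak risk exceeds the threshold, with
    that risk, so a policy author can see which authorizations to tighten."""
    leaks: Dict[str, float] = {}
    for info, decision in policy.items():
        if decision == 0:
            risk = max_leakage_risk(policy, info)
            if risk > acceptable_leak_risk:
                leaks[info] = risk
    return leaks


def leakage_check(policy: Policy, acceptable_leak_risk: float) -> bool:
    """Algorithm 1: True iff the policy is leak-proof at the given threshold."""
    return not find_leaks(policy, acceptable_leak_risk)


if __name__ == "__main__":
    # Bob may read C but not F: the text's Fig 5c counter-example (constructed policy).
    bob = {"C": 1, "F": 0}
    print("Bob leak-proof:", leakage_check(bob, 0.10), find_leaks(bob, 0.10))
    # A is denied but D is granted: A leaks through the optional type B (0.8 * 1.0).
    carol = {"A": 0, "D": 1}
    print("Carol leak-proof:", leakage_check(carol, 0.30), find_leaks(carol, 0.30))
```

The second policy shows why the optional-authorization case of Algorithm 1 matters: B is never granted explicitly, yet the leak to A is found because B itself can be derived from D.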

3.2. IDR Based Trust Model


In an information supply chain, an agent may have to use information from an
unfamiliar source. Deciding whether or not to trust a piece of information or an
information source is becoming a challenging yet critical problem. The key is to be able
to evaluate the credibility of information and information sources. In this section, we first
introduce an approach to evaluate the credibility of information by conflicts and evidence.
Being able to assess the credibility of information is important for an ISC because
credibility reflects the quality of information, and high quality information is the key to
making sound decisions. As the nature of credibility is fuzzy, we study this issue with a
quantitative model. After describing the information credibility model, we show how a
piece of information can be corroborated with multiple information sources. Last, we
give an adaptive model to evaluate the credibility of each information source.

Credibility of Information
We assume that the credibility of information is determined by evidence and conflicts.
Generally, the more evidence can support the information, the more credible the
information is. In the ISC framework, a piece of implied information has its evidence.
We call the credibility that is attributed to evidence “positive credibility”. In addition,
information may conflict with other information. We call the credibility that is attributed
to conflicts “negative credibility”.
Definition 5. Conflict: The knowledge that is used to identify contradictory information
is called restrictions. If a set of information violates a defined restriction, we say that each
information instance included in the information set causes a conflict. The more
conflicts a piece of information causes, the less credible it is.
For example, two information instances, ((current_location Bob school)) and
((current_location Bob home)), conflict with each other because they violate the restriction
that Bob cannot be at school and at home at the same time.
Definition 6. Information credibility: The credibility of information can be defined
as $\eta(i) = \eta^{+} + \eta^{-}$, where
• $\eta(i)$ represents the credibility of information i
• $\eta^{+}$ represents positive credibility from evidence
• $\eta^{-}$ represents negative credibility from conflicts
The credibility value varies in the range (0, 1). A credibility value approaching 0
indicates that the information is not credible at all, while a credibility approaching 1
means that the information is highly credible. Using evidence and conflicts, we can
define a credibility model for any type of information. Fig 7a shows a credibility model
for an information type I1, which has two types of potential evidence: the set (E1, E2, E3)
and the set (E1, E2, E4). Each set is called an evidence branch. Information of type I1 may
conflict with other information. For example, I1 and I2 may cause conflict C3. However,
as we do not distinguish I1 or I2, we simplify the diagram by only showing the conflicts:
C1, C2, and C3.
It is worth noting that evidence is itself information with its own credibility value, which is based on its own evidence and conflicts: E4 may have evidence E5 and E6 and may cause conflicts of type C4. Conflicts, on the other hand, are a special type of information that cannot be used to derive normal information or further conflicts; in other words, conflicts are first-order predicates.
Using this model, we can analyze the evidence and conflicts of a particular information instance. Fig. 7b shows the credibility model for the information instance i1-5, an instance of information type I1. i1-5 has two evidence sets, (e1-6, e2-5, e3-2) and (e1-5, e2-5, e3-3). We call the number of evidence sets the "evidence number"; the evidence number of i1-5 is 2. Similarly, we call the number of conflicts the "conflict number"; the conflict number of i1-5 is 3.

C1 C2 C3 C4 c1-4 c1-2 c2-5

^
I1 I2 i1-5

e1 e2 e3 e1 e2 e3
E1 E2 E3 E1 E2 E4
-6 -5 -2 -5 -5 -3

E5 E6

Fig. 7a. A credibility model for a information type Fig. 7b. A credibility model for a information
(I1) instance (i1-5)

Definition 7. Positive credibility: The positive credibility $\eta^{+}$, which stems from the evidence, can be calculated from the evidence number of a particular piece of information $i$. $\eta^{+}$ lies in (0, 1)§ and increases monotonically with the evidence number:
$$\eta^{+}(x, \theta) = 1 - e^{-\theta x},$$ where
• $\eta^{+}$ represents the positive credibility from evidence
• $\theta$ represents the information density factor
• $x$ is the evidence number
We use this formula because it matches both the range of the credibility value and the relation between credibility and the evidence number, and because the information density factor $\theta$ lets us adjust the steepness of the $\eta^{+}$ versus $x$ curve. A higher value of $\theta$ makes the curve steeper, while a lower value makes it rise more gradually. For example, in Fig. 8a, when $\theta = 1$, 5 evidences bring the credibility close to 1 (0.993); when $\theta = 0.5$, 5 evidences bring it close to 0.9 (0.918); when $\theta = 0.25$, the same number of evidences brings it only to about 0.7 (0.713). We call $\theta$ the information density factor because the denser the information type is, the smaller $\theta$ should be: more evidence is then needed to reach a high credibility value.
§ When $\eta^{+}$ is used to calculate information credibility, its range is scaled by the evidence weight factor introduced below.

Fig. 8a. A positive credibility model Fig. 8b. A negative credibility model


Definition 8. Negative credibility: The negative credibility $\eta^{-}$, which stems from conflicts, can be calculated from the number of conflicts caused by a particular piece of information $i$. The negative credibility lies in (-1, 0)** and decreases monotonically with the conflict number:
$$\eta^{-}(y, \theta) = e^{-\theta y} - 1,$$ where
• $\eta^{-}$ represents the negative credibility from conflicts
• $\theta$ is the information density factor
• $y$ is the conflict number
Fig. 8b shows a plot of the function for different values of $y$ and $\theta$.
Substituting the expressions for $\eta^{+}$ and $\eta^{-}$ and adding a weight factor $\xi$, we can rewrite $\eta(i)$ as
$$\eta(i) = \xi\,(1 - e^{-\theta x}) + (1 - \xi)\,(e^{-\theta y} - 1) + 0.5,$$ where
• $y$ is the conflict number
• $x$ is the evidence number
• $\xi$ is the evidence weight factor and $(1 - \xi)$ is the conflict weight factor, $0 \le \xi \le 1$
Note that the constant 0.5 places the result in the interval $(\xi - 0.5, \xi + 0.5)$, which coincides with the credibility range (0, 1) only when $\xi = 0.5$; for other values of $\xi$ the result has to be clipped, or the constant replaced by $(1 - \xi)$, to stay within (0, 1).
Figs. 9a, 9b, 9c, and 9d illustrate credibility models with different $\xi$ values. When $\xi = 0.5$, the evidence number and the conflict number are equally weighted; when $\xi = 0.2$, the conflict number weighs more than the evidence number, so the credibility value drops quickly as the conflict number increases; similarly, when $\xi = 0.8$, the evidence number is more important; and when $\xi = 1$, credibility varies only with the evidence number and is indifferent to the conflict number.
** When $\eta^{-}$ is used to calculate information credibility, its range is scaled by the conflict weight factor $(1 - \xi)$.

Fig. 9a. A credibility model, $\xi = 0.5$, $\theta = 1$
Fig. 9b. A credibility model, $\xi = 0.2$, $\theta = 1$
Fig. 9c. A credibility model, $\xi = 0.8$, $\theta = 1$
Fig. 9d. A credibility model, $\xi = 1$, $\theta = 1$

An evidence also has its own credibility value, which should be considered when an agent assesses the credibility of information that is based on it. In other words, in addition to the evidence number, the positive credibility of a piece of information is also determined by how credible its evidence is. We therefore extend the definition of positive credibility as follows:
$$\eta^{+} = \frac{\sum_{j=1}^{n} \beta_j \, \eta(\varepsilon_j)}{n},$$ where
• $\beta_j$ represents the confidence level in evidence branch $j$, $0 < \beta_j \le 1$; $\beta_j = 1$ if all evidence branches are weighted equally
• $\eta(\varepsilon_j)$ represents the credibility of evidence set $\varepsilon_j$
• $n$ is the evidence number, i.e. the number of evidence sets
The positive credibility is thus the average credibility of the evidence sets weighted by confidence level: the higher the confidence level in an evidence set, the more weight that set's credibility carries. The credibility of an evidence set $\varepsilon_j$ is defined as the average of the product of the credibility and the importance factor of each evidence element:
$$\eta(\varepsilon_j) = \frac{\sum_{k=1}^{m} \alpha_k \, \eta(e_k)}{m},$$ where
• the evidence set $\varepsilon_j$ has $m$ evidence elements (individual pieces of information)
• $\alpha_k$ is the importance factor of evidence $e_k$, $0 < \alpha_k \le 1$; $\alpha_k = 1$ if all evidence elements are weighted equally
• $\eta(e_k)$ is the credibility of evidence $e_k$, itself computed from that evidence's own evidence and conflicts
The credibility model of information $i$ can finally be extended to
$$\eta(i) = \xi \, \frac{\sum_{j=1}^{n} \beta_j \, \eta(\varepsilon_j)}{n} + (1 - \xi)\,(e^{-\theta y} - 1) + 0.5$$
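As an added example (this is not code from the paper), the following Python implements Definitions 6 to 8, the combined formula with $\theta$ and $\xi$, and the extended evidence-set form above, evaluated recursively over the Fig. 7b instance i1-5. The leaf credibilities (a leaf with no known evidence takes $x = 0$), the single conflict placed on e3-2, the parameter choices $\theta = 1$ and $\xi = 0.5$, and the combine_normalized variant that keeps the value in (0, 1) for every $\xi$ are assumptions of the example rather than part of the paper.

```python
import math
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example (not from the paper): Definitions 6-8 and the extended
# evidence-set form, applied to the Fig. 7b instance. Constructed inputs.


def positive_credibility(x: int, theta: float) -> float:
    """eta+ of Definition 7: 1 - exp(-theta * x) for evidence number x."""
    return 1.0 - math.exp(-theta * x)


def negative_credibility(y: int, theta: float) -> float:
    """eta- of Definition 8: exp(-theta * y) - 1 for conflict number y."""
    return math.exp(-theta * y) - 1.0


def combine(eta_plus: float, eta_minus: float, xi: float) -> float:
    """xi * eta+ + (1 - xi) * eta- + 0.5, exactly as written in the paper.
    The result lies in (xi - 0.5, xi + 0.5): inside (0, 1) only for xi = 0.5."""
    return xi * eta_plus + (1.0 - xi) * eta_minus + 0.5


def combine_normalized(eta_plus: float, eta_minus: float, xi: float) -> float:
    """Editor's variant (assumption, not in the paper): replacing the constant
    0.5 by (1 - xi) keeps the value in (0, 1) for every xi and agrees with
    combine() at xi = 0.5."""
    return xi * eta_plus + (1.0 - xi) * (eta_minus + 1.0)


def credibility(x: int, y: int, theta: float = 1.0, xi: float = 0.5) -> float:
    """Credibility from an evidence number x and a conflict number y."""
    return combine(positive_credibility(x, theta), negative_credibility(y, theta), xi)


@dataclass
class Info:
    """One information instance: evidence branches (each a list of
    (evidence, alpha_k) pairs), one beta_j per branch, and its conflict number."""
    name: str
    branches: List[List[Tuple["Info", float]]] = field(default_factory=list)
    betas: List[float] = field(default_factory=list)
    conflicts: int = 0


def evidence_set_credibility(branch, theta: float, xi: float) -> float:
    """eta(epsilon_j): mean of alpha_k * eta(e_k) over the m elements of the set."""
    return sum(a * info_credibility(e, theta, xi) for e, a in branch) / len(branch)


def info_credibility(info: Info, theta: float = 1.0, xi: float = 0.5) -> float:
    """Extended model: eta+ is the beta-weighted mean credibility of the evidence
    sets, evaluated recursively. A leaf with no known evidence falls back to
    Definition 7 with x = 0, so only its own conflicts shape its value."""
    if not info.branches:
        eta_plus = positive_credibility(0, theta)
    else:
        betas = info.betas or [1.0] * len(info.branches)
        eta_plus = sum(b * evidence_set_credibility(br, theta, xi)
                       for b, br in zip(betas, info.branches)) / len(info.branches)
    return combine(eta_plus, negative_credibility(info.conflicts, theta), xi)


def fig7b_instance() -> Info:
    """i1-5 of Fig. 7b: evidence sets (e1-6, e2-5, e3-2) and (e1-5, e2-5, e3-3),
    conflict number 3. The single conflict on e3-2 is a constructed assumption."""
    e16, e25, e32 = Info("e1-6"), Info("e2-5"), Info("e3-2", conflicts=1)
    e15, e33 = Info("e1-5"), Info("e3-3")
    return Info("i1-5",
                branches=[[(e16, 1.0), (e25, 1.0), (e32, 1.0)],
                          [(e15, 1.0), (e25, 1.0), (e33, 1.0)]],
                conflicts=3)


if __name__ == "__main__":
    for theta in (1.0, 0.5, 0.25):
        print(f"theta={theta}: eta+ with 5 evidences = {positive_credibility(5, theta):.3f}")
    print(f"xi=1 with 5 evidences, unclipped: {credibility(5, 0, xi=1.0):.3f}")
    print(f"eta(i1-5) = {info_credibility(fig7b_instance()):.3f}")
```

Running the block prints the three $\theta$ values discussed with Fig. 8a (0.993, 0.918, 0.713) and shows that the paper's formula exceeds 1 at $\xi = 1$, which is why the example carries the normalized variant alongside it. Because i1-5 causes three conflicts, its credibility ends up well below 0.5 even though both evidence branches are populated.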

Corroborated Credibility and Trust Model

In addition to an agent's own knowledge reasoning, other information sources (other information providers) may corroborate a particular piece of information. We call a piece of information corroborated if it has more than one source. For example, if both Alice and Bob tell you that it is raining outside, we say the information "it is raining" is corroborated. We assume that, generally, the more sources corroborate a piece of information, the more credible it is. In addition, for each type of information, an agent should maintain a trust level for each information source: for a particular type of information, an agent may trust one agent more than another.
Definition 9. Trust: Trust $\gamma = \Re(S, I)$ specifies the degree of confidence in an information source $S$ for information type $I$, with $0 < \gamma < 1$.
Suppose there are $n$ information providers giving information $i$, and each provider $S_j$ delivers the information with its own credibility value $\eta_{S_j}(i)$. An agent can then compute a corroborated credibility $\Im(i)$ for the information as
$$\Im(i) = \frac{\sum_{j=1}^{n} \Re(S_j, I) \times \eta_{S_j}(i)}{n}$$
This trust model is similar to that of [3], which is based on evidence from internal or external sources, and to [7], which formalizes willingness to trust in the decision of whether to collaborate with others. However, neither considers information credibility when evaluating trust.
Fig. 10. Corroborating a piece of information (i1-5) with multiple information providers S1, S2, and S3, each supplying its own assessment $\eta_{S_1}(i_{1-5})$, $\eta_{S_2}(i_{1-5})$, $\eta_{S_3}(i_{1-5})$

In Fig. 10, for example, suppose three sources S1, S2, and S3 provide the information i1-5, and each source also sends the credibility value it assessed from its own knowledge: $\eta_{S_1}(i_{1-5})$, $\eta_{S_2}(i_{1-5})$, and $\eta_{S_3}(i_{1-5})$. The corroborated value of i1-5 is then
$$\Im(i_{1-5}) = \frac{\Re(S_1, I) \times \eta_{S_1}(i_{1-5}) + \Re(S_2, I) \times \eta_{S_2}(i_{1-5}) + \Re(S_3, I) \times \eta_{S_3}(i_{1-5})}{3}$$
A corroborated credibility is thus an average credibility value weighted by trust values. Note that the divisor is the number of providers rather than the sum of their trust values, so a provider with low trust pulls the corroborated value down even when it reports high credibility. If the agent has evidence for the information or deduced it itself, the corroborated credibility should also include the agent's own credibility assessment:
$$\Im(i) = \frac{\sum_{j=1}^{n} \Re(S_j, I) \times \eta_{S_j}(i) + \eta(i)}{n + 1}$$
We assume that an agent always trusts itself: $\Re(\mathit{self}, I) = 1$.

Trust Adjustment Model

For a particular information type, the trust value of each information provider should be adjusted whenever the agent can corroborate a piece of information of that type: if the provider's credibility value is close to the corroborated credibility value, the trust value, or reputation [6], of the provider should be increased; if the deviation between what the provider assessed and what was corroborated is large, the provider's trust value should be lowered.
Definition 10. Trust adjustment: Trust adjustment is defined by the following Gaussian formula (Fig. 11):
$$\Delta(\gamma_a) = \mu\,(e^{-\delta^2} - \tau),$$ where
• $\mu$ is a small factor that allows smooth adjustment, usually less than 0.01
• $\delta = \eta_a(i) - \Im(i)$ is the deviation of source $a$'s credibility assessment of information $i$ from the corroborated value
• $\tau$ is a threshold that indicates the portion of negative adjustment; its value ranges from 0 to 1, and the positive portion is $1 - \tau$. The adjustment is positive only while $\delta^2 < -\ln \tau$, so $\tau$ also fixes how large a deviation is tolerated before trust starts to drop.

Fig. 11. The trust adjustment model

As mentioned in Section 2, fill rate alone is not sufficient for evaluating a service provider's performance because it cannot examine the quality of the provided information. Using the trust model of information providers, an agent can evaluate the performance of its providers for a particular type of information and can therefore prefer providers with high trustworthiness.
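As an added example (not code from the paper), the following Python carries out the corroboration of Definition 9, including the agent's own assessment with $\Re(\mathit{self}, I) = 1$, and the trust adjustment of Definition 10, then repeats the round to show how a consistently deviating provider loses trust and how the agent would then pick its preferred provider. The provider names, trust values, assessments, the parameters $\mu = 0.01$ and $\tau = 0.9$, and the clamp that keeps $\gamma$ inside (0, 1) are assumptions of the example.

```python
import math
from typing import Dict, Optional, Tuple

# Added example (not from the paper): corroborated credibility (Definition 9)
# and Gaussian trust adjustment (Definition 10) on constructed inputs.


def corroborated_credibility(trust: Dict[str, float],
                             assessments: Dict[str, float],
                             self_assessment: Optional[float] = None) -> float:
    """Im(i): sum over providers of R(S, I) * eta_S(i), divided by n.
    If the agent has its own assessment eta(i), it is added with trust 1
    and the divisor becomes n + 1, as in the paper."""
    total = sum(trust[s] * eta for s, eta in assessments.items())
    count = len(assessments)
    if self_assessment is not None:
        total += 1.0 * self_assessment   # R(self, I) = 1
        count += 1
    return total / count


def trust_delta(provider_eta: float, corroborated: float,
                mu: float = 0.01, tau: float = 0.9) -> float:
    """Definition 10: mu * (exp(-delta^2) - tau), delta = eta_a(i) - Im(i).
    Positive only while delta^2 < -ln(tau); with the assumed tau = 0.9 a
    deviation above about 0.32 already lowers trust."""
    delta = provider_eta - corroborated
    return mu * (math.exp(-delta * delta) - tau)


def adjust_trust(trust: Dict[str, float], assessments: Dict[str, float],
                 self_assessment: Optional[float] = None,
                 mu: float = 0.01, tau: float = 0.9) -> Tuple[Dict[str, float], float]:
    """One corroboration round: compute Im(i), then adjust every provider's
    trust for this information type. Clamping to the open interval (0, 1) is
    an added safeguard so repeated adjustments cannot leave Definition 9's range."""
    corr = corroborated_credibility(trust, assessments, self_assessment)
    updated = dict(trust)
    for s, eta in assessments.items():
        gamma = trust[s] + trust_delta(eta, corr, mu, tau)
        updated[s] = min(1.0 - 1e-9, max(1e-9, gamma))
    return updated, corr


def most_trusted(trust: Dict[str, float]) -> str:
    """Provider selection as described in the text: highest trust for this type."""
    return max(trust, key=trust.get)


# Constructed scenario after Fig. 10: S1, S2, S3 report i1-5 with their own
# credibility assessments; S3 disagrees sharply with the others and the agent.
TRUST = {"S1": 0.9, "S2": 0.7, "S3": 0.6}
ASSESSMENTS = {"S1": 0.85, "S2": 0.80, "S3": 0.10}
SELF_ASSESSMENT = 0.80


def run_rounds(rounds: int) -> Dict[str, float]:
    """Repeat the same corroboration for several rounds: consistent providers
    gain slowly (at most mu * (1 - tau) per round), the outlier keeps losing."""
    trust = dict(TRUST)
    for _ in range(rounds):
        trust, _corr = adjust_trust(trust, ASSESSMENTS, SELF_ASSESSMENT)
    return trust


if __name__ == "__main__":
    updated, corr = adjust_trust(TRUST, ASSESSMENTS, SELF_ASSESSMENT)
    print(f"corroborated credibility of i1-5: {corr:.4f}")
    for s in TRUST:
        print(f"{s}: trust {TRUST[s]:.4f} -> {updated[s]:.6f}")
    print("preferred provider after 100 rounds:", most_trusted(run_rounds(100)))
```

With these inputs the corroborated value is 0.54625, noticeably below every assessment except S3's, because the divisor is the provider count rather than the sum of the trust weights; S1 and S2 gain a little trust and S3 loses some in every round. A practitioner deploying the adjustment should pick $\tau$ from the deviation they are willing to tolerate (via $\delta^2 < -\ln \tau$) rather than leaving it at a value that never yields a negative adjustment.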

4. Discussions
We have introduced the information supply chain (ISC) framework and the information dependency relation (IDR) based authorization and credibility models. Under this framework, we can extend our research to other relevant issues, such as how to address malicious attacks from insider members, how to develop trust-based authorization, and how to keep a balance between sharing and security.
First, our current authorization and credibility models assume that there are no malicious attacks, especially from an insider member or from colluding members. For example, a member can easily build up its credibility and then start to disseminate rumors: falsified yet sensitive information that can be used to derive higher-level information. In such a case, contaminated information may be propagated further throughout the supply chain, so rumors may cause massive disruptions. Addressing such attacks requires much more comprehensive security measures, such as intrusion detection, operation under attack, and system recovery.
Second, our current authorization model is based on needs, and it is disconnected from the trust model: the trust level of an information provider is not used when specifying an authorization. This is because the authorizations we currently look at are from the pull perspective (access control for customers), whereas our trust model is from the push perspective (trust in providers). However, a comprehensive trust model covering both the push and the pull perspective, and a trust-based authorization built on it, are important for an information supply chain.
Last, two important evaluation criteria, fill rate and trust level, are somewhat contradictory. If an agent demands highly credible information, it must demand providers with a high trust level. However, the higher the required trust level, the fewer the qualified providers, which can result in low fill rates, that is, a large portion of unsatisfied demands. High trust level requirements can therefore undermine a supply chain's fill rate. Finding a balance between fill rate and trust level is a non-trivial research issue. It is similar to the problem in material supply chains where strict quality control may reduce production capacity and thereby lower fill rates; by examining the existing methods used to address that problem, we may gain insights for balancing fill rate and trust level in an information supply chain.

5. Conclusion
Sharing information has to be both efficient and secure. On one hand, sharing information requires a clear understanding of what to share, whom to share with, how to share, and when to share. The ISC framework explicitly captures these questions as information requirements, so we expect that systems developed under the framework will deliver the right information to the right recipients in the right way and at the right time. On the other hand, the ISC framework provides an information dependency based authorization model that ensures security from the information pull perspective, in that only legitimate requirements can be satisfied, and a credibility model that ensures security from the information push perspective, in that only credible information is shared. As our next step, we will study other relevant issues, including how to address malicious attacks, how to develop trust-based authorization, and how to keep a balance between sharing and security.

Acknowledgements
Peng Liu is partially supported by NSF CCR-TC-0233324 and DOE Early Career PI
Award.

References
1. Adam, M.R.: Security-Control Methods for Statistical Databases: A Comparative Study. ACM Computing Surveys 21(4) (1989)
2. Baird, Z., Barksdale, J., Vatis, M.A.: Creating a Trusted Information Network for Homeland Security. The Markle Foundation, New York City (2003)
3. Bhargava, B., Zhong, Y.: Authorization Based on Evidence and Trust. In: Data Warehouse and Knowledge Management Conference (DaWaK 2002), Aix-en-Provence, France (2002)
4. Cahill, V., Gray, E., Seigneur, J.-M., Jensen, C.D., Chen, Y., Shand, B., Dimmock, N., Twigg, A., Bacon, J., English, C., Wagealla, W., Terzis, S., Nixon, P., Serugendo, G.d.M., Bryce, C., Carbone, M., Krukow, K., Nielsen, M.: Using Trust for Secure Collaboration in Uncertain Environments. IEEE Pervasive Computing, July-September 2003, pp. 52-61
5. Chopra, S., Meindl, P.: Supply Chain Management: Strategy, Planning, and Operation. Pearson Education International (2001)
6. Dingledine, R., Mathewson, N., Syverson, P.: Reputation in Privacy Enhancing Technologies. In: 12th Annual Conference on Computers, Freedom and Privacy, San Francisco, California, pp. 1-6. ACM Press (2002)
7. Marsh, S.: Formalizing Trust as a Computational Concept. University of Stirling, Stirling, UK (1994)
8. Phillips, C.E., Ting, T.C., Demurjian, S.A.: Information Sharing and Security in Dynamic Coalitions. In: 7th ACM Symposium on Access Control Models and Technologies (SACMAT), Monterey, California, USA, pp. 87-96. ACM Press (2002)
9. Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role Based Access Control. IEEE Computer 29(2) (1996)
10. Sun, S., Fan, X., Yen, J.: Sharing Intelligence Using Information Supply Chains. In: Popp, B., Yen, J. (eds.) 21st Century Information Technologies and Enabling Policies for Counter Terrorism. Wiley (2005, to appear)
11. Sun, S., Yen, J.: Information Supply Chain: A Unified Framework for Information Sharing. In: Intelligence and Security Informatics: IEEE International Conference on Intelligence and Security Informatics (ISI 2005), Atlanta, GA, USA, pp. 422-428. Springer-Verlag (2005)
12. Weick, K.E., Daft, R.E.: The Effectiveness of Interpretation Systems. In: Cameron, K.S., Whetten, D.A. (eds.) Organizational Effectiveness: A Comparison of Multiple Models, pp. 71-94. Academic Press, New York (1983)
13. Yang, X., Li, C.: Secure XML Publishing without Information Leakage in the Presence of Data Inference. In: 30th International Conference on Very Large Data Bases (VLDB), Toronto, Canada (2004)
14. Yen, J., Fan, X., Sun, S., Wang, R., Chen, C., Kamali, K., Volz, R.A.: Implementing Shared Mental Models for Collaborative Teamwork. In: Workshop on Collaboration Agents: Autonomous Agents for Collaborative Environments, IEEE/WIC Intelligent Agent Technology Conference, Halifax, Canada, pp. 115-126 (2003)
