Real-time model checking for shill detection in live online auctions

Int’l Conf. Software Eng. Research and Practice | SERP’09 | 134 Real-Time Model Checking for Shill Detection in Live Online Auctions* Haiping Xu1, Christopher K. Bates1, and Sol M. Shatz2 1 Computer and Information Science Department University of Massachusetts Dartmouth, North Dartmouth, MA 02747, USA E-mail: {hxu, u_cbates}@umassd.edu 2 Computer Science Department University of Illinois at Chicago, Chicago, IL 60607, USA E-mail: shatz@uic.edu Abstract - Online auctions are vulnerable to shill bidders, who intend to artificially raise bidding prices, causing winning bidders to pay more than they should pay for auctioned items. Detection of such fraudulent behaviors is very difficult, especially when an auction is in progress, or “live”. This paper focuses on a formal technique to detect shilling behaviors in live online auctions. We define a monitoring agent that can continuously watch for abnormal bidding behaviors of a monitored bidder. To make the detection process efficient, we introduce a dynamic auction model (DAM), and use real-time model checking techniques to verify shilling behaviors specified in linear temporal logic (LTL). Finally, we present an algorithm for real-time shill detection, and use a case study to demonstrate the efficiency and effectiveness of our approach. Keywords: Online auctions, model checking, shilling behaviors, shill detection, real-time, software agents. 1 Introduction Auctions have been a popular mechanism for purchasing items for a long time, providing potential buyers with a means to purchase an item at a price lower than normal cost or to purchase a rare item not otherwise available. As auction activities around the world have begun to spread, it becomes more and more difficult to reach intended audiences as they could be far away from the places where the auctions are conducted. The Internet has provided a solution to this, giving access to an auction to anyone anywhere in the world. This has opened the auction environment to the e-commerce world. However, since anyone can participate in an auction using a fake identification, it becomes very difficult for an auction house to determine who is actually participating in an auction. Thus, security concerns become an important * This material is based upon work supported by the U.S. National Science Foundation under grant numbers CNS-0715648 and CNS0715657. issue, and fraudulent bidders, typically known as shill bidders, may damage the validity of an auction by raising the price higher than normal, in an attempt to earn the seller a higher profit. Detection of shill bidders can be very difficult as most shilling behaviors resemble normal bidding behaviors to avoid being detected. Previous attempts for shill detection include identifying patterns for shilling behaviors and searching for matched shilling behaviors by investigating auction histories [1, 2]. By studying bidding behaviors, it is possible to find shill patterns, and therefore to define corresponding shill detection rules and mechanism. However, previous efforts only focus on identifying shill bidders using historical auction data. Such approaches may be useful for identifying shill patterns, but they are not very effective in shill detection since any detection happens after the auction is completed. Unfortunately, a completed auction that involved shill bidding has already resulted in possible losses for bidders, and also damaged the reputation of the auction house. In contrast, in this paper, we introduce a formal approach to detecting shilling behaviors in auctions that are in progress, which we refer to as “live auctions.” Using our approach, we can take appropriate actions timely on shilling behaviors, e.g., giving a shill bidder a warning or canceling the involved live online auction. Our method is based on a model checking approach we proposed previously [2]. In our previous efforts, we demonstrated how to use model checking techniques to detect shill bidders using collected offline auction data, particularly from concurrent online auctions. In this paper, we extend our previous model by introducing a dynamic auction model (DAM) for real-time detection of shilling behaviors. In our approach, we first divide the duration of an online auction into three stages (i.e., early, middle and final stage), and then formally specify shilling behaviors in different stages in linear temporal logic (LTL). Finally, we run the SPIN model checker [3] on DAM in order to identify abnormal bidding behaviors. Note that DAM can be used to simulate an online auction using real-time auction data. As more and more shilling behaviors are identified for a monitored bidder, shilling scores for that Int’l Conf. Software Eng. Research and Practice | SERP’09 | bidder can be accumulated. When the total shilling score reaches certain limits, appropriate actions can be taken against the monitored bidder. For example, a high shilling score may result in a warning of suspected shilling behaviors, while a very high shilling score may result in cancellation of the involved online auction. Most previous work on shill detection in online auctions is based on analyzing large volumes of historical auction data to search for shill patterns. Kauffman and Wood used a statistical approach to detecting shilling behaviors and showed how the statistical data of a market would look if opportunistic behaviors do exist [4]. They also showed how to use an empirical model to test for questionable behaviors. However, one limitation of the approach is the need to review multiple auctions over a long period of time [5]. Furthermore, since the statistical approach was based on analyzing a large amount of historical auction data, it was not applicable to directly analyzing a particular auction where shilling behaviors might be involved. Similarly, Chau, et al. from Carnegie Mellon University proposed a shill detection method, called 2-Level Fraud Spotting (2LFS), which can be used to detect fraudsters in online auctions using data mining techniques by investigating historical auction data from eBay [1]. Other related work on shilling behaviors includes attempts to get around the shilling problem by designing sound mechanisms to decrease the incentives for shilling behaviors. For example, researchers have proposed reputation mechanisms in online auctions to deter opportunistic behaviors [6, 7]. However, acquainted users may put in good comments for each other, and thus, the reputation system can be easily manipulated. An improved reputation-based approach is to develop models that characterize sellers according to statistical metrics related to price inflation [8]. Unfortunately, such an approach is also not suitable to detect shill bidders in real-time because it is based on analyzing large volumes of auction data. Unlike the above approaches, our approach uses realtime auction data, so abnormal bidding behaviors can be captured timely. Our approach complements existing approaches, such as the statistical approach, for shill detection. Although statistical approaches require analysis of large volumes of historical auction data, they can effectively identify bidding patterns, which can be adopted as useful knowledge in our model checking approach. Other related work includes trustworthy management in e-commerce for securing online transactions and establishing trust in users by proposing different types of trust models. Trust management using reputation models are based on prior history of users and/or feedback gathered from other entities. Shmatikov and Talcott proposed a formal model that precisely defined the notion of reputation, and can be used to reason about trust [9]. Boukerche and Xu proposed an agent-based trust and reputation local storage strategy for wireless sensor networks, which can manage trust and reputation with minimal overhead in terms of extra messages and time delay [10]. Recently, we introduced a framework for 135 agent-based trust management (ATM) in online auctions [11]. In this paper, we enhance the ATM framework by providing a real-time model checking mechanism for monitoring agents, which can continuously watch for abnormal bidding behaviors and take actions accordingly. Since our detection mechanism only deals with real-time auction data, a monitoring agent can efficiently and effectively report shilling behaviors. 2 Agent-based shill detection Agent technology provides a programming paradigm for development of intelligent software with the capability of sensing, planning, scheduling, reasoning and decisionmaking. In order to automatically detect shilling behaviors in real-time and take appropriate actions autonomously, we define a monitoring agent for each bidder who registers with an auction house. Each monitoring agent is built with enough capability to work independently, and can keep track of live auctions that the bidder is involved with. As an auction progresses, a dynamic auction model for the monitored bidder is continuously updated based on realtime auction data, and verified by the monitoring agent against formal specifications of shilling behaviors. Figure 1 presents an overview of a monitoring agent using realtime model checking. Real-Time Model Checking Monitoring Agent Auction Base Model Dynamic Auction Model (k-1) update auction model Dyamic Auction Model (k) Real-Time Auction Data Incremental Auction Model results LTL Formula Library LTL List for Current Auction Stage SPIN Tool Actions Scoring & Decision Making Figure 1. Monitoring agent using real-time model checking From the figure, we can see that the dynamic auction model is initially created using an auction base model, which models the basic functionality of an online auction. The dynamic auction model is then updated each time the monitoring agent starts to perform verifications. The new dynamic auction model (for iteration k) is a combination of the previous dynamic auction model (for iteration k-1) and the incremental auction model created based on real-time auction data. A list of LTL formulas is then selected from an LTL formula library for verification of shilling behaviors. Finally, the monitoring agent uses the SPIN model checker to compute the verification results, and also makes decisions on taking appropriate actions. When the above process is complete, the dynamic auction model (k-1) is updated for the next iteration using Int’l Conf. Software Eng. Research and Practice | SERP’09 | 136 the dynamic auction model (k). The model checking results are also recorded for use in updating the incremental auction model in the next iteration. Thus, all previous verification results can be directly used for further verification in later iterations. Note that in order to select suitable LTL formulas for formal verification, we divide an auction duration into three stages, namely early stage, middle stage and final stage, which are defined as follows. Definition 2.1 Early Stage. The early stage of an online auction is defined as the first quarter of the auction duration. Typically there are only a few bids placed, but a shill bidder may be eager to drive up the auction price as early as possible. Definition 2.2 Middle Stage. Most of the online auction bidding activities occur at the middle stage of the auction duration. The middle stage is defined as [0.25T, 0.9T), where T is the duration of the auction. Most of the shilling behaviors are expected to be detected in this stage. Definition 2.3 Final Stage. The final stage of an online auction is defined as the last 10% of the auction time. In this stage, a shill only places bids occasionally and very carefully in order to avoid winning the auction. To make our approach efficient, the dynamic auction model only simulates the bidding activities for the current auction stage, because all shilling behaviors detected in previous stages have already been recorded in the model. 3 Real-time model checking for shill detection 3.1 Dynamic auction model The dynamic auction model (DAM) records bids and uses variables or flags to represent auction states. It also simulates a live online auction in real-time, as specified in PROMELA (Process Meta Language), which is a formal language that allows for the dynamic creation of concurrent processes [3]. DAM consists of two major components, namely the current dynamic auction model (CDAM), and the incremental auction model (IAM). The initial CDAM is instantiated using a base auction model, which provides the primary variable declarations as well as the code that simulates an online auction in real-time. Figure 2 illustrates the sample PROMELA code for an example initial current dynamic auction model. From the sample code, we can see that the declared variables are either related to the auction itself or to the monitored bidder. The model first defines an auction auc of type Auction that consists of variables such as startTime, endTime, estimatedPrice, and reservePrice. Then a list of bids bids is defined as an array of bids of type Bid, where we assume that the maximum number of bids in a single auction is 100. Additional system variables are defined, for example variable numberOfBids refers to the number of bids that have already been placed in the auction at the model checking time, and variable startingIndex is the index of the first bid for the current auction stage. Furthermore, in order to verify shilling behaviors of the monitored bidder, we define a set of variables for the monitored bidder, such as monitoredBid and monitoredInc, which are used when defining temporal formulas. /*type and variable declaration*/ typedef Auction { int startTime = 0; int endTime = 172800; short estimatedPrice = 1500; short reservePrice = 1350; short minIncrement = 5; } auc; typedef Bid{ short bidderID; // bidder’s identification short bidAmount; // bid amount in dollars int bidTime; // time when bid is placed } bids[100]; short numberOfBids; // number of bids so far short startingIndex; // for current stage int middleStageStart;// middle stage start time int finalStageStart; // final stage start time ... short monitoredBidderID = 000001; short monitoredBid;// bid amount in dollars short monitoredInc // bid increment bit bidFlag; // set to 1 if the current // bid is monitored ... /* placeholder for previous auction data */ ... /* previous model checking results */ ... proctype SimulateBiddingProcess() { int index = startingIndex; ... do ::(index < numberOfBids) -> d_step { bidFlag = 0; // reset bid status ... if ::(index > 0) -> previousBid=bids[index-1].bidAmount; ::(index == 0) -> previousBid = 0; fi; if /* bid is monitored */ ::(bids[index].bidderID == monitoredBidderID)-> monitoredIncrement =bids[index].bidAmount-previousBid; monitoredBid=bids[index].bidAmount; bidFlag = 1; fi; ... index++; } od; } Figure 2. Sample PROMELA code for an initial CDAM The real-time simulation of a live online auction is a simple replay of the auction activities occurred during the current auction stage. The simulation process is modeled by the SimulateBiddingProcess procedure, which is Int’l Conf. Software Eng. Research and Practice | SERP’09 | activated whenever a monitored bidder places a bid or when there is an auction transition (e.g., a transition from the early stage to the middle stage). The major task of this procedure is to set values for certain variables that are used by the model checker. For example, the flag bidFlag indicates if the current bid is placed by a monitored bidder, and monitoredInc stores the bid increment for the current monitored bid. Note that the real-time auction data and new model checking results are initially recorded in IAM, which will be stored in CDAM as previous auction data and previous model checking results each time the two models are combined. Figure 3 shows the sample PROMELA code for IAM, which represents the dynamic portion of a DAM. typedef ShillingBehavior { bit detected; int timeDetected; int detectionCount; } /* a list of shilling behaviors to be checked in the current auction stage */ ShillingBehavior BM1; ShillingBehavior BM2; ShillingBehavior BM3; ... proctype CreateIncrementModel(){ /* real time auction data */ bids[26].bidID = 000003; bids[26].bidAmt = 885; bids[26].bidTime = 50424; bids[27].bidID = 000004; bids[27].bidAmt = 900; bids[27].bidTime = 50580; ... numberOfBids = 30; // number of bids so far startingIndex = 21; // for middle stage ... /* update previous BM1.detected = 1; BM1.timeDetected = BM1.detectionCount BM2.detected = 0; BM2.timeDetected = BM2.detectionCount ... model checking results */ 48450; = 1; 0; = 0; } Figure 3. Sample PROMELA code for IAM As shown in Figure 3, IAM first defines the ShillingBehavior type, and then defines a set of shilling behaviors to be checked during the current auction stage, such as BM1 and BM2 (shilling behaviors in the middle auction stage, defined in Section 3.2). The major component of an IAM is the new real-time data collected from a live online auction as well as updated values for certain system variables, such as numberOfBids and startingIndex. Furthermore, the model checking results must be updated. For example, as shown in Figure 3, shilling behavior BM1 has been detected once previously at time 48450. Such information is critical in calculating shilling scores for the monitored bidder. 137 3.2 Real-time model checking When the SPIN model checker is initiated, LTL formulas representing shilling behaviors are incorporated into DAM. Each LTL formula to be checked is converted into a PROMELA never claim, which is appended to the end of the auction model [3, 4]. When the model checker is running, the never claim is verified against the auction model and returns whether the LTL formula is valid or invalid. If a formula is valid, it indicates the corresponding shilling behavior is detected; otherwise, no such shilling behavior is detected. The verification of the model is actually done by generating C code of the model through SPIN. Once the source code is generated, it is compiled into an executable verifier, which is then run by the monitoring agent to determine the validity of a specified behavior. This process is repeated as long as the auction is active. Each time a shilling behavior is detected, the monitored bidder’s shilling score is updated. When the score reaches a certain limit, an appropriate action must be taken. The scoring of different shilling behaviors is used to indicate how malicious a bidder is. Some behaviors that match as shilling behaviors are not severe because it is possible that the bidder may have no malicious intent at all. In this case, a low score is assigned when the behavior is detected. Some other shilling behaviors may appear at an earlier stage, and prove to be benign later in the auction. In this case, a temporary score is assigned, which may be discarded later if needed. As more shilling behaviors are identified during an online auction, a bidder’s shilling score will increase. As the score increases, more harsh actions can be taken for the bidder. For example, a warning can be issued to the monitored bidder if the bidder shows some malicious behaviors but the shilling score is still not sufficiently high. On the other hand, a higher score may indicate the involved auction has been significantly affected; thus, the auction must be cancelled in order to protect the interests of other bidders who have been involved in the auction. We summarize various shilling behaviors into three groups according to the three stages of an online auction, namely early stage, middle stage, and final stage. Tables 13 show a few examples of shilling behaviors in each auction stage. Table 1. Examples of shilling behaviors in early stage BID* BE1 BE2 Shilling Behavior (Early Stage) Bidding time very close to the start of an auction. Explanation: If a bid is placed on an auction very early, say within 4 hours after the start of the auction, then it is likely that the bidder has prior knowledge about the auction, and therefore is a likely shill. Bid close to the reserve price with no larger bids in the early stage. Explanation: A normal early stage bid would not likely jump to a value that is close to the reserve price. This behavior casts strong suspicion of intent to stimulate the auction and encourage more bidding. Int’l Conf. Software Eng. Research and Practice | SERP’09 | 138 BE3 Large number of bids compared to other bidders in the early stage. Explanation: A shill bidder may try to raise the price as much as possible since there is little risk in the early stage. This results in a large portion of the bids on the auction to be made by the shill bidder to outbid others. *BID: Behavior Identification Table 2. Examples of shilling behaviors in middle stage BID BM1 BM2 BM3 BM4 Shilling Behavior (Middle Stage) Bid close to the reserve price with no larger bids over the reserve price in the middle stage. Explanation: If the bidding price is not high enough, a shill may attempt to push the price higher with a bid close to the reserve price. BE2 detected, and no bids greater than the reserve price in the middle stage. Explanation: When the reserve price is reached, the shill bidder stops bidding in order to avoid winning the auction. BE2 detected, and bids with small bid increments over reserve price in the middle stage. Explanation: When the reserve price is reached, a shill bidder may try to drive the price up a little more with small increments to avoid winning the auction. A much larger bid than the estimated price in the middle stage. Explanation: A bid that is 20% over the estimated price during the middle stage is not likely made by a normal bidder with a normal increment amount. Table 3. Examples of shilling behaviors in final stage BID BF1 BF2 Shilling Behavior (Final Stage) BM1 or BM2 detected, and no bids greater than the reserve price in the final stage. Explanation: Similar to BM2, except that BF1 appears in the final stage. BM1 detected, and bids with small bid increments over the reserve price in the final stage. Explanation: Similar to BM3, except that BF2 appears in the final stage. We now provide some examples of LTL formulas to show how shilling behaviors can be formally specified. BE1: Bidding time very close to the start of an auction Shill bidders tend to place bids more at the beginning of an auction than the end [12], giving more time for other bidders to outbid the shill bids. While normal bidders may place bids on an auction close to the auction’s creation time, closer bids are a good indicator of prior knowledge about the auction. It is unlikely that a normal bidder would notice an auction right after the auction’s creation, while shill bidders may place bids on their own auctions very early to attract potential legitimate bidders. Detection: To detect this behavior, we use an LTL formula that represents a bid placed on an auction before the elapsed time of the auction has reached a certain time, say 4 hours. The formula defined below is modeled using existence LTL pattern “P becomes true before Q” [13]. #define p (bidFlag == 1) #define q (elapsedAuctionTime > 14400) ([]!q || (!q U (p && !q))) In this pattern, the formula holds true if event p (i.e., bidFlag == 1) becomes true before event q (elapsedAuctionTime is greater than 4 hours) occurs. Analysis: Once shilling behavior BE1 is detected, a quick analysis of the history can be done to determine how early the bid was placed. Based on the time that the bids were first placed on the auction, a shilling score is calculated. BM1: Bid close to the reserve price with no larger bids over the reserve price in the middle stage A reserve price is typically less than the estimated price of an auctioned item, which is defined in this paper as 90 percent of the estimated price. If the current bidding price has not yet been raised to the reserve price, a shill may attempt to push the price higher with bids close to the reserve price. However, placing bids higher than the reserve price could be risky for the shill bidder because the shill bidder may accidentally win the auction. Detection: The detection of this behavior is similar to that of behavior BE2, except that behavior BM1 appears in the middle stage. The LTL formula can be defined as follows. #define p ((monitoredBid >(0.8*auc.reservePrice)) &&(monitoredBid <= auc.reservePrice)) #define q (monitoredBid > auc.reservePrice) #define r (elapsedAuctionTime > middleStageStart) <>(r && (<>p && (!<>q))) Analysis: Let [0.8R, R] be a reserve price range, where R is the reserve price. With more bids in the reserve price range without exceeding R, a bidder can be more likely a shill because the bidder is trying to get the price as close to the reserve price as possible. In this case, the bidder should receive a high shilling score. This behavior can be further verified in the final stage. As described in Table 3, BF1 says that when BM1 or BM2 is detected in the middle stage, if the bidder does not place larger bid than the reserve price, the bidder should receive more shilling points. BF2: BM1 detected, and bids with small bid increments over the reserve price in the final stage As an auction draws to the end, a shill bidder may still attempt to gain the highest possible price from other bidders. To avoid driving some other bidders away and accidentally winning the auction, a shill bidder uses a very small increment, as allowed by the auction house. Detection: Detection of this behavior requires checking whether BM1 has been detected, and whether small bid increments appear after BM1 is detected, as well as identifying whether the monitored bid is greater than the reserve price or not. #define #define #define (<>q && p (monitoredInc < 10) q (BM1.detected == 1) r (monitoredBid > auc.reservePrice) ([](!(q && r)) || <>((q && r) && <>p))) Int’l Conf. Software Eng. Research and Practice | SERP’09 | Analysis: Detection of BM1 is critical for detecting shilling behavior BF2 because without behavior BM1, a bid with small bid increments over the reserve price in the final stage could be a very normal bidding behavior. 3.3 Algorithm for real-time shill detection The monitoring agent has two major tasks. The first task is to detect shilling behaviors of a monitored bidder in a live online auction, which is supported by using the SPIN model checker. The second task is to assign shilling scores if any shilling behavior is detected. The major tasks of a monitoring agent can be illustrated by the following algorithm for real-time shill detection. Algorithm: Real-Time Shill Detection 1. create an initial auction model for each involved auction 2. initialize shilling score ss = 0 for monitored bidder mb 3. set warning threshold wt and cancel-auction threshold ct 4. while (any involved auction auc is active) 5. if (monitoredBidEvent or endOfStageEvent occurs in auc) 6. generateIncrementalModel (auc) 7. DAM = CDAM ⊕ IAM 8. select a list of LTL formulas for current stage of auc 9. for each LTL formula for shilling behavior be 10. run SPIN model checker on DAM 11. if (valid) 12. ss += calculateShillingScore (be) 13. if (ss > wt) give warning to bidder mb 14. else if (ss > ct) cancel auction auc 15. update CDAM with DAM for the next iteration 16. save model checking results for IAM in next iteration 17. else blocking As shown in the algorithm, the initial shilling score ss of a monitored bidder is set to 0. The monitoring agent continuously monitors a bidder as long as any of the involved auctions is still active. Once a monitoredBidEvent or endOfStageEvent occurs in auction auc, the DAM for auc is generated by combing the two models CDAM and IAM (denoted by operator ⊕). A list of LTL formulas is selected for the current stage of auc, and each of them is checked using the SPIN model checker. If a certain shilling behavior is detected, a shilling score for that behavior is calculated and accumulated into the total shilling score ss. When ss exceeds the threshold for warning, the monitoring agent sends a warning message to the monitored bidder; on the other hand, if ss becomes larger than the threshold for canceling auction, all bidders on the involved auction will be notified, and the affected auction may be cancelled. 4 Experiments and analysis results To demonstrate the efficiency and effectiveness of our approach, we implemented the real-time model checking module in a monitoring agent. We used some testing auction data generated using a recently implemented software bidding agent that supports specification of model-based bidding strategies [14]. The interface of the software bidding agent allows specification 139 of complex and flexible bidding strategies including normal and shilling ones. The auctioned item in our experiments is a bundle of NintendoWii, Playstation3, and XBox 360 with an estimated price of $1,500 and a reserve price of $1,350. The duration of the agent-based online auction is 48 hours (i.e., 2 days). There are six agent bidders involved, namely Bidder 1 to Bidder 6 with user IDs from 000001 to 000006. Most of the bidders are normal bidders, which are specified with normal bidding strategies, but some bidders (i.e., Bidder 1 and 2) are specified with aggressive strategies that may involve certain shilling behaviors. The detailed procedure of specifying complex and flexible bidding strategy for bidding agents is beyond the scope of this paper, but can be found in our previous work [14]. We now simulate the auction data using CDAM and IAM that are dynamically generated in PROMELA as was described in Section 3.1, and let the model checking module automatically detect shilling behaviors in real-time. Figure 4 illustrates some model checking results for Bidder 1 (UserID: 000001) in the early stage of the agent-based online auction. Figure 4. Model checking results for Bidder 1 (ID: 000001) From Figure 4, we can see that shilling behavior BE1 and BE4 are detected for Bidder 1 in the early stage of the auction, and shilling scores are accumulated in real-time. Note that to simplify matters, we used a flat scoring strategy in our current implementation, where a constant value of 2 is added to the monitored bidder’s accumulative shilling score each time a shilling behavior is detected. A more complex strategy for scoring would give a more accurate scoring mechanism, which will be implemented in a future version of the real-time model checking module. Similarly, we run the model checking program for Bidder 2 and Bidder 3, and record the shilling scores of all three bidders over the auction time, as illustrated in Figure 5. Now if we set the threshold for warning as 15, Bidder 1 and 2 will receive a warning message around 18 and 35 hours after the auction starts, respectively (denoted by the two circles on the line with shilling score of 15 in Figure Int’l Conf. Software Eng. Research and Practice | SERP’09 | 140 5). If the threshold for cancelling an auction is set at 25, the auction will be cancelled around 2 hours before the auction ends (denoted by the circle on the line with shilling score of 25 in Figure 5). Since Bidder 3’s shilling score never exceeds 15, we consider this bidder to be a normal bidder. Note that the determination of the thresholds are somehow subjective in this example; however, as the simulation results show, warnings are typically issued in the middle stage of an auction, while the action of cancelling an auction, which is a serious decision, shall be taken in the final stage of the auction. [2] [3] [4] [5] 30 Bidder 1 Bidder 2 Bidder 3 Shilling Score (Points) 25 20 [6] 15 10 [7] 5 0 0 5 10 13 18 Auction Time (Hours) 32 46 [8] Figure 5. Comparison of shilling scores for three bidders. 5 Conclusions and future work Shilling behaviors are becoming a more and more serious problem in online auctions, which may greatly damage the reputation of an auction house. In this paper, we present a real-time model checking approach to detecting shilling behaviors in live online auctions. Our approach supports creation of a dynamic auction model in real-time and timely detection of shilling behaviors in order to take appropriate actions. Our experimental results show that our approach is effective and efficient, and it is our vision that a real-time model checking module can be easily incorporated into the agent-based trust management (ATM) framework for trustworthy online auctions [11]. In future work, we will implement the ATM framework with the real-time model checking approach introduced in this paper. We also plan to extend our current approach to develop a concurrent dynamic auction model (CoDAM) for multiple online auctions, and demonstrate how a shill bidder can be detected in real-time when concurrent online auctions are involved. 6 References [1] D. H. Chau, S. Pandit, and C. Faloutsos, “Detecting Fraudulent Personalities in Networks of Online Auctioneers,” In Proceedings of the 10th European Conference on Principles and Practice of Knowledge Discovery in Database (PKDD 2006), Berlin, Germany, September 2006, pp. 103-114. [9] [10] [11] [12] [13] [14] H. Xu and Y-T. Cheng, “Model Checking Bidding Behaviors in Internet Concurrent Auctions,” International Journal of Computer Systems Science & Engineering (IJCSSE), July 2007, Vol. 22, No. 4, pp. 179-191. G. J. Holzmann, “The Model Checker SPIN,” IEEE Transactions on Software Engineering, Vol. 23, No. 5, 1997, pp. 279-295. R. J. Kauffman and C. A. Wood, “Running up the Bid: Modeling Seller Opportunism in Internet Auctions,” In Proceedings of the Sixth Americas Conference on Information Systems (AMCIS 2000), M. Chung (Ed.), Long Beach, CA, 2000, pp. 929-935. R. Bapna and A. Gupta, “Online Auctions: A Closer Look,” In The E-Business Handbook, P. B. Lowry, R. J. Watson, and J. O. Cherrington (Eds.), St. Lucie Press, Boca Raton, FL, 2002, pp. 85-98. C. Dellarocas and P. Resnick, “Online Reputation Mechanisms: A Roadmap for Future Research,” Summary Report of the First Interdisciplinary Symposium on Online Reputation Mechanisms, April 26-27, 2003. C. A. Wood, M. Fan, and Y. Tan, “An Examination of the Reputation Systems for Online Auctions”, In Proceedings of the Workshop for Information Systems and Economics (WISE 2002), Spain, December 2002. S. Rubin, M. Christodorescu, V. Ganapathy, J. Giffin, N. Kidd, L. Kruger, and H. Wang “An Auctioning Reputation System Based on Anomaly Detection,” In Proceedings of the 12nd ACM Conference on Computer and Communication Security (CCS), Alexandria, VA, USA, November 2005. V. Shmatikov and C. Talcott, “Reputation-Based Trust Management,” Journal of Computer Security, Special Issue on Selected Papers of WITS 2003, Roberto Gorrieri (Ed.), Vol. 13, No. 1, 2005, pp. 167-190. A. Boukerche and L. Xu, “An Agent-based Trust and Reputation Management Scheme for Wireless Sensor Networks,” In Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM), Vol. 3, St. Louis, MO, November 2005, pp. 1857-1861. H. Xu, S. M. Shatz, and C. K. Bates, “A Framework for Agent-Based Trust Management in Online Auctions,” In Proceedings of the 5th International Conference on Information Technology: New Generations (ITNG 2008), Las Vegas, NV, April 7-9, 2008, pp. 149-155. J. Trevathan and W. Read, “Undesirable and Fraudulent Behaviour in Online Auctions,” In Proceedings of the International Conference on Security and Cryptography Conference, Portugal, August 2006, pp. 450-458. M. B. Dwyer, G. S. Avrunin, and J. C. Corbett, “Patterns in Property Specifications for Finite-State Verification,” In Proceedings of the 21st International Conference on Software Engineering (ICSE’99), Los Angeles, CA, 1999, pp. 16-22. B. J. Ford, H. Xu, C. K. Bates, and S. M. Shatz, “ModelBased Specification of Flexible and Complex Bidding Strategies in Agent-Based Online Auctions,” In Proceedings of the 6th International Conference on Information Technology: New Generations (ITNG 2009), Las Vegas, NV, April 27-29, 2009.