SybilGuard:%20Defending%20Against%20Sybil%20Attacks%20via%20Social%20Networks - PowerPoint PPT Presentation

About This Presentation

Title:

SybilGuard:%20Defending%20Against%20Sybil%20Attacks%20via%20Social%20Networks

Description:

Random routes direct random walk for all nodes. Pre-computed random permutation ... Node A performs short random walk (e.g. 10 hops) at node B ... – PowerPoint PPT presentation

Number of Views:379

Avg rating:3.0/5.0

Slides: 42

Provided by: chan76

Category:

more less

Transcript and Presenter's Notes

Title: SybilGuard:%20Defending%20Against%20Sybil%20Attacks%20via%20Social%20Networks

1
SybilGuard Defending Against Sybil Attacks via
Social Networks

Haifeng Yu
Michael Kaminsky
Phillip B. Gibbons
Abraham Flaxman
Presented by
John Mak, Janet Yung

2
Outline

Introduction to Sybil Attack
Model Problem formulation
Sybil Guard Overview
Simulation Result Analysis
Conclusion
Our views

3
Introduction to Sybil Attack

P2p and decentralized, distributed systems
particularly vulnerable
Malicious user obtains multiple fake identities
Gain large influence by out vote honest users

4
Introduction to Sybil Attack

Malicious user obtains multiple fake identities
Malicious behavior becomes a norm (e.g. Byzantine
failures)
Many protocols assume lt 1/3 malicious nodes
Easily create 1/3 nodes ? Break defense

5
Introduction to Sybil Attack

Centralized authority
Control Sybil attack easily
Verify real life credential
Hard for worldwide to trust
Single point of failure bottleneck, DOS
Scare away potential users requires sensitive
information

6
Introduction to Sybil Attack

Decentralized approach is hard
Harvest (Steal) IP addresses
No common IP prefix ? Hard to filter
Advertise BGP route on unused block of IP address
Botnet - Co-opt large number of end-user machines

7
Introduction to Sybil Attack

Not very successful defense approaches
Resource-challenge approach (computational
puzzles)
Network coordinates
Reputation system based on historical behavior

8
Model Problem Formulation

Users
n honest users single identity
1 malicious user multiple identities
Identity
Also called node
Sybil identity malicious users identity
Defense system
Verifier node V accept another node S
Ideally, V only accept honest nodes.

9
Model Problem Formulation

Bounding no. of sybil groups
Divide all nodes into at most g equivalence
groups
Sybil Group equivalence group contains at least
one Sybil node
Defense system guarantees no. of groups, without
need to know if the group is sybil

10
Model Problem Formulation

Bounding size of Sybil Group
at most w nodes in a group
limit no. of sybil nodes accepted each node can
accept
Summary
decentralized
honest node accepts, and is accepted by most
other honest nodes
honest node accepts a bounded number of sybil
nodes.

11
Social Network

Consists of users (nodes)
Human established trust relationships
Nodes connected by an edge (friend)
Real life relationship can bound both the number
and size of sybil groups
Usually degree 30
Malicious user fools honest user to trust him/her
an attack edge connected a malicious user and an
honest user

12
SybilGuard Overview

Ensures honest user share at most one edge with
sybil nodes created by a malicious user
A protocol enables honest nodes to accept a large
fraction of the other honest nodes
SybilGuard does not increase or decrease the
number of edges in the social network as a result
of its execution

13
SybilGuard Overview

Random routes direct random walk for all nodes
Pre-computed random permutation
one-to-one mapping from incoming edges to
out-going edges
Random routes
convergence property
back-traceable property
Multiple random routes of a certain length (w)

14
Random route

Basis of SybilGuard
Honest node (verifier) decides whether or not to
accept another node (suspect)
Honest nodes random route
highly likely to stay within the honest region
Highly likely to intersect within (w) steps
If there are (g) attack edges, the number of
sybil groups is bounded by (g)

15
Fast mixing property

Assume social networks tend to be fast mixing,
which necessarily means that subsets of honest
nodes have good connectivity to the rest of the
social network
Assume the verifier is itself an honest node

16
Attack edge
17
Key exchange

Each pair of friendly nodes shares a unique
symmetric secret key (password) called the edge
key
Key distribution is done out-of-band
Each honest node constrains its degree within
some constant (e.g. 30) in order to prevent the
adversary from increasing the number of attack
edges (g) dramatically

18
Limits attack edges

Limited number of attack edges (g)
Adding new attack edge needs out-of-band
verification
Malicious users
Hard to convince honest users to be friends
Quite difficult to do on a large scale

19
Common ways adversary may use to increase g

Befriending with honest users in real life
Convince honest node to accept sybil nodes as
friends
Compromises a large fraction of nodes in the
system.
The adversary does not even need to launch a
sybil attack. SybilGuard will not help here.
Botnet
Challenging to acquire a botnet containing many
nodes that already in the system.

20
Random route

Convergence property
Once two routes traverse the same edge along the
same direction, they will merge and stay merged
(i.e. the convergence property)
Back-traceable property
Using a permutation as the routing table further
guarantees that the random routes are
back-traceable
There can be only one route with length (w) that
traverses the same section of route (e)

21
Problems of random route

Loop (same edge more than once)
Unlikely to form in a fast mixing graph
Enters the sybil region
Unlikely according toTHEOREM 1. For any
connected and non-bipartite social network, the
probability that a length-w random walk starting
from a uniformly random honest node will ever
traverse any of the g attack edges is upper
bounded by gw/n. In particular, when w
T(vnlogn) and g o(vn/logn), this probability is
o(1).

22
SybilGuard Design

Use redundancy
Instead of performing one random route
A node with degree (d) performs random routes
along each of its edges
Verifier V accept suspect S
If exist d/2 routes from the verifier node
One of Vs route accept S if that route intersect
with one of Ss route

23
Registry table

Each node will maintain and propagate ones
registry tables and witness tables to its
neighbors
SybilGuard requires a node to register with all
(w) nodes along each of its routes by using
public key cryptography
When a verifier V wants to verify S, V will ask
the intersection point between Ss route and Vs
route whether S is indeed registered

24
Registry Witness tables
25
Bandwidth consumption

Studying a one million nodes social network
w2000
Data sent by each node for registry table is
small
Bandwidth consumption acceptable
since the registry table updates are needed only
when social trust relationships change

26
Witness table

Propagated and updated in a similar fashion as
the registry table
Backward
Updated when a nodes IP address changes
Can be done lazily in the verification process

27
Verify process

For a node V to verify a node S
find the intersection nodes for all of its routes
by the witness tables downstream
Authenticates the intersection node one by one by
the private key
Ask that node to check if Ss public key is store
in one of its registry tables.
If Ss public key is found, that route of V will
accept S

28
Verify Process

If more than half of the route from V accept S,
node V will accept node S
V will interact will S later by request S to
encrypt its message by its private key
For the sybil nodes region with (g) attack edges,
Polluted entries in registry tables bounded by
gww/2
still less than half of the total number of
entries ndw
even with gw tends to (n) with (d) being the
degree of each node (d gt 2) and (n) being the
total number of nodes

29
Route length w

Constraints
Must be sufficiently small to ensure remains
entirely within the honest region
Must be sufficiently large to ensure that routes
will intersect with high probability
w related to n
Challenging because we do not know n for a
decentralized system

30
Route length w