Defending Sybil Attack in Peer2Peer Networks - PowerPoint PPT Presentation

About This Presentation
Title:

Defending Sybil Attack in Peer2Peer Networks

Description:

Title: PowerPoint Presentation Last modified by: popel Created Date: 1/1/1601 12:00:00 AM Document presentation format: On-screen Show (4:3) Other titles – PowerPoint PPT presentation

Number of Views:151
Avg rating:3.0/5.0
Slides: 92
Provided by: tanviramin
Category:

less

Transcript and Presenter's Notes

Title: Defending Sybil Attack in Peer2Peer Networks


1
Defending Sybil Attack in Peer2Peer Networks
Distributed Search Techniques
Md. Tanvir Al Amin 04 09 05 2064 Shah Md. Rifat
Ahsan 10 09 05 2060 Adviser Dr. Reaz Ahmed
2
Sybil Attack
  • A fundamental problem in distributed systems.
  • Single user assumes many fake/sybil identities
  • Already observed in real-world p2p systems
  • Sybil identities can become a large fraction of
    all identities
  • Out-vote honest users in collaborative tasks

honest
malicious
3
Sybil attack
  • Present in both Application level and P2P
    Networking
  • Attacker creates many fake/sybil identities
  • Many cases of real world attacks Digg, Youtube
  • Several research works shown how easy it was to
    subvert DHT like Chord or Kademlia using Sybil
    Attack

Automated sybil attack on Youtube for 147!
4
Defending against Sybil attacks
  • Traditional solutions rely on central trusted
    authorities
  • Runs counter to open membership policies of OSNs
  • Recent proposals leverage social networks
  • Lots of research activity recently
  • Each optimized under assumptions about the graph
    structure
  • Each evaluated on different datasets

SybilGuard SIGCOMM06 SybilLimit
Oakland08 Ostra NSDI08 SumUp
NSDI09 SybilInfer NDSS09 Whanau
NSDI10 MobID INFOCOM10
All schemes analyze the graph structure to
isolate Sybils
5
Defending against Sybil attacks
  • Recent proposals leverage social networks
  • Key Insight Social links are hard to acquire in
    abundance
  • Look for small cuts in the graph
  • Conversely, look for communities around known
    trusted nodes
  • Dunbars Number
  • Power law node degrees

Links difficult to create
6
How Do Social Networks look like
7
SybilGuard Defending Against Sybil Attacksvia
Social Networks
  • Sybilguard is a system for detecting Sybil nodes
    in social graphs.
  • Features of Sybil Guard
  • SybilGuard enables an honest node to identify
    other nodes
  • Verifier node V can verify if suspect node S is
    malicious
  • Guaranteed bound on number of sybil groups
  • Guaranteed bound on size of sybil groups
  • Completely decentralize
  • Key Insight
  • 1. Use a social network to limit Sybils
  • 2.Social links are hard to acquire in abundance
  • 3.Look for small cuts in the graph

DBLP Network
8
Dunbars number
  • Limits the of stable social relationships a
    user can have
  • To less than a couple of hundred
  • Linked to size of neo-cortex region of the brain
  • Observed throughout history since hunter-gatherer
    societies
  • Roughly reported to be 150
  • Also observed repeatedly in studies of OSN user
    activity
  • Users might have a large number of contacts
  • But, regularly interact with less than a couple
    of hundred of them

9
Power-law node degrees
U.S. highways
U.S. Airlines
10
Path lengths and diameter
  • all major networks have short path length from
    4.25 5.88
  • six degrees of separation

Facebook, 4.2 million for Octorber 2007, 6.12 from
http//blog.paulwalk.net/2007/10/08/no-degrees-of-
separation/
11
Implications of Path lengths and diameter
The small diameter and path lengths of social
networks are likely to impact the design of
techniques for finding paths in such networks
12
Link degree correlations
  • high-degree nodes tend to connect to other
    high-degree nodes ? OR
  • high-degree nodes tend to connect to low-degree
    nodes ?
  • In real society the former theory is true.
  • By virtue of two metrics the scale-free metric
    and the assortativity.
  • Suggests that there exists a tightly-connected
    core of the high-degree nodes which connect to
    each other, with the lower-degree nodes on the
    fringes of the network.
  • The next question How big the core is

13
Implications of Link degree correlationsSpread
of Information
A Measurement-driven Analysis of Information
Propagation in the Flickr Social Network WWW
09
14
Densely connected core
  • the graphs have a densely connected core
    comprising of between 1 and 10 of the highest
    degree nodes such that removing this core
    completely disconnects the graph.

Sub logarithmic growth
15
Densely connected core
  • the graphs have a densely connected core
    comprising of between 1 and 10 of the highest
    degree nodes such that removing this core
    completely disconnects the graph.

Sub logarithmic growth
16
Implications of densely connected core
  • Network contains dense core of users
  • Core necessary for connectivity of 90 of users
  • Most short paths pass through core
  • Could be used for quickly disseminating
    information
  • So 10 at core
  • What about remaining nodes (90 at fringe)

17
What does the structure look like
the networks contain a densely connected core of
high-degree nodes and that this core links
small groups of strongly clustered, low-degree
nodes at the fringes of the network.
octopus
18
Mixing time
  • Random walk choose each hop randomly
  • Mixing time hops until uniform probability
  • Fast mixing network mixing time O(log n)

19
Sampling by random walks
  • A random walk has o(1) chance of escaping
  • True when g bounded by o(n/log n)
  • Of r walks, (1-o(1))r O(r) end nodes are good!
  • Cant distinguish good from bad nodes in set

Honest region
Sybil region
escaping paths
non-escaping path
20
Creating Social Link Is Hard
21
Social links maintained over Internet
22
Social network

23
Social network
Honest region
Attack edges

A malicious user fools an honest user Creates an
attack edge
24
Sybil resilience group attachment theory
  • Sybil schemes find bond groups around a trusted
    node
  • But, these are only a fraction of all honest
    nodes
  • Bond groups are hard for Sybils to infiltrate
  • Not the case with identity groups

25
SybilGuard
  • Yu, Kaminsky, Gibbons, Flaxman, Sigcomm 2006

26
Problem Formulation and Objective
  • Social network
  • n honest human users
  • 1 malicious users multiple sybil identities
  • SybilGuard enables an honest node to identify
    other nodes
  • Verifier node V can verify if suspect node S is
    malicious

27
SybilGuard
  • Guaranteed bound on number of sybil groups
  • Divides n nodes into m equivalence classes
  • A group is sybil if it contains 1 sybil nodes
  • Guaranteed bound on size of sybil groups
  • In a group, at most w sybil nodes
  • Completely decentralized
  • An honest node accepts honest nodes with high
    probability
  • Rejects malicious nodes with high probability
  • Accepts bounded number of sybil nodes

28
Random Routes
  • Foundation of SybilGuard different from random
    walk
  • Random route begins at a random edge of a node
  • At every node
  • For an incoming edge i, there is a unique
    outgoing edge j
  • Thus, input to output is one-to-one mapped
  • A node A with d neighbors uniformly randomly
    chooses a permutation x1,x2, . . . ,xd among
    all permutations of 1,2, . . . ,d.
  • If a random route comes from the ith edge, A uses
    edge xi as the next hop.

29
SybilGuard Algorithm
  • Attack Model
  • n honest users One identity/node each
  • Malicious users Multiple identities each (sybil
    nodes)
  • node A verify node B
  • A computes d random routes (length w)
  • B computes d random routes (length w)
  • If d/2 random routes intersects, accept S
  • Else reject S
  • If few attack edges, then a sybil nodes random
    route is less likely to reach honest region
  • And vice-versa

30
Main Assumptions of SybilGuard
Attack edges
Honest Nodes
Sybil Nodes
31
Properties of Random Routes
  • Convergence
  • Once two routes merge, they will remain merged
  • Routes are back-traceable
  • There can be only one route with length w that
    traverses e along the given direction at its ith
    hop
  • If two random routes ever share an edge in the
    same direction, then one of them must start in
    the middle of the other
  • Cycles can exist, but with low probability
  • Prob. (diameter k cycle) 1/d(k-2)

32
Sybilguard Algorithm
Steps 2 Choose a verifier (A) and a suspect
(B). A and B send out random walks of a certain
length (2). Look for intersections. A knows B is
not a Sybil because multiple paths intersect and
they do so at different nodes.
  • Step 1
  • Bootstrap the network.
  • All users exchange signed keys.
  • Key exchange implies that both parties are human
    and trustworthy.

32
33
SybilGuard Algorithm, cont.
B
33
34
SybilGuard Caveats
  • Bootstrapping requires human interaction.
  • Assumes short random walks lie mostly in the
    honest region
  • Results in poor threshold to colluding attackers.
  • In a million node network ,each attack edge
    accepts nearly 2000 sybil nodes.
  • In million node network , SybilGuard cannot bound
    the number of sybils at all if there are gt 15,000
    attack edges .

35
SybilLimitA Near-Optimal Social Network Defense
Against Sybil Attacks
36
SybilLimitA Near-Optimal Social Network Defense
Against Sybil Attacks
  • Motivation To mitigate the problems of
    SybilGuard.
  • Basic insight Social network (same as
    SybilGuard)
  • SybilLimit Novelity
  • 1. use many random routes but shorter ones.
  • 2. intersect edges not nodes
  • 3. limit how often each edge is used.

37
Identity Registration
  • Each node (honest or sybil) has a locally
    generated public/private key pair
  • Identity V accepts S means V
    accepts Ss public key KS
  • NO assumption/need PKI
  • Every suspect S registers KS on some other nodes

38
Registration Goals
K registered keys of sybil nodes
  • Ensure that sybil nodes (collectively) register
    only on limited number of honest nodes
  • Still provide enough registration opportunities
    for honest nodes

K registered keys of honest nodes
K
K
K
K
K
K
sybil region
honest region
39
Acceptance Criteria
K registered keys of sybil nodes
K registered keys of honest nodes
  • Accept S only if KS is register on sufficiently
    many honest nodes

K
K
K
K
K
K
K
K
K
K
K
K
K
K
K
K
sybil region
honest region
40
Key Idea
  • Take random walks of w
    hops
  • Honest nodes likely to remain in honest region
  • Sybil nodes must cross an attack edge to reach
    honest region
  • Register key at last hop of walk


41
Verification Procedure
S
V
3.common tail E?F
4 messages involved
V accepts S Tails intersect key
registered
42
Sybil nodes accepted
Attack edges SybilGuard SybilLimit



between
unbounded
and
unbounded
unbounded
43
SybilInfer How to Win the Zombie Wars!
  • Prateek Mittal, George Danezis (MSRC
    Intern) (MSR Cambridge)

44
SybilInfer
  • Work from UIUC and Microsoft Research
  • A centralized algorithm
  • Uses the fast mixing properties of social network
    to design a Bayesian Classifier
  • Classify nodes

45
Formal Model
  • Assign probabilities of cuts being honest
  • Using Bayes Theorem, we have that
  • Next Challenge Model

46
Formal Model
X
X
47
Sybil proof DHT
48
Distributed Hash Table
  • Interface PUT(key, value), GET(key)?value
  • Route to peer responsible for key

GET( sip//alice_at_foo )
PUT( sip//alice_at_foo, 18.26.4.9 )
49
DHTs are subject to the Sybil attack
  • Attacker creates many pseudonyms
  • Disrupts routing or stabilization

IDt
50
The Sybil attack on open DHTs
Brute-force attack
Clustering attack
51
Sybil Proof DHT
  • How to build a sybil resilient DHT ?

52
Works from MIT PDOS Group
  • Parallel and Distributed Operating Systems
  • Quest to build Sybil Proof DHT
  • Sybil-resistant DHT routing 2005
  • A Sybil proof One hop DHT SocialNets 2008
  • Whanau NSDI 2010

53
A Sybil proof one hop DHT
  • Motivation
  • SybilGuard/SybilLimitNot a DHT, but a general
    Sybil defense
  • Honest node accepts at most O(g log n) Sybils
  • Features
  • DHTs are subject to the Sybil attack
  • Social networks provide useful information
  • Created a Sybil-resistant one-hop DHT
  • Resistant to g o(n/log n) attack edges
  • Table sizes and routing BW O(vn log n)
  • Uses O(1) messages to route

54
Basic one-hop DHT design
  • Construct finger table by r random walks
  • Route to t by asking all fingers about t
  • If r O(vn log n), some finger knows t WHP
  • Adversary cannot interfere with routing

s
ts IP address
r
forwarded message from s
r
55
Properties of this solution
  • Finger table size r O( )
  • Bandwidth to construct O(r log n) bits
  • Bandwidth to query O(r) messages
  • Probability of failure 1/poly(n)

56
Whanau A Sybil-Proof Distributed Hash Table
  • Chris Lesniewski-Laas M. Frans Kaashoek NSDI 2010

57
Contribution
  • Whanau an efficient Sybil-proof DHT protocol
  • GET cost O(1) messages, one RTT latency
  • Cost to build routing tables O(vN log N)
    storage/bandwidth per node (for N keys)
  • Oblivious to number of Sybils!
  • Proof of correctness
  • PlanetLab implementation
  • Large-scale simulations vs. powerful attack

58
Social network
Honest region
Attack edges

59
Random walks
c.f. SybilLimit Yu et al 2008
60
Building tables using random walks
c.f. SybilLimit Yu et al 2008
  • What have we accomplished?
  • Small fraction (e.g. lt 50) of bad nodes in
    routing tables
  • Bad fraction is independent of number of Sybil
    nodes

61
key value


Put(key, value)
Put Queue
key
Setup
Lookup
value
Social Network
Routing Tables
62
Routing table structure
  • O(vn) fingers and O(vn) keys stored per node
  • Fingers have random IDs, cover all keys WHP
  • Lookup query closest finger to target key

Aardvark
Zyzzyva
Finger tables (ID, address)
Key tables (key,value)
Kelvin
Keynes
63
From social network to routing tables
  • Finger table randomly sample O(vn) nodes
  • Most samples are honest

ID IP address
64
Honest nodes pick IDs uniformly
Plenty of fingers near key
65
Sybil ID clustering attack
Many bad fingers near key
Hypothetical scenario 50 Sybil IDs, 50 honest
IDs
66
Honest layered IDs mimic Sybil IDs
Layer 0
Layer 1
67
Every range is balanced in some layer
Layer 0
Layer 1
68
Two layers is not quite enough
Layer 0
Layer 1
Ratio 1 honest 10 Sybils
Ratio 10 honest 100 Sybils
69
Log n parallel layers is enough
Layer 0
Layer 1
Layer 2
Layer L
  • log n layered IDs for each node
  • Lookup steps
  • Pick a random layer
  • Pick a finger to query
  • GOTO 1 until success or timeout

70
From Social relations to Routing Tables
key value


Put(key, value)
Put Queue
key
Setup
Lookup
value
Social Network
Routing Tables
71
Problems
  • Whanaus goal is to create a Sybil proof DHT
  • Which ensures delivery
  • Whanau uses the idea of random walk in fast
    mixing graphs
  • Whanau has changed the basic structure of DHT
  • Tables contain O(vn log n) entries !!
  • The DHT has become a one hop DHT
  • But O(vn) entries are insane !!
  • Think of a DHT with 100000000 users
  • How to handle churn ??

72
OuR IDEA of a sybil proof p2p Application
73
Problems of present solutions
  • SybilGuard and SybilLimit results in lots of
    false positives
  • The system should try to capture Sybil-like
    behavior.
  • Though sybil-like behavior is also not an
    indicator, but together with the other evidence,
    it should work stronger.
  • Whanau changes the basic structure of DHT to a
    multi-layer, ID unordered, one-hop one.
  • If one need to alter the structure of some DHT,
    it effectively means that the its structure has a
    inherent design flaw inside, which makes it
    vulnerable.

74
Problems of the present solutions
  • As a design methodology, open systems are often
    uncontrollable.
  • Systems with feedback stabilize easily. There
    should be a feedback mechanism via ratings which
    is  not present in any of the protocols.
  • In whanau, a node have to save O(sqrt(n) log n)
    nodes the finger table.
  • 108 members in a DHT is possible in the upcoming
    era of distributed systems, and far more members
    will be a commonl case when IPv6 will become
    general. Having a table size growing at this rate
    doesnt scale well.

75
Our Idea
  • Primarily, we dont want to change the basic
    structure of a DHT to apply security patches in
    it.
  • For a P2P application, our idea is to divide the
    responsibility in three layers.
  • Network-Access Layer
  • DHT Layer
  • Application Layer

76
Security
  • Security is imposed via four mechanism
  • Admission control at Application layer
  • Social trust, Friendship, controlled at
    Application layer
  • Application Object (Files or other shared items)
    rating and Rating behavior recording (determined
    at application layer)
  • Routing behavior rating, Query reply rating and
    rating behavior recording (determined at DHT
    Layer)

77
Security
  • A new node can not perform any DHT lookup, or can
    not perform in any DHT level ratings.
  • May or may not perform Application object
    ratings, depending on application policy
  • May not have full permissions capabilities at
    application (depending on the application
    policy).  
  • Can not make social relationships with another
    new or immature node

78
  • Explanation of the lookup process for immature
    nodes
  • Any friend of an immature node should work as
    the proxy for it (only for DHT lookup process).
    Content object / Shared files will be exchanged
    directly, but as the immatured nodes can not have
    acess to DHT.
  • All lookup for them will be done by its matured
    friends. It may want to load balance the queries
    among the friends. And the content / files shared
    by the child, will also be represented by their
    parents / friends. Any lookup of that content
    should return the IP address of a friend /
    parent.

79
  • However, the friend / parent will then provide
    the IP address of the child. Then the file
    transfer can work directly. However, based on the
    behavior of its provided content, first class
    citizens / DHT members will rate it. If the new
    node gets bad rating, its probability of becoming
    a DHT member will be less.

80
Our idea of a sybil proof dht
81
Our Idea
  • We are given a social graph
  • Each node knows about their friends in the social
    graph
  • Same assumptions about SybilGuard or Whanau
  • Fast mixing graphs
  • Small cut around attack edges
  • o(n/log n) attack edges at most

82
Our Motivation for DHT
  • Isnt it possible to keep the basic routing
    features of a DHT while making it sybil
    resilient?
  • O(log n) table size
  • Lookup should take O(log n)
  • We should use social information to build the DHT

83
Bootstrapping the DHT
  • Here comes the fundamental question
  • How to convert a given social graph into a DHT
  • So that the socially connected nodes are near
  • Socially far nodes are far in the DHT
  • Sybil nodes require significant amount of social
    engineering to be strongly connected members of a
    social group

84
A new type of DHT
  • We want to build a DHT
  • Where distance between two nodes in the DHT-Space
    is related to their social-distance
  • i.e, two friends in the social graph are expected
    to be one-hop distant in the DHT-Space
  • Most of the queries will be through friends
  • Hence, the probability of reaching a Sybil node
    is less
  • We use the idea of Plexus
  • A novel DHT routing based on linear block codes
  • Plexus A Scalable Peer-to-Peer Protocol Enabling
    Efficient Subset Search Reaz Ahmed and Raouf
    Boutaba
  • ACM/ IEEE TON Feb 2009

85
Plexus Index Clustering
Linear code, C ltn,k,dgt Cluster head ?
Codeword Generator matrix based routing
C set of cluster heads
lt7, 4, 3gt Hamming code
86
Linear Binary Code
  • C ltn, k, dgt linear binary code
  • n number of bits in a codeword
  • k dimension ? 2k codeword in code
  • d minimum distance between any pair of codeword
  • e.g., G24?24, 12, 8?
  • Generator Matrix G,
  • 2k codeword can be formed by applying XOR to any
    combination of these k codewords.

87
Plexus Routing Table
  • In a complete network each peer is responsible
    for a codeword
  • Peer with codeword X maintains links to k1 peers
    with IDs computed as
  • Xi X ? gi 1?? i ? k
  • Xk1 X ? g1 ? g2 ? ? gk
  • Xk1 is used for
  • Replication
  • Reducing routing cost

88
Plexus Routing
  • Observation C is closed under ? operation

X21X2?g1 X23X2?g3 X2kX2?gk
X231X23?g1 X235X23?g5 X23kX23?gk
X1X?g1 X2X?g2 XkX?gk
89
Strengths of Plexus Routing
  • Hamming distance based clustering indexing
  • Maximum routing hops (within a subnet)
  • ½ K in normal condition
  • ½ K 2 in presence of failure.
  • Disjoint routing paths
  • Source X destination Y
  • X?Y is disjoint from X?YK1
  • Alternate routing paths
  • Suitable for Multicasting
  • Improved fault resilience
  • Improved load balancing

90
Social Network to Plexus
  • Now, the problem reduces to assigning appropriate
    linear block codes to the nodes
  • How to do that ?

91
Naïve Idea
  • All nodes u know their friends F1(u). All nodes u
    send F1(u) to all of their friends.
  • At this point, Every node u, in addition to
    F1(u), can calculate its "mutual friend list" for
    each of its friends. For any two friends u, v  
  • Their mutual friend set is
  • Every node u, can also calculate F2(u), its exact
    two-hop distant friend list.

92
Naïve Idea
  • Each node u, sorts their friends according to an
    "influence metric. For each friend v of a node
    u, Influence(u,v)   Influence of v on u I (u,
    v)
  • it is highly probable that a sybil node will have
    very low influence on an honest node via attack
    edge due to very small number of mutual friends.
  • However not only sybils, but also a common friend
    of two groups will have low influence on both
    group (however, this case is not handled in any
    algorithms)

93
Naïve Idea
  • Each node u, calculates I(u,v) and I(v,u) for all
    its friends. There are 2deg(u) such quantities.
  • C(u) Those nodes for which u has more influence
    on v than v has on u
  • P(u) Those nodes for which v has more influence
    on u than u has on v.
  • and R(u) Those nodes for which u and v both has
    same influence on each other

94
Naïve Idea
  • max C(u) x The friend, on which u is
    maximum influential.
  • However, it doesnt mean x doesnt have a friend
    more influential than u. It means, u does not
    have a friend on which it has more influence than
    it has on x.
  • max P(u) y The friend which has the
    highest influence on u.
  • It also doesnt mean y doesnt have friends on
    which it has more influence than it has on u.
  • max R(u) z The friends which has same
    influence on u as u has on them.

95
Naïve Idea
  • lx   I(x,u)  Iy  I(u,y) ,  Iz I(u,z)
    I(z,u)MI Ix, Iy, IzIf Max MI   Ix u
    is an influencial nodeIy u is an
    influenced nodeIz u is an neutral node

96
Naïve Idea
  • Action D If u is influenceD, it decides not
    to generate any ID, and decides to take command
    from y. It sends a message to y that it has come
    into his control.Action L If u is an
    influentiaL node, it decides to generate ID for u
    and some of F1(u) and F2(u)Action N If u is
    Neutral, then decides Action L or Action D by a
    uniform bernoulli trial.

97
  • Now, u generates ID for itself, for those of
    Gang(u).
  • It will try to keep friend IDs as close as
    possible, also those of Gang(u) which are friends
    themselves will get close ID as  possible.
  • u will inform all of Gang(u) all the ids
    generated by it.
  • Members of Gang(u) will take care of id
    generation of their neighbors

98
  • But how to handle collision ?
  • Some gossip protocols needed !!

99
Naïve Idea
  • Thus Ids will be assigned in the code space
    according to their Social Groups
Write a Comment
User Comments (0)
About PowerShow.com