The Sociology of Sybils: Understanding Social Network-based Sybil Defenses

1
The Sociology of SybilsUnderstanding Social
Network-based Sybil Defenses

• Krishna P. Gummadi
• Networked Systems Research Group
• MPI-SWS

2
Sybil attack

• A fundamental problem in distributed systems
• Attacker creates many fake/sybil identities
• Many cases of real world attacks Digg, Youtube

Automated sybil attack on Youtube for 147!
3
Sybil defense

• Using a trusted central authority
• Tie identities to actual human beings
• Not always desirable
• Can be hard to find such authority
• Sensitive info may scare away users
• Potential bottleneck and target of attack
• Hard without a trusted central authority
• Impossible unless using special assumptions
  Douceur 02
• Resource challenges using CPU, b.w., memory are
  not sufficient
• Adversary can have much more resources than
  typical user
• Need some resource that is hard to obtain in
  abundance
• Links in a social network?

4
Leveraging social networksBasic insight

• Resource Constraint
• Bound on number of trust relationships between
  attackers and honest nodes
• Attacker cannot create arbitrarily large of
  edges between honest nodes and Sybil identities
• Assumption edges represent mutual trust
• E.g., colleagues, relatives in real-world
• Not online friends!

honest nodes
5
Several proposals to leverage social nets

• All rely on detecting the topological features
  resulting from the resource constraint
• SybilGuard Sigcomm 06
• SybilLimit Oakland SP 08
• Ostra NSDI 08
• SybilInfer NDSS 09
• SumUp NSDI 09
• Whanau NSDI 10
• MobId INFOCOM 10

6
Example SybilGuard

• The sub-graph of honest nodes is fast mixing

• Disproportionally small cut separating honest and
  Sybil nodes

honest nodes
Cannot search for such a cut using brute-force
7
How SybilGuard worksRandom walk intersection

• Verifier accepts a suspect if the two routes
  intersect
• W.h.p., verifiers route stays within honest
  region
• W.h.p., routes from two honest nodes intersect
• of accepted Sybils lt gw
• g of attack edges
• w random walk length

Verifier
Suspect
sybil nodes
honest nodes
Random walk length w
8
Another example SumUp

• A Sybil resilient vote aggregator
• A central party collects all votes and the social
  graph
• Goal extract a subset of votes
• include at most a few votes from Sybils
• include most votes from honest users

9
Step 1 Designate a vote collector
10
Step 2 Use max-flow to collect votes
11
Step 2 Use max-flow to collect votes
12
Step 3 Assign appropriate link capacities
13
Summary Sybil defense schemes

• A number of Sybil schemes already proposed
• More with each passing conference
• All schemes rely on two common assumptions
• Honest nodes they are fast mixing
• Sybils they do not mix quickly with honest nodes
• But, each relies on its own graph analysis
  algorithm
• E.g., back-traceable random walk intersection,
  bayesian inference from modified random walks,
  max-flow between nodes, betweenness centrality of
  nodes

14
Problem with state of the art

• Fast mixing assumption provides little insight
• Into how the schemes work
• Or what structural properties affect their
  effectiveness
• Neither does the evaluation of the Sybil
  algorithms
• Lots of sensitive parameters that impact results
• Each scheme evaluated on different data sets
• Each scheme performs differently on different
  data sets
• Evaluations assume different adversarial models

15
Rest of the talk

• Investigate several unanswered questions
• How do the different schemes compare against each
  other?
• Do they all find Sybils similarly?
• What types of network structures are vulnerable
  to Sybil attacks?
• How prevalent are such structures in real-world
  social networks?
• And discuss their implications

16
Results summary

• How do the different schemes compare against each
  other?
• Do they all find Sybils similarly?
• All Sybil schemes work by detecting tightly-knit
  node communities
• What types of network structures are vulnerable
  to Sybil attacks?
• When all honest nodes do not form a single
  cohesive community
• How prevalent are such structures in real-world
  social networks?
• Very prevalent! Real-world social communities
  have bounded size

17
Communities in social networks

• Group of users more densely connected than
  overall graph

18
Results summary

• How do the different schemes compare against each
  other?
• Do they all find Sybils similarly?
• All Sybil schemes work by detecting tightly-knit
  node communities
• What types of network structures are vulnerable
  to Sybil attacks?
• When all honest nodes do not form a single
  cohesive community
• How prevalent are such structures in real-world
  social networks?
• Very prevalent! Real-world social communities
  have bounded size

19
How Sybil defense schemes work

• At their core, Sybil schemes partition the
  network
• Into Sybils and non-Sybils
• Partitioning algorithms can be viewed as ranking
  nodes
• With a sliding cutoff determined by parameters

20
How Sybil defense schemes work

• Ranking is independent of an algorithms
  parameters
• Changing parameters yields different partitions

21
Comparing Sybil defense schemes

• Compare their node rankings at different
  partitionings
• How do the partitions formed by the first k nodes
  compare
• Metric Mutual information Strehl 02
• Varies between 0 and 1
• 0 gt no correlation between the partitionings
• 1 gt perfect match

22
Comparing Sybil defense schemes

• All Sybil schemes rank nodes in the local
  community before others
• No correlation between rankings within or outside
  local community

Toy topology with two well defined communities
23
Comparing Sybil defense schemes

• Using a Facebook subgraph
• Nodes from local community ranked before others
• Little correlation between rankings within
  outside the community

24
Comparing Sybil defense schemes

• Using an Astrophysicist network
• Nodes from local community ranked before others
• Little correlation between rankings within
  outside the community

25
Summary Comparing Sybil defense schemes

• All node rankings are biased towards decreasing
  conductance
• When multiple nodes are similarly well connected,
  their orderings can vary in different schemes
• Nodes in cohesive clusters around reference node
  are ranked before others in all schemes
• Sybil defense schemes are effectively detecting
  communities!

26
Rest of the talk

• Investigate several unanswered questions
• How do the different schemes compare against each
  other?
• Do they all find Sybils similarly?
• All Sybil schemes work by detecting tightly-knit
  node communities
• What types of network structures are vulnerable
  to Sybil attacks?
• How prevalent are such structures in real-world
  social networks?
• And discuss their implications

27
What networks are vulnerable to Sybil attacks?

• When non-Sybils are divided into multiple
  communities
• Cannot tell apart Sybils non-Sybils in a
  distant community
• Attackers can launch very effective targeted
  attacks

28
Do non-Sybils form multiple communities?

• Some real-world social networks have high
  modularity
• They exhibit well defined community structures

29
Are networks with stronger community structures
more vulnerable?

• Yes! Networks with higher modularity are more
  susceptible to attacks
• Independent of the Sybil defense scheme used

30
Rest of the talk

• Investigate several unanswered questions
• How do the different schemes compare against each
  other?
• Do they all find Sybils similarly?
• All Sybil schemes work by detecting tightly-knit
  node communities
• What types of network structures are vulnerable
  to Sybil attacks?
• When all honest nodes do not form a single
  cohesive community
• How prevalent are such structures in real-world
  social networks?
• And discuss their implications

31
How often do non-Sybils form one cohesive
community?

• Traditional methodology
• Analyze several real-world social network graphs
• Generalize the results to the universe of social
  networks
• A more scientific method
• Leverage insights from sociological theories on
  communities
• Test if their predictions hold in online social
  networks
• And then generalize the findings

32
Group attachment theory

• Explains how humans join and relate to groups
• Common-identity based groups
• Membership based on self interest or ideology
• E.g., NRA, Greenpeace, and PETA
• Tend to be loosely-knit and less cohesive
• Common-bond based groups
• Membership based on inter-personal ties, e.g.,
  family or kinship
• Tend to form tightly-knit communities within the
  network

33
Dunbars theory

• Limits the of stable social relationships a
  user can have
• To less than a couple of hundred
• Linked to size of neo-cortex region of the brain
• Observed throughout history since hunter-gatherer
  societies
• Also observed repeatedly in studies of OSN user
  activity
• Users might have a large number of contacts
• But, regularly interact with less than a couple
  of hundred of them
• Limits the size of cohesive common-bond based
  groups

34
Prediction and implication

• Strongly cohesive communities in real-world
  social networks will be necessarily small
• No larger than a few hundred nodes!
• If true, it imposes a limit on the number of
  non-Sybils we can detect with high accuracy
• Will be problematic as social networks grow large

35
Verifying the prediction

• In all networks, groups larger than a few 100
  nodes do not remain cohesive
• Small cohesive groups tend to be family and
  alumni groups
• Large groups are often on abstract topics like
  music or politics

Real-world data sets analyzed
36
Rest of the talk

• Investigate several unanswered questions
• How do the different schemes compare against each
  other?
• Do they all find Sybils similarly?
• All Sybil schemes work by detecting tightly-knit
  node communities
• What types of network structures are vulnerable
  to Sybil attacks?
• When all honest nodes do not form a single
  cohesive community
• How prevalent are such structures in real-world
  social networks?
• Very prevalent! Real-world social communities
  have bounded size
• And discuss their implications

37
Implications

• Fundamental limits on social network-based Sybil
  defenses
• Can reliably identify only a limited number of
  honest nodes
• In large networks, limits interactions to a small
  subset of honest nodes
• Might still be useful in certain scenarios, e.g.,
  white listing email from friends
• Social network-based Sybil defense is a misnomer!

38
Future directions

• Leverage information beyond social network
  structure
• E.g., inter-user activity can reveal the strength
  of ties and help eliminate links to Sybils
• Move towards Sybil tolerance
• Rather than preventing users from creating
  multiple identities
• Focus on limiting privileges

39
Summary

• We discussed social network-based Sybil defenses
• Lots of proposed schemes, but little
  understanding
• Of how they compare with each other
• Or what structural properties impact them
• Or how well they would work in real-world social
  networks
• We found that Sybil schemes
• Work by effectively detecting communities
• Are vulnerable in networks with well defined
  community structures
• Can find only a limited number of trustworthy
  nodes in real-world
• Our findings suggest that we need to move beyond
  using only the social network to defend against
  Sybil attacks

40
Thanks! Questions?

• Acknowledgements
• Joint work with Bimal Viswanath, Ansley Post, and
  Alan Mislove
• Thanks to Haifeng Yu and Nguyen Tran for
  illustrations of SybilGuard and SumUp Sybil
  defense schemes