SybilGuard: Defending Against Sybil Attacks via Social Networks - PowerPoint PPT Presentation



1
SybilGuard: Defending Against Sybil Attacks via
Social Networks
  • Haifeng Yu
  • Michael Kaminsky
  • Phillip B. Gibbons
  • Abraham Flaxman
  • Presented by
  • John Mak, Janet Yung

2
Outline
  • Introduction to Sybil Attack
  • Model & Problem Formulation
  • SybilGuard Overview
  • Simulation Result Analysis
  • Conclusion
  • Our views

3
Introduction to Sybil Attack
  • P2P and decentralized, distributed systems are
    particularly vulnerable
  • Malicious user obtains multiple fake identities
  • Gains large influence by out-voting honest users

4
Introduction to Sybil Attack
  • Malicious user obtains multiple fake identities
  • Malicious behavior becomes a norm (e.g. Byzantine
    failures)
  • Many protocols assume < 1/3 malicious nodes
  • Easily create 1/3 nodes → Break defense

5
Introduction to Sybil Attack
  • Centralized authority
  • Control Sybil attack easily
  • Verify real life credential
  • Hard for users worldwide to trust
  • Single point of failure: bottleneck, DoS
  • Scares away potential users: requires sensitive
    information

6
Introduction to Sybil Attack
  • Decentralized approach is hard
  • Harvest (Steal) IP addresses
  • No common IP prefix → Hard to filter
  • Advertise BGP route on unused block of IP address
  • Botnet - Co-opt large number of end-user machines

7
Introduction to Sybil Attack
  • Not very successful defense approaches
  • Resource-challenge approach (computational
    puzzles)
  • Network coordinates
  • Reputation system based on historical behavior

8
Model & Problem Formulation
  • Users
  • n honest users: single identity
  • 1 malicious user: multiple identities
  • Identity
  • Also called node
  • Sybil identity: malicious user's identity
  • Defense system
  • Verifier node V accepts another node S
  • Ideally, V only accepts honest nodes.

9
Model & Problem Formulation
  • Bounding no. of sybil groups
  • Divide all nodes into at most g equivalence
    groups
  • Sybil group: an equivalence group that contains at
    least one Sybil node
  • Defense system guarantees the no. of groups, without
    needing to know whether a group is sybil

10
Model & Problem Formulation
  • Bounding size of Sybil Group
  • at most w nodes in a group
  • limits the no. of sybil nodes each node can
    accept
  • Summary
  • decentralized
  • honest node accepts, and is accepted by most
    other honest nodes
  • honest node accepts a bounded number of sybil
    nodes.

11
Social Network
  • Consists of users (nodes)
  • Human-established trust relationships
  • Nodes connected by an edge (friend)
  • Real life relationship can bound both the number
    and size of sybil groups
  • Usually degree 30
  • Malicious user fools honest user to trust him/her
  • An attack edge connects a malicious user and an
    honest user

12
SybilGuard Overview
  • Ensures an honest user shares at most one edge with
    sybil nodes created by a malicious user
  • A protocol that enables honest nodes to accept a large
    fraction of the other honest nodes
  • SybilGuard does not increase or decrease the
    number of edges in the social network as a result
    of its execution

13
SybilGuard Overview
  • Random routes: direct random walk for all nodes
  • Pre-computed random permutation
  • one-to-one mapping from incoming edges to
    out-going edges
  • Random routes
  • convergence property
  • back-traceable property
  • Multiple random routes of a certain length (w)

14
Random route
  • Basis of SybilGuard
  • Honest node (verifier) decides whether or not to
    accept another node (suspect)
  • Honest node's random route
  • highly likely to stay within the honest region
  • Highly likely to intersect within (w) steps
  • If there are (g) attack edges, the number of
    sybil groups is bounded by (g)

15
Fast mixing property
  • Assume social networks tend to be fast mixing,
    which necessarily means that subsets of honest
    nodes have good connectivity to the rest of the
    social network
  • Assume the verifier is itself an honest node

16
Attack edge

17
Key exchange
  • Each pair of friendly nodes shares a unique
    symmetric secret key (password) called the edge
    key
  • Key distribution is done out-of-band
  • Each honest node constrains its degree within
    some constant (e.g. 30) in order to prevent the
    adversary from increasing the number of attack
    edges (g) dramatically

18
Limits attack edges
  • Limited number of attack edges (g)
  • Adding new attack edge needs out-of-band
    verification
  • Malicious users
  • Hard to convince honest users to be friends
  • Quite difficult to do on a large scale

19
Common ways adversary may use to increase g
  • Befriending honest users in real life
  • Convince honest nodes to accept sybil nodes as
    friends
  • Compromise a large fraction of nodes in the
    system.
  • The adversary does not even need to launch a
    sybil attack. SybilGuard will not help here.
  • Botnet
  • Challenging to acquire a botnet containing many
    nodes that are already in the system.

20
Random route
  • Convergence property
  • Once two routes traverse the same edge along the
    same direction, they will merge and stay merged
    (i.e. the convergence property)
  • Back-traceable property
  • Using a permutation as the routing table further
    guarantees that the random routes are
    back-traceable
  • There can be only one route with length (w) that
    traverses the same section of route (e)

21
Problems of random route
  • Loop (same edge more than once)
  • Unlikely to form in a fast mixing graph
  • Enters the sybil region
  • Unlikely according to Theorem 1: For any
    connected and non-bipartite social network, the
    probability that a length-w random walk starting
    from a uniformly random honest node will ever
    traverse any of the g attack edges is upper
    bounded by gw/n. In particular, when
    w = Θ(√n log n) and g = o(√n / log n), this
    probability is o(1).

22
SybilGuard Design
  • Use redundancy
  • Instead of performing one random route
  • A node with degree (d) performs random routes
    along each of its edges
  • Verifier V accepts suspect S
  • If there exist d/2 routes from the verifier node
  • One of V's routes accepts S if that route intersects
    with one of S's routes
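
The random-route mechanics from the slides above (permutation routing tables, convergence, back-traceability, and acceptance by route intersection), as an added example that is not from the presentation or the SybilGuard authors. Assumptions: the node names, the constructed sample graph, the seed, and treating "intersect" as sharing a node are illustrative; registry/witness tables and keys are omitted, and the acceptance threshold is the "more than half" rule.

```python
import random

def build_tables(adj, seed=1):
    """Per node: random permutation mapping incoming edge -> outgoing edge."""
    rng = random.Random(seed)
    tables = {}
    for node, nbrs in adj.items():
        out = list(nbrs)
        rng.shuffle(out)
        tables[node] = dict(zip(nbrs, out))  # one-to-one by construction
    return tables

def random_route(tables, start, first_hop, w):
    """The w directed edges of the route leaving `start` via `first_hop`."""
    route = [(start, first_hop)]
    while len(route) < w:
        prev, cur = route[-1]
        route.append((cur, tables[cur][prev]))
    return route

def back_trace(tables, edge, hops):
    """Back-traceable property: invert the permutation to step backwards."""
    src, dst = edge
    for _ in range(hops):
        inverse = {out: inc for inc, out in tables[src].items()}
        src, dst = inverse[dst], src
    return (src, dst)

def route_nodes(tables, adj, node, w):
    """Node sets visited by each of `node`'s routes (one route per edge)."""
    return [{n for e in random_route(tables, node, nb, w) for n in e}
            for nb in adj[node]]

def accepts(tables, adj, verifier, suspect, w):
    """V accepts S if more than half of V's routes intersect a route of S."""
    s_nodes = set().union(*route_nodes(tables, adj, suspect, w))
    hits = sum(bool(r & s_nodes) for r in route_nodes(tables, adj, verifier, w))
    return hits > len(adj[verifier]) / 2

def sample_graph(attack_edges=()):
    """Constructed input: honest ring h0..h7 with chords, sybil triangle s0..s2."""
    adj = {f"{p}{i}": [] for p, k in (("h", 8), ("s", 3)) for i in range(k)}
    edges = [(f"h{i}", f"h{(i + 1) % 8}") for i in range(8)]
    edges += [(f"h{i}", f"h{i + 4}") for i in range(4)]
    edges += [("s0", "s1"), ("s1", "s2"), ("s0", "s2"), *attack_edges]
    for a, b in edges:
        adj[a].append(b)
        adj[b].append(a)
    return adj
```

Calling `sample_graph([("h0", "s0")])` adds one attack edge (g = 1), so the effect of w on whether honest routes wander into the sybil triangle can be observed by varying `w` and `seed`.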

23
Registry table
  • Each node will maintain and propagate its
    registry tables and witness tables to its
    neighbors
  • SybilGuard requires a node to register with all
    (w) nodes along each of its routes by using
    public key cryptography
  • When a verifier V wants to verify S, V will ask
    the intersection point between S's route and V's
    route whether S is indeed registered

24
Registry & Witness tables

25
Bandwidth consumption
  • Studying a one-million-node social network
  • w = 2000
  • Data sent by each node for registry table is
    small
  • Bandwidth consumption acceptable
  • since the registry table updates are needed only
    when social trust relationships change

26
Witness table
  • Propagated and updated in a similar fashion as
    the registry table
  • Backward
  • Updated when a node's IP address changes
  • Can be done lazily in the verification process

27
Verify process
  • For a node V to verify a node S
  • Find the intersection nodes for all of its routes
    by the witness tables downstream
  • Authenticate the intersection nodes one by one by
    the private key
  • Ask that node to check if S's public key is stored
    in one of its registry tables.
  • If S's public key is found, that route of V will
    accept S

28
Verify Process
  • If more than half of the routes from V accept S,
  • node V will accept node S
  • V will interact with S later by requesting S to
    encrypt its message by its private key
  • For the sybil nodes region with (g) attack edges,
  • Polluted entries in registry tables are bounded by
    g·w·w/2
  • still less than half of the total number of
    entries n·d·w
  • even when g·w tends to (n), with (d) being the
    degree of each node (d > 2) and (n) being the
    total number of nodes

29
Route length w
  • Constraints
  • Must be sufficiently small to ensure the route remains
    entirely within the honest region
  • Must be sufficiently large to ensure that routes
    will intersect with high probability
  • w related to n
  • Challenging because we do not know n for a
    decentralized system

30
Route length w
  • Determine locally by sampling
  • Node A performs a short random walk (e.g. 10 hops)
    ending at node B
  • Assume B is honest (with high probability)
  • A checks the no. of hops needed for intersection
    between their random routes
  • A asks for the witness tables from B.
  • Repeat above, calculate median value.

31
SybilGuard under Dynamics
  • Bypass offline nodes
  • V verifies another node S
  • Probably multiple intersection points
  • V has at least one intersection point online
  • Propagate registry & witness tables
  • User creation / deletion / IP address change
  • Infrequent changes
  • Lookahead route table
  • Store information of next K hops

32
SybilGuard under Dynamics
  • Incremental routing table maintenance
  • Instead of re-creating a new permutation
  • Make changes in current permutation
  • Add
  • X1 → X2 → X3 → X4 → (insert at end)
  • X1 → X2 → (insert here) → X4 → X3
  • Delete 3
  • Before: X1 → X2 → X3 → X4 → X5
  • After: X1 → X2 → X5 → X4

33
Attacks Exploiting Node Dynamics
  • Potential attacks under Node Dynamics
  • Malicious user M changes public key to key2
  • Suppose D→A→B→C
  • Suppose revoke key1
  • Random routes along all directions
  • D's key3 will overwrite key2

34
Probability of Intersection
  • Kleinberg's synthetic social network model
  • a million-node graph with average node degree of
    24

35
Results with no Sybil Attackers
  • Probability of random routes being loops
  • Loop reduces effective length of random route
  • Loop is very rare
  • 99.3% of the routes do not form loops in their
    first 2500 hops

36
Results with no Sybil Attackers
  • Probability of honest node being accepted
  • at least one intersection point online
  • If at least 10 online/offline intersection points
    → verification succeeds
  • In 1 million-node graph
  • w = 300
  • probability 99.96% of having > 10 intersections

37
Results with no Sybil Attackers
  • Estimate random route length w
  • Sampling technique to determine w
  • Node A choose a node B to determine w
  • Node B not necessarily uniformly random
  • Need to re-estimate daily

38
Probability of routes in honest region
  • 1 million-node graph
  • 100% for g < 2000; 99.8% for g = 2500
  • 0.2% -- Nodes befriending sybil attackers

39
Probability of honest nodes being accepted
  • Still 99.8% with 2500 attack edges
  • Redundancy is necessary

40
Our views
  • Hard to link real life to virtual network?
  • My real life friends may not join the virtual
    network
  • Maybe centralized authentication better?
  • 99.8% honest nodes accepted, but 0.2% not
    accepted.
  • The 0.2% is honest

41
Others' views
  • Fast mixing assumption in social network
  • Japanese social network may not mix with US
    social network?