Bài giảng Computer Security - 8. Trust in P2P Systems

8. Trust in P2P SystemsProf. Bharat BhargavaCenter for Education and Research in Information Assurance and Security (CERIAS)andDepartment of Computer SciencesPurdue University bb@cs.purdue.eduCollaborators in the RAID Lab ( Ahmet Burak Can (Ph.D. Student)1Trust in P2P Systems Outline1) Introduction1.1) Mitigating Attacks in P2P Systems 1.2) Assumptions for Peer Interactions2) Contexts of Trust in P2P Systems3) Definitions for the Proposed Solution4) Trust Metrics5) Trust-based Decisions 6) Interaction Evaluation by Peers7) Recommendation Evaluation by Peers8) Simulation Experiments 8.1) Attacker Models for Simulation: Individual attackers/ Collaborators / Pseudospoofers 8.2) Experimental Results21) Introduction1.1) Mitigating Attacks in P2P SystemsMitigating attacks in a malicious P2P environmentUse trust relationships among peers to mitigate attacks in a malicious P2P environmentAlgorithms are needed to establish trust among peersResearch tasks:Propose trust metrics that reflect all aspects of trust.Develop distributed algorithms to manage trust relationships among peers and help them to make decisions using trust metricsDefine methods to evaluate interactions and trust information exchanged among peers (recommendations)31.2) Assumptions for Peer InteractionsPeers use no a priori information to establish trustNo pre-existing trust relationships among peersA peer must contribute and behave well to gain and preserve trust of another peerMalicious behavior of Peer 1 against Peer 2 can easily destroy trust of Peer 2 in Peer 1Trust metrics should have sufficient precisionRequired to rank peers accurately (according their trustworthiness)42) Contexts of Trust in P2P SystemsTwo contexts of trust — w.r.t. performing 2 different tasks:Providing services to other peers Giving recommendations to other peers.These contexts considered separatelyA peer might simultaneously be a good service provider and a bad recommender (or vice versa)53) Definitions for the Proposed SolutionA peer becomes an acquaintance of another peer after providing it a service (e.g., uploading a file)Using a service from a peer is called a service interactionAll peers are strangers to each other at the startA peer expands its set of acquaintances by using services from strangersA recommendation represents the acquaintance’s trust information about a strangerA peer requests recommendations about a stranger only from its acquaintancesReceiving a recommendation from an acquaintance is a recommendation interaction64) Trust Metrics (1)Reputation is the primary metric when deciding about strangers in the service contextRecommendations from acquaintances used to calculate reputation metricService trust is a metric to measure trustworthiness of a peer in the service contextA service provider is selected according to service trust and reputation metricService trust metric of a peer calculated based on its past service interactions and its reputation74) Trust Metrics (2)Recommendation trust is the primary metric to measure trustworthiness of a peer in the recommendation contextI.e., when selecting recommenders and evaluating recommendationsRecommendation trust metric of a peer calculated based on past recommendation interactions and its reputationAnalogously to service trust metric85) Trust-based Decisions (1)When making trust decisions, interactions and reputation are considered separately This helps when making a distinction between two trustworthy peersTrust decisions about a stranger are based on reputationTrust decisions about an acquaintance are based on its past interactions and reputationAs more interactions happen with an acquaintance, the experience derived through interactions becomes more important than its reputation95) Trust-based Decisions (2)Using available acquaintances by a peerIf no acquaintances - simply trust any stranger providing the requested serviceIf some acquaintances - calculate reputation of strangers based on recommendations of acquaintancesMay select one of the strangersMay choose not to entrust strangers if acquaintances can deliver the needed serviceAs more acquaintances become available – can become more selective106) Interaction Evaluation by PeersUsing all available information about interactions is helpful to calculate trust metrics more preciselyA peer should be able to express its level of satisfaction about an interactionConsidering several parametersE.g., online/offline periods, bandwidth, delay of the uploader in a file download operationService interactions might have varying importanceE.g., downloading a large file more important than downloading a small fileThe effect of an interaction on trust calculation fades as new interactions occur117) Recommendation Evaluation by PeersA recommendation makes a clear distinction between the recommender’s own experience and second-hand information collected from its acquaintancesThis distinction enables more precise calculation of reputationA recommendation contains the recommender’s level of confidence in the information providedIf the recommender has a low confidence, the recommendation is weakA weak recommendation’s effect on the calculated reputation value is less than a strong oneA recommending peer is no more liable than its confidence in its recommendationA recommendation from Peer 2 (the recommender) is evaluated by Peer 1 based on the value of recommendation trust metric that Peer 1 has for Peer 2128) Simulation ExperimentsA file sharing application was simulatedTo understand the proposed algorithms for mitigating attacks related to services and recommendationsThe results of several empirical studies are used to simulate peer, resource, and network parameters Some of the simulation parameters:Peer capabilities: bandwidth, number of shared filesPeer behavior: online/offline periods, waiting time for sessionsResource distribution: file sizes, popularity of filesConsidered attack scenarios: Individual, collaborative and pseudonym changing attacks scenariosSimulated nine different malicious behaviors138.1) Attacker Models for Simulation2 types of attacks:1) Service-based attack — uploading a virus infected or inauthentic file 2) Recommendation-based attack — giving misleading recommendationsTwo subtypes of misleading recommendations: Unfairly high recommendation: Giving a positively-biased trust value about the recommended peerUnfairly low recommendation: Giving a negatively-biased trust value about the recommended peerThree types of attackers:Individual attackersCollaboratorsPseudospoofers14a) Model of Individual AttackersIndividual attackers — perform attacks independently (does not cooperate with other attackers)Three individual attacker behaviors:Naïve attacker — always uploads infected/inauthentic files and gives unfairly low recommendations to othersDiscriminatory attacker — attacks a selected group of victimsAlways uploads infected/inauthentic files to them and gives unfairly low recommendations for themIt treats all other peers fairlyHypocritical attacker — uploads infected/inauthentic files and gives unfairly low recommendations with x% probability15b) Model of CollaboratorsCollaborators — malicious peers that coordinate attacks with other peersCollaborators never attack each otherAlways upload authentic files to each otherAlways give fair recommendations to other collaboratorsCollaborators always give unfairly high recommendations about each other to non-collaborating peersTry to convince good peers to download files from any one of the collaborators Three collaborator behaviors (analogous as for individual attackers)Naïve, Hypocritical, Discriminatory16c) Model of PseudospoofersPseudospoofer — a malicious peer which changes its pseudonym periodically to escape from being identifiedA pseudospoofer behaviors: Naïve / discriminatory / hypocriticalAnalogous to individual attacker behaviors178.2) Experimental ResultsIn a non-malicious network, reputation of a peer is proportional to its capabilities such as network bandwidth, average online period on the network and number of shared resourcesIn a malicious network, service and recommendation-based attacks affect reputation of a peer18a) Results for Individual Attackers All attacks of individual attackers are mitigated easilyHypocritical attacks take more time to detect than other individual attackers19b) Results for Collaborators (1)Detection of collaborators usually takes longer than detection of an individual attackerUnfairly high recommendations provides an advantage except naïve collaboratorsNaïve collaborators do not benefit from collaborationThey have zero reputation since they can not complete any service interactionHence they are not requested for any recommendationsCollaboration is partially successful in hypocritical and discriminatory behaviors20b) Results for Collaborators (2)Hypocritical collaborators succeeded to launch more service-based attacks at the start of experimentsAt the start, good peers do not have many acquaintances - collaborators deceive them easily by distributing unfairly high recommendations for each otherThen collaborators able to take advantage of unfairly heightened reputations to attract good peers for their “services” (= attacks)As good peers gain more good acquaintances, hypocritical collaborators are identified (and their attacks mitigated)21b) Results for Collaborators (3)Service-based attacks of discriminatory collaborators are mitigated easier than those of hypocritical onesVictims of discriminatory collaborators quickly identify themBut discriminatory collaborators gained a high recommendation trust value & were able to continue distributing misleading recommendationsCollaborators do not attack most good peersThus, good peers believe their recommendationsVictims give low recommendations for discriminatory collaboratorsHowever, good peers think that victims are giving misleading recommendations for discriminatory collaboratorsThus, discriminatory collaborators are able to continue distributing misleading recommendations22c) Results for PseudospoofersAttacks of pseudospoofers are as easily mitigated as those of individual attackersPeers gain more acquaintances and have less tendency to select strangers with timeThus, pseudospoofers are more isolated from good peers after each pseudonym changeExperimental results for Pseudospoofers 23d) Experim. Results – General RemarksDefining a context of trust increases a peer's ability to identify and mitigate attacks on the context-related tasksContext of trust can be used to increase a peer’s reasoning ability for different tasksSuch as routing, integrity checking and protecting privacy24THE END25