security mechanisms for distributed computing systems
DESCRIPTION
2011/12/15. Security Mechanisms for Distributed Computing Systems. A9ID1007, Xu Ling, Kobayashi Laboratory, GSIS, TOHOKU UNIVERSITY. Background. Distributed computing systems (DCSs). Definition: A system where nodes share their computing power with each other to finish certain goals
1
Security Mechanisms for Distributed Computing Systems
A9ID1007, Xu Ling
Kobayashi Laboratory
GSIS, TOHOKU UNIVERSITY
2011/12/15
2
Background
• Distributed computing systems (DCSs)
  – Definition: A system where nodes share their computing power with each other to finish certain goals
  – Example:
    • P2P systems (Skype)
    • volunteer computing systems (SETI@home)
    • Grid
    • Ad hoc systems
    • …
3
Background: Example DCS
Volunteer computing system
• Host nodes dispatch tasks to workers.
• Workers compute the tasks and return results to host nodes.
[Figure: two hosts dispatch the tasks 1*1=?, 1*2=?, 1+1=?, 1+2=? to four workers; the workers return 1*1=1, 1*2=2, 1+1=2, 1+2=3.]
5
Background: False Result Attack (1)
• False result attack: Malicious nodes deliberately send incorrect data to honest nodes
[Figure: two hosts dispatch the tasks 1*1=?, 1*2=?, 1+1=?, 1+2=? to honest and malicious workers; the returned results are 1*1=1, 1*2=100, 1+1=100, 1+2=3.]
6
Background: False Result Attack (2)
• False result attack (definition):
  – One host node and multiple workers.
  – The host dispatches tasks to workers. Workers compute tasks and return results to the host.
  – Malicious workers return incorrect results to the host.
[Figure: the host dispatches 1+1=? to three workers; two workers return 1+1=2 and the malicious worker returns 1+1=100.]
7
Background: Existing Solution to FRA
• Existing solutions: Enable the host to distinguish malicious workers
• Quiz-based solutions
  – The host dispatches multiple tasks to each worker v
  – These tasks contain some special tasks called quizzes
  – The host checks the correctness of the answers of quizzes
  – Node v is honest only if the answers of the quizzes returned by v are correct
• Problem:
  – A quiz should satisfy: the correctness of the answer of a quiz should be easy to check
  – Impractical: How to generate quizzes that satisfy this property is an open problem.
[Figure: the host sends v the tasks 1+1=?, 1+2=? and the quiz 11*11=?; v returns 1+1=3, 1+2=3 and 11*11=3 (quiz); the host knows 11*11=121, so v is malicious.]
8
Background: Sybil Attack
• Sybil attack (SA)
  – A few malicious users control many Sybil nodes (malicious nodes) to break the system protocol
  – Sybil nodes collude to break the system
[Figure: a malicious user controls several Sybil nodes, which return 1*1=100 and 1+1=100 to the hosts.]
Example: Sybil Attack to DHT (1)
• Routing via intermediate hops
• Result is authenticated
• Trade off table size versus routing hops
[Figure: node s routes a lookup {IDt} via intermediate hops to node t; the result is {IP addr}PKt.]
Example: Sybil Attack to DHT (2)
• Attacker creates many pseudonyms
• Disrupts routing or stabilization
• Douceur, 2002: “without a logically centralized authority, Sybil attacks are always possible”
[Figure: nodes s and t; lookup {IDt}.]
11
Background: Existing Solution to SA (1)
• Social network model based Sybil detecting (SSD)
  – Social network model:
    • Nodes of the same types are closely connected
    • # of attack edges is small
[Figure: an honest cluster and a Sybil cluster connected by attack edges.]
12
Background: Existing Solution to SA (2)
• Social network model based Sybil detecting (SSD)
  – Goal: For each honest node v, enable v to judge the types of other nodes
  – Assumption: The network topology of the DCS obeys SNM
  – Basic idea:
    • # of attack edges is small → communication between nodes of different types is weakened
    • It is easy for v to communicate with honest nodes
    • It is hard for v to communicate with Sybil nodes
    • v can judge the types of other nodes
13
Background: Existing Solution to SA (3)
• Social network model based Sybil detecting (SSD)
  – Example SSD algorithm: SybilLimit
    • Probing random walk (PRW): a message packet that moves in a random walk manner for a short distance
    • Probing random walks have a low escape rate
    • Each node disseminates a certain number of PRWs
    • For v, node u is honest iff the PRWs of v and u intersect
  – Problem: the distinguishing accuracy is low
    • Sybil accept rate: Pr(honest nodes accept Sybil nodes)
[Figure: nodes u and v with attack edges.]
14
Objective
• Problem
  – For FRA: existing solutions are impractical (Quiz)
  – For SA: distinguishing accuracy is low (SSD alg.)
• Objective: Design effective security mechanisms to resist FRA and SA on DCSs.
  – Design practical FRA resisting algorithms
    • Use no quiz
    • Pr(the host accurately distinguishes honest workers and malicious workers)
  – Design accurate SSD algorithms
15
Objective: Approaches
• Design practical FRA resisting algorithms
  • Replace quizzes with normal tasks
• Design accurate SSD algorithms
  • Idea: detect the attack edges
    – Detect the attack edges
    – Detect Sybil nodes
  • Design AED-based SSD algorithm for authorized DCSs
  • Design AED algorithm for unauthorized DCSs
[Figure: nodes u and v; caption "completely separate nodes of different types".]
16
• MSC: a Practical Spot Checking Mechanism for Resisting False Result Attack
  – Objective: enable the host to distinguish the types of workers without using quizzes.
  – Evaluation metric: reliability of workers
• SybilDetector: an Attack Edge Detecting Based Sybil Detecting Algorithm
  – Objective: enable each honest node to distinguish the types of other nodes
  – Evaluation metric: Sybil accept rate
• RSC: an Attack Edge Detecting Algorithm for Sybil Resisting
  – Objective: enable each honest node to judge whether a certain incident edge is an attack edge.
  – Evaluation metric: RWEBs of incident edges
17
Organization
1. Introduction
2. MSC: a Practical Spot Checking Mechanism for Resisting False Result Attack
3. SybilDetector: an Attack Edge Detecting Based Sybil Detecting Algorithm
4. RSC: an Attack Edge Detecting Algorithm for Sybil Resisting
5. Conclusion
[Figure: workers 1 to 4, where worker 4 is malicious; honest nodes and Sybil nodes, where v1 is honest and v2 is Sybil; edges e1 and e2 at node v, where e1 is not an AE and e2 is an AE.]
19
Introduction
• Background (review)
  – False result attack (FRA)
  – Quiz
    • Goal: enable the host to detect malicious workers
    • Idea:
      – Use quizzes to detect malicious workers
      – The host checks the correctness of the answers of quizzes
    • Problem: how to generate quizzes that satisfy this property is an open problem.
• Objective: Design an algorithm that enables the host to detect malicious workers without using quizzes
[Figure: the host sends v the tasks 1+1=?, 1+2=? and the quiz 11*11=?; v returns 1+1=3, 1+2=3 and 11*11=3 (quiz); the host knows 11*11=121, so v is malicious.]
20
Mutual Spot Checking: Idea
• Use quizzes to detect malicious workers → use checking tasks (normal tasks) to detect malicious workers
• The host checks the correctness of the answers of quizzes → workers check the correctness of the answers of checking tasks
21
Mutual Spot Checking: Algorithm
The host
• Dispatches a task set to each worker.
• For each pair of two workers, v and u, the task sets of v and u have some tasks in common (checking tasks)
• Increases the reliabilities of v and u if v and u return equal answers to their checking tasks (made a match).
Using checking tasks (normal tasks) to detect malicious workers
The workers check the correctness of the checking tasks
Malicious workers make more mismatches → have lower reliabilities → are detected
An example
22
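[Figure: the host gives Peer A the task set T1 (CT(c), t1, CT(a)), Peer B the task set T2 (CT(a), t2, CT(b)) and Peer C the task set T3 (CT(b), t3, CT(c)); shared checking tasks either match or mismatch, and the reliabilities of honest and malicious peers are updated.]
[Figure: "Reliability change of peers": reliability versus running time, showing the reliability gap.]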
23
Change of Performance as the Number of Malicious Workers Increases
[Figure: "Reliability - Pf (w=0.4, Pc=0.5)": reliability (y-axis, 0.00 to 1.20) versus Pf (x-axis, 0.40 to 0.98) for honest workers, conspirators and non-conspirators.]
• Number of malicious workers is small → honest workers have the highest reliabilities.
• Number of malicious workers is large → conspirators have the highest reliabilities.
Under collusion: MSC can detect malicious nodes when # of malicious nodes is small (50% of the system)
Pf: Percentage of malicious workers in the system
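The matching rule of MSC and the collusion result on this slide, as an added Python example that is not part of the original slides: a host runs one round of mutual spot checking and never checks an answer itself. The worker behaviours, the addition tasks and the lowest-reliability rule in least_reliable are assumptions made for the illustration.

```python
from itertools import combinations

def answer(worker, kind, task):
    """Answer returned for task (a, b), whose correct result is a + b."""
    a, b = task
    if kind == "honest":
        return a + b
    if kind == "conspirator":        # colluders agree on one wrong answer
        return a + b + 100
    return a + b + 1000 + worker     # non-conspirator: a wrong answer of its own

def msc_reliability(kinds):
    """Reliability of each worker after one round of mutual spot checking.

    kinds[i] is the behaviour of worker i. Every pair of workers shares one
    checking task; a match raises the reliability of both workers.
    """
    n = len(kinds)
    matches = [0] * n
    for task_id, (v, u) in enumerate(combinations(range(n), 2)):
        task = (task_id, task_id + 1)            # checking task common to v and u
        if answer(v, kinds[v], task) == answer(u, kinds[u], task):
            matches[v] += 1
            matches[u] += 1
    return [m / (n - 1) for m in matches]        # fraction of checks that matched

def least_reliable(kinds):
    """Workers the host would suspect: those with the lowest reliability."""
    rel = msc_reliability(kinds)
    return {i for i, r in enumerate(rel) if r == min(rel)}

if __name__ == "__main__":
    cases = {
        "no collusion":       ["honest"] * 3 + ["non-conspirator"] * 2,
        "colluding minority": ["honest"] * 4 + ["conspirator"] * 2,
        "colluding majority": ["honest"] * 2 + ["conspirator"] * 4,
    }
    for name, kinds in cases.items():
        print(name, msc_reliability(kinds), least_reliable(kinds))
```

In the third constructed case the conspirators outnumber the honest workers, match each other on every shared checking task, and the honest workers end up with the lowest reliability.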
24
Conclusion
• Objective: an algorithm that enables the host to detect malicious workers without quizzes
• MSC
  – Use normal tasks (checking task) to detect malicious workers
  – Let workers check the correctness of answers of quizzes
• Evaluation
  – No collusion: Can detect all malicious workers
  – Under colluding: Can detect all malicious workers when malicious workers are less than half of the system
Publication
Ling Xu, Hiroyuki Takizawa, and Hiroaki Kobayashi: “A Reliability Model for Result Checking in Volunteer Computing”, Proceedings of DAS-P2P 2008 Workshop, pp.201-204, 2008.
26
Introduction
• Background (review)
  – Sybil attack
  – SSD algorithms
• Objective: Enables each honest node to distinguish the types of other nodes
• Idea: the attack edges weaken the communication between nodes of different types
• Problem: Low distinguishing accuracy
  – Observation: detecting the attack edges plays an important role in designing accurate SSD algorithms
• Objective: an accurate AED-based SSD algorithm for authorized DCSs
[Figure: nodes u and v.]
27
SybilDetector: Idea
• Observation
  – For node v, node u is Sybil → (v,u)-SP will pass the attack edges
    (v,u)-SP: a shortest path between v and u
• Idea: For v to decide whether u is Sybil
  – Computes (v,u)-SPs
  – Detect the attack edges
  – Judge whether the (v,u)-SPs have passed the attack edges
[Figure: honest cluster and Sybil cluster, with nodes v and u.]
28
SybilDetector: Algorithm
• Computes (v,u)-SPs
  – Use existing distributed shortest path computing algorithms
• Detect the attack edges
  – Compute the shortest path betweenness (SPB) of each edge
    SPB of edge e: # of shortest paths that pass e
  – Attack edges have higher SPBs
  – e is an attack edge the SPB of e is high
• Judge whether the (v,u)-SPs have passed the attack edges
[Figure: a shortest path (sp) between v and u passing attack edge ae and edge e; b(ae) = 18, b(e) = 8.]
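An added example (not the authors' code) of the SPB computation and the shortest-path judgement described on this slide, run on a small constructed connected graph. The graph, the function names and the cutoff of twice the median SPB are assumptions; the slides do not say how "high" is decided.

```python
from collections import deque
from statistics import median

# Constructed sample: honest clique 0-3, Sybil clique 4-7, one attack edge (0, 4).
ADJ = {0: [1, 2, 3, 4], 1: [0, 2, 3], 2: [0, 1, 3], 3: [0, 1, 2],
       4: [0, 5, 6, 7], 5: [4, 6, 7], 6: [4, 5, 7], 7: [4, 5, 6]}

def bfs(adj, s):
    """Distance and number of shortest paths from s to every node."""
    dist, sigma = {s: 0}, {s: 1}
    queue = deque([s])
    while queue:
        x = queue.popleft()
        for y in adj[x]:
            if y not in dist:
                dist[y], sigma[y] = dist[x] + 1, 0
                queue.append(y)
            if dist[y] == dist[x] + 1:
                sigma[y] += sigma[x]
    return dist, sigma

def edge_spb(adj):
    """SPB of every edge: # of shortest paths, over all node pairs, that pass it."""
    info = {v: bfs(adj, v) for v in adj}
    edges = sorted({tuple(sorted((a, b))) for a in adj for b in adj[a]})
    spb = dict.fromkeys(edges, 0)
    nodes = sorted(adj)
    for i, s in enumerate(nodes):
        for t in nodes[i + 1:]:
            (ds, ss), (dt, st) = info[s], info[t]
            for a, b in edges:
                for x, y in ((a, b), (b, a)):      # edge walked in direction x -> y
                    if ds[x] + 1 + dt[y] == ds[t]:
                        spb[(a, b)] += ss[x] * st[y]
    return spb

def judge(adj, v, factor=2.0):
    """Return (edges v flags as attack edges, nodes v judges to be Sybil)."""
    spb = edge_spb(adj)
    cutoff = factor * median(spb.values())         # assumed rule for "SPB is high"
    flagged = {e for e, b in spb.items() if b > cutoff}
    dv = bfs(adj, v)[0]
    sybil = set()
    for u in adj:
        du = bfs(adj, u)[0]
        if any(dv[x] + 1 + du[y] == dv[u]
               for a, b in flagged for x, y in ((a, b), (b, a))):
            sybil.add(u)                           # a (v,u)-SP passes a flagged edge
    return flagged, sybil

if __name__ == "__main__":
    print(edge_spb(ADJ))
    print(judge(ADJ, v=2))
```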
29
Evaluation
• Performance metric
  • Sybil accept rate (sar): the probability that honest nodes regard Sybil nodes to be honest
• Objective
  • SybilDetector has better accuracy than previous SSD algorithms? → Compare the performance of SybilDetector with that of SybilLimit
  • How will the performance of SybilDetector be affected by g (# of attack edges) and snn (# of Sybil nodes)?
[Figure: honest cluster and Sybil cluster.]
30
Network Configuration
• Create the honest region: A real world network topology
• Create the Sybil region: synthetic network topologies
• Connect the two regions with attack edges
[Figure: honest cluster and Sybil cluster; label "Honest region".]

Type                                 Node number   Edge number
Real world social network topology   1,222         16,714
Synthetic random network             500           1,725
31
Change of SAR as the Number of Attack Edges in the System Increases
• SAR increases with g
  – The SPBs of attack edges decrease
  – Fewer Sybil nodes are detected
• SAR(SybilDetector) << SAR(SybilLimit)
  – 50x improvement
[Figure: "real1222rn500, SAR": sar(SybilLimit) and sar(SybilDetector) (y-axis, 0 to 1.2) versus g (x-axis, 12 to 256), annotated "10x decrease in SAR" and "50x decrease in SAR".]
32
Change of SAR as the Number of Sybil Nodes in the System Increases
• As snn increases, SAR of SD decreases
  – The SPBs of attack edges increase
  – More Sybil nodes are detected
• SAR(SybilDetector) << SAR(SybilLimit)
  – 4x~180x improvement
[Figure: "real1222g36, SAR": sar(SybilLimit) and sar(SybilDetector) (y-axis, 0 to 1.2) versus snn, annotated "180x decrease in SAR" and "4x decrease in SAR".]
33
Conclusion
• Sybil attack is a critical threat to decentralized DCSs
• Objective: enable each honest node to detect Sybil nodes
• Proposed SybilDetector, a Sybil resisting algorithm
  – Remarkably (4x~180x in the simulation) decreased sar, compared with the representative existing solution
Publication
Ling Xu, Satayapiwat Chainan, Hiroyuki Takizawa, Hiroaki Kobayashi, “Resisting Sybil Attack By Social Network and Network Clustering,” saint, pp.15-21, 2010 10th IEEE/IPSJ International Symposium on Applications and the Internet, 2010
35
Introduction: Background (1)
• Accuracy of SSD algorithms can be improved by detecting attack edges
• Definition
  – Edge betweenness metric (EBM): a metric that measures the extent to which an edge lies on paths between node pairs
    Example: shortest path edge betweenness (SPEB)
  – Detecting property: for an EBM, if the metric values of attack edges are notably higher than those of non-attack edges, this EBM satisfies the detecting property.
    Example: shortest path edge betweenness (SPEB)
• Design an AED algorithm
  – Design an EBM that satisfies the detecting property
  – Securely compute the metric values of edges in a distributed manner.
36
Introduction: Background (2)
• In authorized DCSs, SPB-AED can detect the attack edges
• Problem: an AED algorithm for unauthorized DCSs is needed
  – Need an EBM that
    • satisfies the detecting property
    • can be securely computed in a distributed manner
  – No such EBM is known
    • Only SPEB is known to satisfy the detecting property
• Objective: design an attack edge detecting algorithm for unauthorized DCSs
  – For each honest node v, v judges whether a certain incident edge is an attack edge
37
Approach
• For each honest node v, v judges whether a certain incident edge e is an attack edge
• Determine the detecting metric
• Computes the RWEB of each incident edge
• The probability that e is an attack edge is proportional to the RWEB of e
38
Related Work
• Random walk edge betweenness (RWEB)
  – Each pair of nodes disseminate an absorbing random walk (ARW) to each other
  – RWEB of edge e: RWEB of e is the PURE number of random walks that pass e
  – RWEB has some good properties, but whether RWEB is a detecting metric is unknown
[Figure: a (v,u)-SP and a (v,u)-ARW between v and u, and an edge e with RWEB(e) = 0.]
39
Determine Detecting Metric
• Conjecture: RWEB is a candidate detecting metric
  – RWEB may satisfy the detecting property
    • ARWs between nodes of different types must pass the attack edges
  – Computing RWEBs in unauthorized DCSs is possible
    • Sybil nodes have less influence on random walk paths than on shortest paths → It is easier to compute RWEBs than to compute SPEBs
[Figure: two panels, each showing nodes a, b, c and clusters C1 and C2.]
40
Compute RWEBs Securely: Basic RSC
• Basic RSC (for node v)
  – For each node u, disseminates one (v,u)-ARW
  – For each incident edge e, calculate RWEB(e) by counting the # of times that e is passed by ARWs
[Figure: a (v,u)-SP and a (v,u)-ARW between v and u.]
41
Compute RWEBs Securely: Resist Attacks
• Attacks to basic RSC: Sybil nodes can reduce the RWEBs of attack edges
  – Let ae=(v,u) be an attack edge. v is honest and u is Sybil.
  – On receiving an ARW, arw, from v, u simply relays arw back to v.
• Solution [Distance Limitation (DL)]: for each (s,t)-ARW, arw, s rejects t if arw has moved M steps
• Fact: under DL, Sybil nodes should not launch attacks
  – If t is Sybil, launching attacks makes t be rejected
  – If t is honest, launching attacks increases RWEBs of attack edges
• Fact: under DL, if s and t are honest, Pr(s rejects t) is low
  – M steps is sufficient for arw to reach t
[Figure: nodes s and t; nodes v and u exchanging message m; label "RWEB(e) 0".]
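An added example (not from the slides) of basic RSC with distance limitation at the honest node v = 0, with and without the relay attack. It assumes a small constructed graph in which v is the only honest endpoint of an attack edge, reads the "PURE number" of the RWEB definition as a net count (departures over an edge minus returns over it), and leaves rejected walks out of the RWEB; all names are illustrative.

```python
import random

# Constructed sample: honest clique 0-3, Sybil clique 4-7, one attack edge (0, 4).
ADJ = {0: [1, 2, 3, 4], 1: [0, 2, 3], 2: [0, 1, 3], 3: [0, 1, 2],
       4: [0, 5, 6, 7], 5: [4, 6, 7], 6: [4, 5, 7], 7: [4, 5, 6]}

def arw(adj, s, t, M, rng, relay_back=frozenset()):
    """Run one (s,t)-ARW for at most M steps.

    Returns (net, reached): net[n] is how many more times the walk left s over
    edge (s, n) than it came back over it; reached is False when the walk was
    still moving after M steps. Nodes in relay_back return every walk they
    receive to the node it came from (the relay attack on the slide).
    """
    net = dict.fromkeys(adj[s], 0)
    prev, cur = None, s
    for _ in range(M):
        nxt = prev if cur in relay_back else rng.choice(adj[cur])
        if cur == s:
            net[nxt] += 1
        if nxt == s:
            net[cur] -= 1
        prev, cur = cur, nxt
        if cur == t:                      # absorbed at the target
            return net, True
    return net, False

def rsc(adj, v, M, seed=1, relay_back=frozenset()):
    """Basic RSC at node v under distance limitation M.

    Returns (RWEB of each edge incident to v, targets that v rejects).
    """
    rng = random.Random(seed)
    rweb = dict.fromkeys(adj[v], 0)
    rejected = set()
    for t in adj:
        if t == v:
            continue
        net, reached = arw(adj, v, t, M, rng, relay_back)
        if not reached:
            rejected.add(t)               # DL: arw has moved M steps, v rejects t
            continue                      # assumption: a rejected walk is not counted
        for n, c in net.items():
            rweb[n] += c
    return rweb, rejected

if __name__ == "__main__":
    print(rsc(ADJ, v=0, M=100_000))                    # no attack
    print(rsc(ADJ, v=0, M=2_000, relay_back={4}))      # node 4 relays walks back
```

Without the attack, the net count on the attack edge (0, 4) equals the number of Sybil nodes; with node 4 relaying walks back, that count drops to 1 and v rejects the Sybil targets 5, 6 and 7.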
42
Evaluation
• Metric
  – Attack edge betweenness (aeb): Average RWEB of attack edges
  – Honest edge betweenness (heb): Average RWEB of honest edges
• Network
  – Create the honest region: A real world network topology
  – Create the Sybil region: synthetic network topologies
  – Connect the two regions with attack edges
[Figure: honest cluster and Sybil cluster; label "Honest region".]

Type                                 Node number   Edge number
Real world social network topology   1222          16714
Synthetic random network             500           1725
43
• RSC is able to detect the attack edges
[Figure: "real1222rn500, edge betweenness": heb and aeb (y-axis, 0 to 0.9) versus g (x-axis, 12 to 452).]
44
Application of RSC
• Example: use RSC to construct accurate SSD algorithms
• SOHL (An existing SSD algorithm for unauthorized DCSs)
  – Use probing random walks (PRWs) as constructing component
    • A PRW: a message packet that moves in a random walk manner for a short distance
    • PRWs have a low escape rate
  – Algorithm: each node v
    • disseminates a large number of PRWs
    • regards the ending nodes of the PRWs as honest nodes
    • regards other nodes as Sybil nodes
  – Performance of SOHL is proportional to the escape rate of probing random walks
[Figure: nodes u and v with attack edges.]
45
Application of RSC (continued)
• Example: use RSC to construct accurate SSD algorithms for unauthorized DCSs
• Idea
  – Reduce the escape rate of probing random walks: Reduce the probability that probing random walks pass the edges of high betweenness
  – Call the new algorithm RSSR
[Figure: nodes u and v with attack edges.]
46
Performance Comparison: SOHL & RSSR
• As g increases, SAR increases
  – Average btns of attack edges decreases
  – Escape rate increases
  – Accept more Sybil nodes
• SAR(RSSR) << SAR(SOHL)
  – Attack edges can be effectively detected
[Figure: "real1222rn500, SAR": sar(sohl) and sar(rssr) (y-axis, 0 to 1) versus g (x-axis, 12 to 452), annotated "3x decrease in SAR" and "28x decrease in SAR"; honest cluster and Sybil cluster.]
47
Conclusion
• Problem: there is no attack edge detecting algorithm for unauthorized DCSs
• Contribution:
  – RSC, an attack edge detecting algorithm for unauthorized DCSs
    • Use RWEB to detect attack edges
    • Securely compute RWEBs of edges in a distributed manner
  – Provides an example to show how RSC can be used to construct accurate unauthorized SSD algorithms
49
Conclusion
• FRA and SA are security threats to DCSs
  – Existing solutions to FRA (Quiz) are impractical
  – Existing solutions to SA (SSD) are not accurate
• Objective: design more effective mechanisms to resist FRA and SA
• Contributions
  – Designed MSC: practical algorithms that enable the host to detect malicious workers
  – Designed SybilDetector: accurate SSD algorithm for authorized DCSs
  – Designed RSC: attack edge detecting algorithm, which can be used to construct accurate SSD algorithms for unauthorized DCSs
  – Validated the power of attack edge detecting