sybillimit: a near-optimal social network defense against sybil attacks
DESCRIPTION
SybilLimit: A Near-Optimal Social Network Defense Against Sybil Attacks. Haifeng Yu National University of Singapore Phillip B. Gibbons Intel Research Pittsburgh Michael Kaminsky Intel Research Pittsburgh Feng Xiao National University of Singapore. launch sybil attack. - PowerPoint PPT PresentationTRANSCRIPT
SybilLimit: A Near-Optimal Social SybilLimit: A Near-Optimal Social Network Defense Against Sybil AttacksNetwork Defense Against Sybil Attacks
Haifeng Yu National University of Singapore
Phillip B. Gibbons Intel Research Pittsburgh
Michael Kaminsky Intel Research Pittsburgh
Feng Xiao National University of Singapore
Haifeng Yu, National University of Singapore 2
Background: Sybil AttackBackground: Sybil Attack Sybil attack: Single user
pretends many fake/sybil identities Already observed in real-world
p2p systems
Sybil identities can become a large fraction of all identities “Out-vote” honest users in
collaborative tasks
launchsybilattack
honest
malicious
Haifeng Yu, National University of Singapore 3
Background: Defending Against Sybil AttackBackground: Defending Against Sybil Attack Using trusted central authority to tie identities to
human beings – not always desirable
Much harder without a trusted central authority [Douceur’02] Resource challenges not sufficient IP address-based approach not sufficient
Widely considered as real & challenging: Over 40 papers acknowledging the problem of sybil
attack, without having a distributed solution
Haifeng Yu, National University of Singapore 4
SybilGuard / SybilLimit Basic Insight: SybilGuard / SybilLimit Basic Insight: Leveraging Social NetworksLeveraging Social Networks
Nodes = identities Undirected edges = strong
mutual trust E.g., colleagues, relatives in
real-world Not online friends !
SybilGuard [SIGCOMM’06] / SybilLimit [Oakland’08]:The first to leverage social networks for thwarting sybil attacks with provable guarantees.
Haifeng Yu, National University of Singapore 5
Attack ModelAttack Model
malicioususers
honestnodes
Observation: Adversary cannot create extra edges between honest nodes and sybil nodes
attack edges
n honest users: One identity/node each Malicious users: Multiple identities each (sybil nodes)
sybil nodes
sybil nodes may collude – the adversary
Haifeng Yu, National University of Singapore 6
SybilGuard/SybilLimit Basic InsightSybilGuard/SybilLimit Basic Insight
honest nodes sybil nodes
Dis-proportionally small cut disconnecting a large number of identities
But cannot search brute-force…attack
edges
Haifeng Yu, National University of Singapore 7
SybilGuard / SybilLimit End GuaranteesSybilGuard / SybilLimit End Guarantees Completely decentralized Enables any given verifier node to decide
whether to accept any given suspect node Accept: Provide service to / receive service from Ideally: Accept and only accept honest nodes –
unfortunately not possible
SybilGuard / SybilLimit provably Bound # of accepted sybil nodes (w.h.p.) Accept all honest nodes except a small fraction
(w.h.p.)
Haifeng Yu, National University of Singapore 8
Example Application ScenariosExample Application Scenarios
If # of sybil nodes accepted
Then applications can do
< n/2 byzantine consensus
< n majority voting
< n/c for some constant c secure DHT [Awerbuch’06, Castro’02,
Fiat’05]
… …
Haifeng Yu, National University of Singapore 9
total number of attack edges
SybilGuard [SIGCOMM’06]
SybilLimit [Oakland’08]
nnOg log/ )log( nn )(log n
)(log nunbounded
# sybil nodes accepted (smaller is better) per attack edge
nn log/
nnO log/
g between
and
g
~2000 ~10
~10
SybilLimit Contribution 1: “Pushing the Limit” SybilLimit Contribution 1: “Pushing the Limit”
We also prove that SybilLimit is away from optimal)(log nO
Haifeng Yu, National University of Singapore 10
OutlineOutline
Motivation, basic insight, and end guarantees
SybilLimit Contribution 1: “Pushing the Limit” The near-optimal SybilLimit design
SybilLimit Contribution 2: Validation on Real-World Social Networks
Haifeng Yu, National University of Singapore 11
Identity Registration in SybilLimitIdentity Registration in SybilLimit Each node (honest or sybil) has a locally
generated public/private key pair “Identity”: V accepts S = V accepts S’s public key KS
We do not assume/need PKI
In SybilLimit, every suspect S “registers” KS on some other nodes
Haifeng Yu, National University of Singapore 12
SybilLimit: Strawman Design – Step 1SybilLimit: Strawman Design – Step 1
Ensure that sybil nodes (collectively) register only on limited number of honest nodes Still provide enough
“registration opportunities” for honest nodes
sybil regionhonest region
K: registered keys of sybil nodes
K K
K
KK
K
K K
K
K
K
K
K
KK K
K: registered keys of honest nodes
Haifeng Yu, National University of Singapore 13
SybilLimit: Strawman Design – Step 2SybilLimit: Strawman Design – Step 2
Accept S only if KS is register on sufficiently many honest nodes Without knowing where
the honest region is !
Circular design? We can break this circle…
K K
K
KK
K
K K
K
K
K
K
K
KK K
sybil regionhonest region
K: registered keys of sybil nodesK: registered keys of honest nodes
Haifeng Yu, National University of Singapore 14
Three Interrelated Key TechniquesThree Interrelated Key Techniques Technique 1: Use the tails of random routes
for registration Will achieve Step 1 Random routes are from SybilGuard Novelty: The use of tails Novelty: The use of multiple independent instances
of shorter random routes
Haifeng Yu, National University of Singapore 15
Three Interrelated Key TechniquesThree Interrelated Key Techniques Technique 2: Use intersection condition and
balance condition to verify suspects Will break the circular design and achieve Step 2 SybilGuard also has intersection condition Novelty: Intersection on edges Novelty: SybilGuard has no balance condition
Technique 3: Use benchmarking technique to estimate unknown parameters Breaks another seemingly circular design… Novelty: SybilGuard has no such technique
Haifeng Yu, National University of Singapore 16
Three Interrelated Key TechniquesThree Interrelated Key Techniques Technique 1: Use the tails of random routes
for registration Will achieve Step 1 Random routes are from SybilGuard Novelty: The use of tails Novelty: The use of multiple independent instances
of shorter random routes
Haifeng Yu, National University of Singapore 17
Random 1 to 1 mapping between incoming edge and outgoing edge
Random Route: ConvergenceRandom Route: Convergence
a db ac bd c
d ee df f
a
b
c
d e
f
randomized routing table
Using routing table gives Convergence Property: Routes merge if crossing the same edge
Haifeng Yu, National University of Singapore 18
Registering Public Keys with TailsRegistering Public Keys with Tails Every node initiates a “secure” random route of length w from itself
See paper for discussion on w See paper for how to make it “secure”
A B C D
edge “CD” is the tail of A’s random routew = 3
D records KA under name “CD”
Haifeng Yu, National University of Singapore 19
Tails of Sybil SuspectsTails of Sybil Suspects Imagine that every sybil suspect initiates a
random route from itself
total 1 tainted tail
honestnodes
sybilnodes
tainted tail
Haifeng Yu, National University of Singapore 20
Counting The Number of Tainted TailsCounting The Number of Tainted Tails
Claim: There are at most w tainted tails per attack edge Convergence: At most w tainted tails per attack edge Regardless of whether sybil nodes follow the protocol
honestnodes
sybilnodes
attack edge
Haifeng Yu, National University of Singapore 21
Back to the Strawman Design Step 1Back to the Strawman Design Step 1 # of K ’s gw
Independent of # sybil nodes
# of K ’s n – gw From “backtrace-ability”
property of random routes
See paper…honest region
K
K
K
K
K
K
KStep 1 achieved !
K: registered keys of sybil nodesK: registered keys of honest nodes
Haifeng Yu, National University of Singapore 22
OutlineOutline SybilLimit Contribution 1: “Pushing the Limit”
Independent instances, intersection condition, balance condition, benchmarking technique
Avoids multiple seemingly circular designs (hardest part…)
Also see paper for Performance overheads… Near-optimality …
SybilLimit Contribution 2: Validation on Real-World Social Networks
Haifeng Yu, National University of Singapore 23
Validation on Real-World Social NetworksValidation on Real-World Social Networks
SybilGuard / SybilLimit assumption: Honest nodes are not behind disproportionally small cuts Rigorously: Social networks (without sybil nodes) have
small mixing time Mixing time affects # sybil nodes accepted and #
honest nodes accepted Synthetic social networks – proof in [SIGCOMM’06]
Real-world social networks? Social communities, social groups, ….
Haifeng Yu, National University of Singapore 24
Simulation SetupSimulation Setup
We experiment with: Different number and placement of attack edges Different graph sizes -- full size to 100-node sub-graphs
Sybil attackers use the optimal strategy
# nodes # edges
Friendster 0.9M 7.8M
Livejournal 0.9M 8.7M
DBLP 0.1M 0.6M
Crawled online social networks used in experiments
Haifeng Yu, National University of Singapore 25
Brief Summary of Simulation ResultsBrief Summary of Simulation Results In all cases we experimented with:
Fraction of honest nodes accepted: ~95%
# sybil nodes accepted: ~10 per attack edge for Friendster and LiveJournal ~15 per attack edge for DBLP
Haifeng Yu, National University of Singapore 26
ConclusionsConclusions
Sybil attack: Widely considered as a real and challenging problem
SybilLimit: Fully decentralized defense protocol based on social networks Provable near-optimal guarantees Experimental validation on real-world social networks
Future work: Implement SybilLimit with real apps