Hiding the Rumor Source in Anonymous Messagingswoh.web.engr.illinois.edu/slide_itw2015.pdf ·...

Hiding the Rumor Source in Anonymous MessagingSewoong Oh University of Illinois at Urbana-Champaign

Giulia Fanti P. ViswanathPeter Kairouz K. Ramchandran

Anonymous Social Media provide meta-data privacy

Existing anonymous messaging apps

10 m

iles

Threat is real

Anonymous messaging meets social filtering

Diffusion of rumor/contagion

Social network/contact network


message author

can we locate the message author?

Rumor source detection

1T =

5T = 4T = 4T =

3T =

6T =

6T =

TimingSnapshot

meta-datatime from to control10:12 Alice Spy1 101101

10:25 Bob Spy2 10100111:01 Mary Spy3 100100

Snapshot-based adversary

16

Snapshot reveals the source

▪ message author is likely to be in the “center”

Rumor Centrality [Shah, Zaman ’11]

low likelihood

high likelihood

Similar performance using Jordan centrality [Zhu, Ying ’13]

Our Goal (on infinite regular trees)

P(Detection) =

1

NT

Adaptive Diffusion

Diffusion

logNT

logP(detection)

Setting

▪ Contact network is infinite, regular, tree▪ Adversary has the contact network and the snapshot▪ Protocol is allowed to infect any 1-hop neighbors at each time

Line graph

Line graph: diffusion


p p


▪ equivalent to two independent random walks

Adversary with snapshot

nodes with the message


Maximum likelihood detection

Likelihoods

Line graph: adaptive diffusion

-1-2 0 1 2


each neighbor is infected w.p. 1/2

-1-2 0 1 2


Node 1 receives message at T = 1

-1-2 0 1 2


-1-2 0 1 2

pinfect =h+ 1

T + 1

▪ Adaptive diffusion prescribes to pass at adaptive rate


▪ node 2 receives the message

-1-2 0 1 2


-1-2 0 1 2

pinfect =h+ 1

T + 1


▪ equivalent to Polya’s urn process▪ adaptive and asymmetric: Nodes that are infected earlier,

spread faster

-1-2 0 1 2

Given snapshot


Maximum likelihood detection

Likelihoods

diffusion

adaptive diffusion

probability of detection ⇠ 1

N

▪ [Shah & Zaman ’11]

Probability of detection using Rumor Centrality

number of nodes with the message

spread with fixed probability p

Probability of detection using Jordan centrality

number of nodes with the message

spread with probability

p(h, t) =h+ 1

t+ 1

Analytical bound

▪ Strategy: ▪ Design the infection to be a symmetric ball of depth T/2 ▪ Such that the source is equally likely to be any node at

any given time T

T = 4

Virtual source

▪ initially, the author is also the virtual source▪ and randomly selects a neighbor to be next virtual source

T = 0

T = 2

▪ at T=2, the virtual source passes the message to all its neighbors

keeping the virtual source token passing the virtual source token

▪ at T=2, the protocol has two options

T = 2

keeping the virtual source token passing the virtual source token

with probability ↵d,T,h with probability 1� ↵d,T,h

49

Passing the virtual source token

T = 2

50

T = 3


51


T = 4h = 2

Keeping the virtual source token

T = 2


T = 3

54


T = 4h = 1

Adversary with snapshot

can the adversary locate the message author?

Maximum likelihood estimation

low likelihood

high likelihood

▪ If virtual source is kept with prob.

▪ nodes that receive message faster, spread faster

↵d,T,h =(d� 1)

T2 +1�h � 1

(d� 1)T2 +1 � 1

57

Theorem. [Fanti, Kairouz, Oh, Viswanath 2015]

On an infinite d-regular tree, 1. adaptive diffusion spreads fast,

2. achieves almost perfect obfuscation

3. The expected distance between the estimated and the true source is T/2

P(Detection) =

1

NT � 1

NT ' (d� 1)T/2

Maximum likelihood estimation

58

v⇤

T = 0 dv =

⇢3 w.p. 0.55 w.p. 0.5

GT

What if the tree is irregular?

59

v⇤

T = 1 dv =

⇢3 w.p. 0.55 w.p. 0.5

GT

60

v⇤

T = 2 dv =

⇢3 w.p. 0.55 w.p. 0.5

GT

61

v⇤

T = 3 dv =

⇢3 w.p. 0.55 w.p. 0.5

GT

62

v⇤

T = 4 dv =

⇢3 w.p. 0.55 w.p. 0.5

GT

63

T = 4 dv =

⇢3 w.p. 0.55 w.p. 0.5

GT

v̂ML = arg max

v2@GT

1

dvsY

w2�(vs,v)\{vs,v}

(dw � 1)

| {z }F (GT )

64

T = 4 dv =

⇢3 w.p. 0.55 w.p. 0.5

GT

v̂ML = arg max

v2@GT

1

dvsY

w2�(vs,v)\{vs,v}

(dw � 1)

| {z }F (GT )

F (GT ) =1

5⇥ 2

65

Does adaptive diffusion still achieve perfect obfuscation?

100 101 102 10310−3

10−2

10−1

Number of Infected Nodes (N)

Prob

abilit

y of

Det

ectio

n (P

D)

(3,5)=>(0.5,0.5), do=5(3,6)=>(0.5,0.5), do=6(3,7)=>(0.5,0.5), do=7(3,10)=>(0.5,0.5), do=101/N

dv =

⇢3 w.p. 0.55 w.p. 0.5

dv =

⇢3 w.p. 0.510 w.p. 0.5

66

▪Probability of detection:

P(v̂ML = v⇤) =X

GT

P(GT )P(v̂ML = v⇤|GT )| {z }F (GT )

= E(F (GT ))

F (GT ) = max

v2@GT

1

dvsY

w2�(vs,v)\{vs,v}

(dw � 1)

Galton-Watson tree GT

67

If dv

=

(dmin w.p. pmin

.

.

.

.

.

.

, and (dmin � 1)pmin � 1, then

P(v̂ML = v⇤) = EGT

"max

v2@GT

1

dvs

Y

w2�(vs,v)\{vs,v}

(dw

� 1)

#

= (dmin � 1)

�T+o(T )

100 101 102 10310−3

10−2

10−1

Number of Infected Nodes (N)

Prob

abilit

y of

Det

ectio

n (P

D)

(3,5)=>(0.5,0.5), do=5(3,6)=>(0.5,0.5), do=6(3,7)=>(0.5,0.5), do=7(3,10)=>(0.5,0.5), do=101/N

dv =

⇢3 w.p. 0.55 w.p. 0.5

dv =

⇢3 w.p. 0.510 w.p. 0.5

Corollary

68

Proof idea for

dv =

⇢3 w.p. 0.55 w.p. 0.5

dv =

⇢3 w.p. 0.51 w.p. 0.5

X

X

minv2@GT

Y

w2�(vs,v)\{vs,v}

(dw

� 1) = (dmin � 1)T+o(T )

Messaging App: Wildfire

Alice

anonymous, distributed, secure implementation

Bob

Mary

Alice Faith Saul

Alice Faith Mike Saul

Bob Carol Mary

Wildfire empowers devices by removing central service providersIt also has stronger anonymity properties than Secret, Whisper, and Yik Yak.

Like

Wildfire empowers devices by removing central service providers

It also has stronger anonymity properties than Secret, Whisper, and Yik Yak.

Wildfire empowers devices by removing central service providers

It also has stronger anonymity properties than Secret, Whisper, and Yik Yak.

Like

Like

Hiding the Rumor Source in Anonymous Messagingswoh.web.engr.illinois.edu/slide_itw2015.pdf ·...

Documents

Transcript of Hiding the Rumor Source in Anonymous Messagingswoh.web.engr.illinois.edu/slide_itw2015.pdf ·...