1
Security Mechanisms for Distributed Computing Systems
A9ID1007, Xu LingKobayashi Laboratory
GSIS, TOHOKU UNIVERSITY
2011/12/15
2
Chapter 1
Introduction
3
Distributed Computing System
• Distributed computing systems (DCSs): A system where nodes cooperate with each other to finish certain goals
• Example: volunteer computing system
4
Volunteer Computing System
• Utilizes the idling computing resources on the network to finish computing intensive tasks
worker 1 worker 2 worker 3 worker 4
host
Task 1 Task 2 Task 3 Task 4Result 1 Result 2 Result 3 Result 4
The structure of a typical volunteer computing system
Task 1Task 2
Task n
5
Classification of DCSs• Centralized DCSs:
– Feature: • has some central servers to manage the system• easy to manage
– Example: Volunteer computing system
• Decentralized DCSs: – Features:
• has no central server; all nodes take the same responsibility to maintain the system
• High scalability– Example: Peer to peer system (Skype, bitTorrent)
6
Security Problems in DCSs• In a DCS, malicious nodes may exist and will launch
attacks against the system
• Two representative attacks against DCSs– False result attack (for both centralized and decentralized DCSs)
• Malicious nodes send incorrect data to other nodes deliberately to interrupt the system
– Sybil attack (mainly in decentralized DCSs)• In decentralized DCSs, it is easy for malicious nodes to join the system• A large number of malicious nodes collude to break the system
protocol• Malicious nodes are called Sybil nodes in this attack
7
Research Objective
• Address the critical security problems of DCSs– False result attack– Sybil attack
• Approach– For false result attack: enable honest nodes to detect
malicious nodes honest nodes can expel malicious nodes out of the system
– For Sybil attack: enable honest nodes to detect Sybil nodes Honest nodes can expel Sybil nodes out of the system
8
Dissertation Organization• Chapter 1 Introduction
• Chapter 2 MSC: A False Result Resisting Algorithm
• Chapter 3 SybilDetector: A Shortest Path and Attack Edge Detecting Based Sybil Detecting Algorithm
• Chapter 4 RSSR: A Random Walk and Attack Edge Detecting Based Sybil Detecting Algorithm
• Chapter 5 Conclusion
The Sybil attack
The false result attack
Advantage
SybilDetector Higher efficiency
RSSR No need of trustful third party
9
Chapter 2
MSC: A False Result Resisting Algorithm
10
Introduction
• Computing model of DCSs– The system has a host node and multiple worker nodes– The host dispatches tasks to workers– Workers compute the received tasks and return answers to
the host• Problem
– Malicious workers may return incorrect answers to the host– Malicious workers can collude (cooperate to find the best
strategy) to break the system protocol• Objective: enable the host to detect malicious workers
11
Existing Solution
• Quiz-Based Spot Checking– The host dispatches multiple tasks to each worker v– These tasks contains some special tasks called quizzes– The host checks the correctness of the answers of quizzes
Node v is honest only if the answers of the quizzes return by v are correct
– Problem: • A Quiz should satisfy: the correctness of the answer of a
quiz should be easy to check• How to generate quizzes that satisfy this property is an
open problem.
12
Address the Problems of Existing Solutions
• Quiz-Based Spot Checking– Dispatches a task set to
each worker v
– The task set contains some special tasks called quizzes
– Checks the correctness of the answers of quizzes
Let workers themselves to check the correctness of the quizzes
Use normal tasks as quizzes
13
Algorithm OutlineThe host• Dispatches a task set to each
worker. • For each pair of two workers, v and
u, the task sets of v and u have some tasks in common (checking tasks)
• Increases the reliabilities of v and u if v and u return equal answers to their checking tasks (made a match).
Let workers themselves to check the correctness of the quizzes
Use normal tasks as quizzes (checking tasks)
Malicious workers make more mismatches have lower reliabilities be detected
14
Analysis
• More practical than Quiz-based spot checking– No need to generate the quizzes
• Effective: – Without collusion : Can detect all malicious workers– Under colluding: Can detect all malicious workers when
malicious workers are less than half of the system
15
Evaluation
• Performance metric– average reliability of honest nodes – average reliability of malicious nodes
• Questions to answers– How will the performance changes as the number
malicious workers increases?
16
Strategy of Workers
• Honest worker– always return correct answer
• Malicious non-conspirator– compute w% of the tasks it received
• Malicious conspirator– Two conspirators can find and compute their
common checking tasks
17
Change of Performance as the Number of Malicious Workers Increases
0. 00
0. 20
0. 40
0. 60
0. 80
1. 00
1. 20
0.40 0.45 0.50 0.55 0.60 0.63 0.68 0.73 0.78 0.83 0.88 0.93 0.98
Rel
iabi
lity
Pf
Reliability - Pf (w=0.4, Pc=0.5)
Honest Conspirator Non-Conspirator
• Number of malicious workers is small honest workers have highest reliabilities.
• Number of malicious worker is large conspirators have the highest reliabilities.
Under collusion: MSC can detect malicious nodes when # of malicious nodes is small (50% of the system)
Pf: Percentage of malicious workers in the system
18
Conclusion
• Objective: design an algorithm to detect malicious workers for the false result attack
• MSC, a malicious worker detecting algorithm– More practical than previous solution– Effective:
• Without collusion : Can detect all malicious workers• Under colluding: Can detect all malicious workers when malicious
workers are less than half of the system
PublicationLing Xu, Hirouyki Takizawa, and Hiroaki Kobayashi: “A Reliability Model for Result Checking in Volunteer Computing”, Proceedings of DAS-P2P 2008 Workshop, pp.201-204, 2008.
19
Chapter 3
SybilDetector: A Shortest Path and Edge Detecting Based Sybil Detecting Algorithm
20
Introduction
• Problem: Sybil attack is a critical threat to DCSs– A large number of malicious nodes exist in the system, and
collude to interrupt the system– Collude nodes are called Sybil nodes
• Objective: a Sybil detecting algorithm – Enables each honest node to detect other Sybil nodes
21
Related Work
• Social network model[Yu2008]
– nodes of the same types are closely connected– nodes of different types are connected by a small number of
attack edges
• Example[Danezis05]: in many P2P systems– To join the system, the new node has to attach to an existing node– Sybil node can only attach to existing Sybil nodesThe number of attack edges is small
Honest cluster Sybil cluster
Attack edges
22
Assumption• The system obeys the social network model• The system has trustful third parties
23
SybilDetector
• Observation– For node v, node u is Sybil (v,u)-SP will pass the attack edges
(v,u)-SP: a shortest path between the v and u
• Idea: For v to decide whether u is Sybil– Computes (v,u)-SPs – Detect the attack edges– Judge whether the (v,u)-SPs have passed the attack edges
Honest cluster Sybil cluster
vu
24
Algorithm: For v to decide whether u is Sybil
• Computes (v,u)-SPs – Use existing distributed
shortest path computing algorithms
• Detect the attack edges– Compute the shortest path betweenness of each edge
SPB of edge e: # of shortest paths that pass e– Attack edges have higher SPBs
• (v,u)-SPs have passed edges of high betweennesses u is Sybil
v uaee
b(ae) = 18
b(e) = 8
sp
25
Evaluation• Compare the performances of SybilDetector and SybilLimit
• SybilLimit: a representative Sybil detecting algorithm• Performance metric
• Sybil accept rate (sar): the probability that honest node regard Sybil nodes to be honest
• Questions to answer: • What is the influence of the number of attack edges in the
system?• What is the influence of the number of Sybil nodes in the
system?
Honest cluster Sybil cluster
26
Network Configuration
• Create the honest region: A real world network topology
• Create the Sybil region: synthetic network topologies• Connect the two regions with attack edges
Honest cluster Sybil cluster
Type Node number
Edge number
Real world social network topology
1222 16714
Synthetic random network
500 1725
Honest region
Change of SAR as the Number of Attack Edges in the System Increases
• SAR increases with g– The btns of attack edges decrease– Less Sybil are detected
• SAR(SybilDetector)<<SAR(SybilLimit)– 50x improvement
10x decrease in SAR
0
0.2
0.4
0.6
0.8
1
1.2
12 36 61 85 109134158183207232256g
real1222rn500, SAR
sar(SybilLimit)
sar(SybilDetector)
50x decrease in SAR
27
28
Change of SAR as the Number of Sybil Nodes in the System Increases
• As snn increases, SAR of SD decreases– The btns of attack edges increase– More Sybil node detected
• SAR(SybilDetector)<<SAR(SybilLimit)– 4x~180x improvement
0
0.2
0.4
0.6
0.8
1
1.2
snn
real1222g36, SAR
sar(SybilLimit)
sar(SybilDetector)
180 x decreases in SAR
4 x decreases in SAR
29
Conclusion
• Sybil attack is a critical threat to decentralized DCSs• Objective: enable each honest node to detect Sybil
nodes• Proposed SybilDetector, a Sybil resisting algorithm
– Made great (4x~180x in the simulation) increase in the Sybil detecting accuracy, compared with the representative existing solution
PublicationLing Xu, Satayapiwat Chainan, Hiroyuki Takizawa, Hiroaki Kobayashi, ”Resisting Sybil Attack By Social Network and Network Clustering,” saint, pp.15-21, 2010 10th IEEE/IPSJ International Symposium on Applications and the Internet, 2010
30
Chapter 4
RSSR: A Random Walk and Attack Edge Detecting Based Sybil Detecting Algorithm
31
Introduction
• SybilDetector– An effective Sybil detecting algorithm – Problem: needs trustful third parties (to compute
shortest paths)unpractical in some DCSs (e.g., P2P systems)
• Objective: A Sybil detecting algorithm– Remove the need of trustful 3rd partydo not use shortest path use random walk instead
32
Existing Sybil Detecting Algorithm: SOHL
• Probing random walk: a message packet that moves in a random walk manner for a short distance– Has a low escape rate– Ends at a random honest node w.h.p
• SOHL: each honest node v – Disseminates a large number of probing random walks– Ending nodes of the random walks honest nodes w.h.p– Other nodes Sybil nodes w.h.p
vu Number of attack
edges is smallescape rate is low
33
Idea
• Improve the performance of SOHL– Detect the attack edges – Prevent probing random walks from passing the
detected edges
vu Number of attack
edge is smallescape rate is low
34
RSSR• Detect attack edges
– Compute the Random walk betweenness • Each pair of nodes disseminate a random walk
to each other.• RWB of e: the number of times random walk
messages passing e– Attack edges have higher RWB’s
• Prevent probing random walks from passing the detected edges– Reduce the probability that probing
random walks passing the edges of high betweennesses
Do not compute shortest path betweenness
No need of trustful 3rd party any more
35
Evaluation• Compare the performance of SOHL and RSSR• Performance metric
• Sybil accept rate: the probability that Sybil nodes are regarded honest nodes.
• Questions to answer: • What is the influence of number of attack edges in
the system on the performance?
Honest cluster Sybil cluster
36
Network Configuration• Create the honest region: A real world network topology• Create the Sybil region: synthetic network topologies• Connect the two regions with attack edges
Honest cluster Sybil cluster
Type Node number
Edge number
Real world social network topology
1222 16714
Synthetic random network
500 1725
Honest region
37
Change of Sybil Accept Rate as the Number of Attack Edges Increases
• As g increases, SAR increases– Average btns of attack edges decreases– Escape rate increases– Accept more Sybil nodes
• SAR(RSSR) << SAR(SOHL)– Attack edges can be effectively detected
00.10.20.30.40.50.60.70.80.9
1
12 36 61 85 109
134
158
183
207
232
256
281
305
329
354
378
403
427
452
g
real1222rn500, SAR
sar(sohl)
sar(rssr)
3x decreases in SAR28x decrease in SAR
Honest cluster Sybil cluster
38
Conclusion
• Objective: a Sybil detecting algorithm without trustful 3rd parties
• Proposed RSSR, a Sybil detecting algorithm– Practical: no need of trustful third party
• Shortest path (SybilDetector) Random Walk (RSSR)– Effective: increased the Sybil detecting accuracy of a
representative existing solution by 3~28 timesPublicationLing Xu, Ryusuke EGAWA, Hiroyuki TAKIZAWA, Hiroaki KOBAYASHI, “A Network Clustering Algorithm for Sybil-Attack Resisting”, IEICE Transactions, special section, Parallel and Distributed Computing and Networking
39
Chapter 5
Conclusion
40
Conclusion
• Objective: address critical security threats to DCSs– False result attack– Sybil attack
• Approach– Detect malicious workers False result attack
• MSC (Chapter 2)– Detect Sybil nodes Sybil attack
• SybilDetector (Chapter 3)• RSSR (Chapter 4)
41
Future Work
• Short term – More theoretical analysis of the performances of
SybilDetector and RSSR• Long term
– Extend the social network model (more than two clusters)
42
Publication• Ling Xu, Hirouyki Takizawa, and Hiroaki Kobayashi: “A Reliability Model for
Result Checking in Volunteer Computing”, Proceedings of DAS-P2P 2008 Workshop, pp.201-204, 2008.
• Ling Xu, Satayapiwat Chainan, Hiroyuki Takizawa, Hiroaki Kobayashi, ”Resisting Sybil Attack By Social Network and Network Clustering,” saint, pp.15-21, 2010 10th IEEE/IPSJ International Symposium on Applications and the Internet, 2010.
• Ling Xu, Ryusuke EGAWA, Hiroyuki TAKIZAWA, Hiroaki KOBAYASHI, “A Network Clustering Algorithm for Sybil-Attack Resisting”, IEICE Transactions, special section, Parallel and Distributed Computing and Networking.
43
Reference• [Yu2008] Haifeng Yu, Phillip B. Gibbons, Michael Kaminsky,
and Feng Xiao. Sybillimit: A near-optimal social network defense against sybil attacks. In Proc. of IEEE Security & Privacy, 2008
• [Danezis05] G. Danezis, C. Lesniewski-Laas, M. F. Kaashoek, and R. Anderson. Sybil-resistant DHT routing. In European Symposium On Research In Computer Security, 2005
Top Related