
Page 1:

Kai Hwang, USC, May 2007

Trust Management in P2P and Grid Computing

Kai Hwang, University of Southern California

Presentation Outline:

Evolution of Massively Distributed Computing Systems

Trust integration and security binding issues

Security-aware job scheduling in Grids

P2P Reputation Aggregation Systems

Further Challenges in Trusted Computing

Keynote address at the IEEE First Workshop on Trust and Reputation Management in Massively Distributed Computing Systems (TRAM-2007), in conjunction with the IEEE ICDCS-2007, Toronto, June 29, 2007

Page 2:

Kai Hwang, IEEE-TRAM Workshop June 29, 2007

Presentation Outline: (Related Publications)

Trust management and security-aware job scheduling in P2P and Grid Systems -- (IEEE Internet Computing, Nov. 2005, IEEE-TC, June 2006, Journal of Grid Computing, Sept. 2005)

Reputation systems for structured and unstructured P2P networks (IPDPS-2006, IPDPS-2007, IEEE-TPDS April 2007, IEEE-TKDE submitted Jan. 2007)

Copyright protection in P2P networks using secure file indexing and content poisoning – (IEEE-TRAM Workshop with ICDCS-2007, IEEE-TMM, revised March 2007)

All papers downloadable from http://GridSec.usc.edu

Page 3:

Evolution from HPC and Clusters to Distributed P2P/Grid Computing and Web Services

[Figure labels: High-Perf. Computing; Distributed Computing; P2P Clusters; Web Services; GRID; Mainly for supercomputing; Mainly for file sharing; Homogeneous; Heterogeneous Applications; Disparate Systems; Resource Sharing; Geographically Sparse; Within a Framework; (Sharing); (Close to each other); (Lack of framework)]

Page 4:

P2P Systems, Computational Grids, and P2P Grids

Features: P2P Systems | Grids | P2P Grids

Architecture, Connectivity: Flexible topology, highly scalable, autonomous users | Static configuration with limited scalability | P2P flexibility with Grid resource sharing initiatives

Control and Resource Discovery: Distributed control, client-oriented, free in and out, and self-organizing peers | Centralized control, server- or supercomputer-oriented with registered participants | Policy-based control, operating with both P2P and Grid resource management

Security, Privacy, Reliability: Distrusted peers, insecure P2P interactions, and anonymity | Guaranteed trust, more secure with federated users and accountability | Peer-layer reputation system and Grid-layer security infrastructure

Applications and Job Management: General, content delivery, file sharing, download services | Scientific computing, global problem solving, and hierarchical job management | Support desktop, distributed Grid computing, and community services

Representative Systems: Gnutella, Chord, CAN, Tapestry, SETI@home, etc. | TeraGrid, GriPhyN Grid, LHC Grid, e-Science, Vaga Grid | Entropia, P2P Grid, PC Grid, Linger Longer

Page 5:

Some Killer Applications in Grids and P2P Networks

Page 6:

New Approaches to Distributed and Network-Centric Computing

[Figure. P2P & Grid Applications: Grid Resource Monitoring & Discovery; Distributed RDF Repository; Collaborative Worm Signature Generation; P2P Replica Location Service. Distributed Indexing and Aggregation Techniques: Distributed Hash Table (Chord); Multi-Attribute Addressable Network; Distributed Aggregation Tree; Distributed Cardinality Counting.]

Page 7:

The Need of Establishing Cyber Trust

[Figure labels: Remote Office; Customer; Supplier; Distributor; Sales rep; Intrusion; Theft of service; Denial of service; Masquerade; Back doors; Sabotage; Snooping; Disgruntled employees; Viruses; Eavesdropping; Industrial espionage]

Page 9:

Trust Integration over a DHT Overlay

Cooperating gateways working together to establish VPN tunnels for trust integration

[Figure labels: Physical backbone; DHT Overlay Ring; Trust Vector (V); Trust vector propagation; User application and SeGO server negotiation; SeGO Server Hosts; VPN Gateway; Site S1; Site S2; Site S3; Site S4]

Page 10:

Security Binding in Computing Grids

Evaluating site trust index using a fuzzy-logic based trust model

Fuzzy trust aggregation at the intra-site and inter-site levels

Matching Job Security demand with resources conditions

[Figure labels: Site Trust Index; Defense Capability; Site Reputation; Intersite aggregation; Intrasite aggregation; IDS related Capabilities; Anti-Virus Capabilities; Firewall Capabilities; Secure Execution Capabilities; Prior Job Execution Success Rate; Cumulative Utilization; Job Turnaround Time; Job Slowdown Ratio]

(IEEE Internet Computing, Nov. 2005, IEEE-TC, June 2006, Journal of Grid Computing, Sept. 2005)

Page 11:

Trusted Grid Job Scheduling

Secure mapping of user jobs onto the Grid sites -- the job security demand (SD) and the site trust index (TI) are attributed to many security measures and trust parameters

A practical Grid job scheduler should be risk-resilient by considering SD and TI when mapping jobs to sites

Trust Index of resource sites: Site reputation, prior job success rate, firewalls, intrusion detection, attack history, false alarms, system vulnerability, crypto library, security update frequency, etc.

Security Demand of user jobs: Job sensitivity, peer authentication, encrypted messaging, access control, data integrity, user requirements, job application environment, etc.

User jobs demanding security assurance

Grid resource sites with trust assessed by peers

Job Scheduler

Page 12:

Two Example Time-Driven Heuristics to demonstrate the Security Binding Process

Min-min heuristics: For each job, the resource site that gives the earliest expected completion time is found first. The job that has the minimum earliest expected completion time is then assigned first to its selected resource site.

Sufferage heuristics: Based on the policy of assigning a site to the job that would “suffer” the most in terms of expected completion time if that particular site were not assigned to it.
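The min-min heuristic with security binding, as an added Python example (not code from the talk or its papers): in secure mode a site is a candidate for a job only when its trust index is at least the job's security demand, while risky mode ignores SD and TI. That TI >= SD admission rule is an assumption, and the job and site values are constructed sample data.

```python
def min_min(jobs, sites, secure=True):
    """Min-min mapping of jobs onto sites.

    jobs  : {job: (workload, security_demand)}
    sites : {site: (speed, trust_index)}
    secure: True  -> a site is eligible for a job only if TI >= SD
                     (assumed security-binding rule);
            False -> SD and TI are ignored (risky mode).
    Returns (schedule, unplaced); schedule lists (job, site, completion_time)
    in the order the assignments were made.
    """
    ready = {site: 0.0 for site in sites}      # time at which each site is free
    pending = dict(jobs)
    schedule, unplaced = [], []
    while pending:
        best_per_job = []
        for job, (work, sd) in sorted(pending.items()):
            # Step 1: earliest expected completion time over eligible sites.
            options = [(ready[site] + work / speed, site)
                       for site, (speed, ti) in sites.items()
                       if not secure or ti >= sd]
            if options:
                done, site = min(options)
                best_per_job.append((done, job, site))
            else:
                unplaced.append(job)           # no site is trusted enough
        for job in unplaced:
            pending.pop(job, None)
        if not best_per_job:
            break
        # Step 2: the job with the minimum earliest completion time goes first.
        done, job, site = min(best_per_job)
        ready[site] = done
        schedule.append((job, site, done))
        del pending[job]
    return schedule, unplaced


def at_risk(schedule, jobs, sites):
    """Jobs that were mapped to a site whose TI is below the job's SD."""
    return sorted(job for job, site, _ in schedule
                  if sites[site][1] < jobs[job][1])


# Constructed sample data: workload units, SD and TI in [0, 1].
JOBS = {"J1": (8.0, 0.8), "J2": (16.0, 0.4), "J3": (4.0, 0.6), "J4": (8.0, 0.95)}
SITES = {"S1": (4.0, 0.9), "S2": (8.0, 0.5), "S3": (2.0, 0.7)}

if __name__ == "__main__":
    for secure in (True, False):
        schedule, unplaced = min_min(JOBS, SITES, secure)
        print("secure" if secure else "risky", schedule,
              "unplaced:", unplaced,
              "at risk:", at_risk(schedule, JOBS, SITES))
```

In this sample, secure mode leaves J4 unplaced because no site reaches its demand, while risky mode places every job but runs three of them on sites below their security demand.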

Page 13:

Genetic Algorithm (GA)

Genetic Algorithms (GAs) are based on the concept of searching through a large solution space for acceptable solutions.

GA is suitable for job scheduling in heterogeneous computing and Grid environments. It is powerful for generating good solutions.

How a GA works?

[Figure: bit-string populations at four stages, each with four values. Initial Population: 0.3 0.6 0.9 0.6. After selection: 0.9 0.6 0.9 0.6. After crossover: 1.0 0.4 0.9 0.6. After mutation: 1.0 0.4 0.8 0.6.]

Page 14:

Genetic Algorithms (GA)

Problem: the initial population is randomly generated, the whole process takes too long a time to converge

[Figure: solution quality vs. evolution times, with annotations: Random initial population; Good solution is found; Can we start from somewhere here?]

How? How about using historical data?

Page 15:

Risk-Resilient Scheduling Algorithms

Policy: Heuristic Algorithms | Genetic Algorithms

Risky: Risky-Heuristic: Jobs are scheduled based on a heuristic algorithm without considering any risk factors. | Risky-STGA: Jobs are scheduled based on space-time genetic algorithm without considering any risk factors.

Preemptive: P-Heuristic: The job is scheduled to a site that can be preempted due to insecure conditions. Resubmit the failed jobs to other available sites. | P-STGA: Job is scheduled based on STGA that allows preemption under insecure conditions. Resubmit the failed jobs to other available sites.

Replication: R-Heuristic: Replicated jobs may be dispatched to multiple sites to prevent possible job failures. | R-STGA: STGA that allows replicated jobs to be dispatched to multiple sites to prevent possible job failures.

Delay-tolerant: DT-Heuristic: When a failure is observed, the scheduler allows the job to be delayed for a preset period of time before rescheduling the job. | DT-STGA: STGA that allows a job to be delayed for a preset period of time before rescheduling the job.

Page 16:

Performance Metrics for evaluating the quality of Trusted P2P/Grid Computing

[Figure: QoS of P2P/Grid Services, with axes from the origin O: 1 - Utilization [0, 1.0]; Response Time [0, 4.2×10^5 s]; Failure Rate [0, 1.0]; Slowdown Ratio [0, 152]; Makespan [0, 3.3×10^6 s]. Label: Serious hackers]

Page 17:

Performance Results of 7 Job Scheduling Algorithms over the NAS Workload

[Figure (a): Makespan in seconds for STGA, Sufferage k-Aggressive, Sufferage Conservative, Sufferage Aggressive, Min-min Aggressive, Min-min k-Aggressive, Min-min Conservative]

[Figure (b): Average response time in seconds for STGA, Sufferage Risky, Sufferage f-Risky, Sufferage Secure, Min-min Risky, Min-min f-Risky, Min-min Secure]

Page 18:

Open-Resource Peer-to-Peer Networks

In a P2P system, every node acts as both client and server, submitting requests and providing part of the resources.

No central coordination or central database is available, and no peer has a global view of the entire system.

[Figure: Overlay Network]

Page 19:

Cybertrust Demands in Peer to Peer Computing

Scalable killer applications on P2P systems

Fast containment of Internet worm outbreaks

Defense against DDoS flooding Attacks

Need Reputation Systems for P2P networks

Copyright protection in P2P content delivery

Page 20:

P2P Reputation Systems

Existing Approaches

Collecting, aggregating and disseminating feedbacks among peers -- EigenTrust, PeerTrust, PowerTrust, GossipTrust, etc.

Common limitations:

Ignore the feedback properties of P2P systems

Assume an arbitrary feedback distribution

Not in agreement with the reality!

Goal: Scalable, Robust, and Secure reputation applications

Page 21:

Transitive Reputation Aggregation

Ask friend’s friends about the reputation of a peer in the system

Ask your friends j what they think of node k, and weight each friend’s opinion by how much you trust him:

$r'_{ik} = \sum_j r_{ij}\, r_{jk}$

[Figure: example with Node 1, Node 2, Node 4 and Node 6]

While $|V(i) - V(i-1)| > \delta$: $V(i+1) = R^{T} V(i)$


Page 30:

Grid PSA Benchmark Experiments

[Figure: Trusted P2P Grid Computing; axis: Job Makespan in seconds]

Page 31:

Reputation Systems for Unstructured P2P Networks

Motivation

The Peer-to-Peer (P2P) architectures that are most prevalent in today’s Internet are decentralized and unstructured

Challenges:

Short of secure hashing and fast lookup mechanisms

Most scalable reputation systems were designed for structured (DHT-based) P2P networks

EigenTrust, PeerTrust, PowerTrust, ...

Page 32:

The GossipTrust System

Scalable, Robust and Secure reputation system for structured P2P networks (IPDPS-2007, IEEE-TKDE submitted 2007)

Page 33:

Gossip Protocol for Reputation Aggregation

Make minimal assumptions about the characteristics of networks and hosts

Tolerate the link and node failures

Support the computation of aggregate functions like weighted sum, average value and maximum over large collection of distributed numeric values

One thread sends the halved gossip pair $\{\tfrac{1}{2} x_i(k), \tfrac{1}{2} w_i(k)\}$ to itself (node $i$) and to a randomly selected node in the network.

Another thread receives the halved pairs from other nodes and computes the updated $x_i(k+1)$ and $w_i(k+1)$

$x_i$ is the local score and $w_i$ is the consensus factor

Page 34:

Gossip-based Reputation Aggregation

d ≤ logb with b = λ2/λ1, where λ1 and λ2 are the largest and second largest eigenvalues of the trust matrix S

g = O(log2n)

Page 35:

Gossip Aggregation

The updated global score of node N2 is calculated as

$v_2(t+1) = v_1(t) \times 0.2 + v_2(t) \times 0 + v_3(t) \times 0.6 = (1/2) \times 0.2 + (1/6) \times 0.6 = 0.2$
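The halved-pair gossip step and the N2 update above, as an added Python example (not code from the talk or from GossipTrust): three simulated nodes gossip until every node's ratio x/w equals the weighted sum 0.2. It goes beyond the slide by repeating aggregation cycles until |V(t+1) - V(t)| <= δ, the stopping rule from the Transitive Reputation Aggregation slide. Assumptions: the consensus factor starts at 1 on the target node and 0 elsewhere, v2(t) = 1/3, and the matrix S is constructed around the slide's N2 column (0.2, 0, 0.6).

```python
import random


def gossip_sum(x0, target, rounds=200, rng=None):
    """Halved-pair gossip: every node's x/w converges to sum(x0).

    x0[i] is node i's local score; the consensus factor w starts at 1 on
    `target` and 0 elsewhere (assumed initialisation), so sum(w) stays 1.
    Returns each node's estimate x_i / w_i (None while w_i is still 0).
    """
    rng = rng or random.Random(2007)
    n = len(x0)
    x = list(x0)
    w = [1.0 if i == target else 0.0 for i in range(n)]
    for _ in range(rounds):
        new_x, new_w = [0.0] * n, [0.0] * n
        for i in range(n):
            peer = rng.choice([p for p in range(n) if p != i])
            # Node i sends {x_i/2, w_i/2} to itself and to one random node.
            for dest in (i, peer):
                new_x[dest] += x[i] / 2
                new_w[dest] += w[i] / 2
        x, w = new_x, new_w
    return [xi / wi if wi > 0 else None for xi, wi in zip(x, w)]


def gossip_cycle(S, v, rounds=200, rng=None):
    """One aggregation cycle: v_j(t+1) = sum_i v_i(t) * s_ij, via gossip."""
    rng = rng or random.Random(2007)
    n = len(v)
    return [gossip_sum([v[i] * S[i][j] for i in range(n)], j, rounds, rng)[j]
            for j in range(n)]


def exact_cycle(S, v):
    """The same update computed centrally, for comparison."""
    n = len(v)
    return [sum(v[i] * S[i][j] for i in range(n)) for j in range(n)]


def global_scores(S, delta=1e-6, max_cycles=100, rng=None):
    """Repeat gossip cycles until the score vector moves by at most delta."""
    rng = rng or random.Random(2007)
    n = len(S)
    v = [1.0 / n] * n
    for _ in range(max_cycles):
        nxt = gossip_cycle(S, v, rng=rng)
        if max(abs(a - b) for a, b in zip(nxt, v)) <= delta:
            return nxt
        v = nxt
    return v


# Constructed trust matrix; only column N2 (0.2, 0, 0.6) is from the slide.
S_EXAMPLE = [[0.0, 0.2, 0.8],
             [0.6, 0.0, 0.4],
             [0.4, 0.6, 0.0]]
# v1(t) = 1/2 and v3(t) = 1/6 are from the slide; v2(t) = 1/3 is assumed.
V_T = [1 / 2, 1 / 3, 1 / 6]

if __name__ == "__main__":
    print("gossip:", gossip_cycle(S_EXAMPLE, V_T))
    print("exact: ", exact_cycle(S_EXAMPLE, V_T))
    print("global scores:", global_scores(S_EXAMPLE))
```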

Page 36:

Bloom-filter based Reputation Storage

Bloom filters for reputation retrieval

Example: a P2P network with 6 nodes, labeled as {0, 1, ..., 5}. v0 = 0.05, v1 = 0.2, v2 = 0.3, v3 = 0.1, v4 = 0.3, v5 = 0.05.

Category 1: {0, 1, 3, 5} and Category 2: {2, 4}

m = 8 bits per filter. h1(x) = x Mod (8) and h2(x) = x+2

Page 37:

Bloom filter-based Reputation Storage

Page 38:

Convergence Rate vs. Gossip Error

Page 39:

Aggregation Error vs. Malicious Peers

Page 40:

Further R/D Extensions

The architecture of PowerTrust and the GossipTrust can be merged to support both structured and unstructured P2P networks

Prototyping of the PowerTrust, GossipTrust, or a combined system.

Benchmark Evaluation of the prototype systems

Effectiveness of gossip protocol for reputation aggregation in P2P networks

Fast aggregation algorithms, efficient reputation storage with Bloom filters, and secure communication with identity-based cryptography

Page 41:

Research Extensions (Continued)

Coping with peer abuses and selfishness

Game theoretic and benchmark studies

Supporting object-based reputations

Validating the authenticity of an object (files)

Distinguishing between quality-of-service and quality of feedback

Exploring new killer P2P applications such as copyright protection in P2P content delivery

Page 42:

Conclusions:

Our security binding technique is applied to improve any time-driven heuristics for parallel on-line job scheduling in an open risky Grid computing environment.

Both NAS and PSA benchmark results show the superiority of STGA over the heuristics algorithms applied.

It is more resilient to tolerate job delays by calculated risky conditioning, instead of resorting to job preemption, replication, or assuming unrealistic risk-free operations.

Peer-based reputation systems are needed for both structured and unstructured P2P networks. Object-based reputation systems are new challenges