Trust Management in P2P systems
Presenter: Lintao Liu
April 21st, 2003


Page 2: Papers

- Managing Trust in a P2P Information System. Karl Aberer, et al., Switzerland, 2001
- Choosing Reputable Servents in a P2P Network
- A Reputation-Based Approach for Choosing Reliable Resources in P2P Networks. Fabrizio Cornelli, et al., Italy, 2002
- Cooperative Peer Groups in NICE. Seungjoon Lee, et al., UMD, 2003
- And more…

Page 3: Problem Definition

Peer-to-Peer is a fully distributed system:

- With no central coordination
- No central database
- No global view of the system
- Peers are autonomous, and may be anonymous
- Peers are unreliable
- Transactions are performed between peers

How to make a transaction more likely to succeed (not cheated)?

- Choose the node which is more reliable

Page 4: Trust Management and Reputation

- Trust management: any mechanism that allows mutual trust to be established.
- Reputation: a measure that is derived from direct or indirect knowledge of earlier transactions.
- Reputation-based trust management: one specific form of trust management.

Page 5: More on Anonymity

- Reputations must be associated with self-appointed identifiers rather than with externally obtained identities.
- Peers are not required to keep a stable identifier (along with its reputation), but:
  - Good peers should benefit from a persistent ID
  - Malicious peers should not get much advantage by changing their ID to avoid a bad reputation

Page 6: Basic Elements in a Trust Management System

- Global trust model: how to describe whether an agent is trustworthy? Binary, real or discrete?
- Local algorithm to determine trust: computational procedure to determine the trust (or to determine the unreliability) of an agent
- Data and communication management: how to store and exchange the data which is necessary for the local algorithm (earlier transaction data)?

Page 7: Paper 1: Managing Trust in a P2P Information System

Page 8: Trust Model

- Binary trust
- When a transaction fails:
  - The honest peer will file a complaint about the cheater.
  - The dishonest one can also file a complaint.
- The reputation of an agent p could be: T(p) = |{c(p,q)}| * |{c(q,p)}| (q is any peer)
- But it requires global knowledge.

Page 9: Data Management: P-Grid

- Peers are organized as a virtual binary search tree (CAN and Chord can also perform this task).
- Basic idea: given a node ID, a node can be located which is responsible for storing some information about that node ID (P-Grid mechanism).
- A complaint can be inserted at any node, but it will be routed to one responsible node. Complaints can be retrieved in the same way.
- So this mechanism is fully distributed, and it uses the underlying P-Grid to manage complaints.

Page 10: Local Computation of Trust

- Complaints can be retrieved using the data management mechanism.
- But the node (say, A) which provides the complaints can be malicious.
  - Because of the same problem, you can verify whether A is malicious
- Solution:
  - Make r replicas.
  - If enough replicas say that p is trustworthy, it's done.
  - Otherwise, continue to retrieve more data.
  - If no clear decision is made, then give up.

Page 11: Algorithm

W = {(cr_i(q), cf_i(q), a_i, f_i) | i = 1, …, w}

- a_i, …, a_w are the witnesses of q
- cr_i(q) is the number of complaints sent from q to a_i
- cf_i(q) is the number of complaints sent from a_i to q
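The replica-based decision from the Local Computation of Trust slide, sketched as an added example (not code from the slides or from the paper). The record layout, the `threshold` on T(p), the `quorum` of agreeing replicas and the treatment of a large T(p) as suspicious are assumptions made for illustration, and the peer names and complaint records are constructed.

```python
from collections import Counter

# Constructed complaint records (filer, target, transaction id), as an honest
# replica would store them. "mallory" cheated three peers and also filed
# counter-complaints, which the trust-model slide says a dishonest peer can do.
HONEST = [
    ("alice", "mallory", 1), ("mallory", "alice", 1),
    ("bob", "mallory", 2), ("mallory", "bob", 2),
    ("carol", "mallory", 3), ("mallory", "carol", 3),
]
# A malicious replica that hides every complaint involving mallory.
TAMPERED = [r for r in HONEST if "mallory" not in r[:2]]


def trust_product(records, p):
    """T(p) = |{c(p,q)}| * |{c(q,p)}| computed from one replica's records."""
    filed = {r for r in records if r[0] == p}
    received = {r for r in records if r[1] == p}
    return len(filed) * len(received)


def assess(replicas, p, threshold, quorum):
    """Query replicas one by one and stop once `quorum` of them agree.

    threshold and quorum are assumed parameters. Returns "trustworthy",
    "untrustworthy", or "undecided" when the replicas run out (give up).
    """
    tally = Counter()
    for records in replicas:
        suspicious = trust_product(records, p) > threshold
        verdict = "untrustworthy" if suspicious else "trustworthy"
        tally[verdict] += 1
        if tally[verdict] >= quorum:
            return verdict
    return "undecided"


if __name__ == "__main__":
    five = [TAMPERED, HONEST, TAMPERED, HONEST, HONEST]
    print(assess(five, "mallory", threshold=4, quorum=3))      # untrustworthy
    print(assess(five, "alice", threshold=4, quorum=3))        # trustworthy
    print(assess(five[:4], "mallory", threshold=4, quorum=3))  # undecided
```

With two of five replicas tampered with, the quorum is still reached; with two of four, the honest and tampered answers tie and the querying peer gives up.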

Page 12: Paper 2: Choosing Reputable Servents in a P2P network

Page 13: Basic Idea

- Designed for Gnutella
- Uses a polling protocol to decide the reputation
- After getting all QueryHits, select some interesting results (nodes which have the queried data) and ask other peers to vote on those results.
- Binary vote (but it can still be another type)
- Contact the node with the highest reputation to retrieve the data

Page 14: Basic Polling Protocol:

Page 15: Basic Polling Protocol (ctd.)

- Polling message:
  - Poll(T, PK_poll): polling message
  - PollReply({(IP, port, Votes)}PK_poll)
- Verify vote:
  - TrueVote(Votes_j)
  - TrueVoteReply(response)
- Challenge:
  - Challenge(r)
  - Response([r]SK_s, PK_s)

Page 16: Enhanced Polling Protocol:

Page 17: Enhanced Polling Protocol

- Polling message:
  - Poll(T, PK_poll): polling message
  - PollReply({([(IP, port, Votes, serv_id)]SK_i, PK_i)}PK_poll)
  - Basically, the voting peer includes its PK and its own IP/port info, so the initiator can verify the voter.
- Verify vote:
  - AreYou(serv_id)
  - AreYouReply(response)
- Challenge: the same

Page 18: Data Structures

- Experience_repository: (serv_id, num_plus, num_minus)
- Vote: different criteria
  - Binary (1 or 0): vote 1 only when num_minus = 0
- Credibility_repository: (serv_id, num_agree, num_disagree)
  - Used to check whether a node is malicious

Page 19: Removing Suspects from Poll

- IP-address clustering is not good: a lot of peers may use proxies from some ISP companies like AOL.
- Compute an aggregation (arithmetic mean) of votes from a cluster of votes, where weights are inversely related to cluster size.
- Then a random sample of voters is checked:
  - If some voters are not found, increase the sample size
  - If no voters are found, abort the procedure
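One reading of the cluster-weighted aggregation above, combined with the binary vote rule from the Data Structures slide, as an added example (not code from the slides or the paper). Clustering voters by /24 network and weighting each vote by 1/cluster size are assumptions; the addresses and experience counts are constructed.

```python
import ipaddress
from collections import defaultdict


def binary_vote(num_plus, num_minus):
    """Vote rule from the Data Structures slide: 1 only when num_minus == 0."""
    return 1 if num_minus == 0 else 0


def cluster_of(ip, prefix=24):
    """Assumed clustering key: the voter's /24 network."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def plain_mean(votes):
    """Unweighted arithmetic mean of all votes, for comparison."""
    return sum(v for _, v in votes) / len(votes)


def cluster_weighted_mean(votes, prefix=24):
    """Weight each vote by 1/|cluster| so every cluster counts once in total."""
    clusters = defaultdict(list)
    for ip, vote in votes:
        clusters[cluster_of(ip, prefix)].append(vote)
    weighted = sum(sum(vs) / len(vs) for vs in clusters.values())
    return weighted / len(clusters)


# Constructed poll: six voters behind one /24 all vote 1 for the servent,
# four voters on unrelated networks report their own experience.
SAME_NETWORK = [(f"203.0.113.{h}", 1) for h in range(10, 16)]
INDEPENDENT = [
    ("192.0.2.10", binary_vote(3, 1)),    # one bad download -> 0
    ("198.51.100.7", binary_vote(0, 2)),  # -> 0
    ("10.8.1.5", binary_vote(1, 1)),      # -> 0
    ("10.9.2.6", binary_vote(4, 0)),      # no bad experience -> 1
]
POLL = SAME_NETWORK + INDEPENDENT

if __name__ == "__main__":
    print(round(plain_mean(POLL), 2))             # 0.7
    print(round(cluster_weighted_mean(POLL), 2))  # 0.4
```

The six same-network votes are kept rather than discarded, which matters when they come from unrelated users behind one ISP proxy, but together they carry the weight of a single voter.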

Page 20: Security Improvement

- Distribution of tampered-with information:
  - David declares some files it doesn't have and responds with bad data
  - Prevented by the bad reputation he will get
- Man-in-the-middle attack:
  - Public/private keys are used to prevent such attacks
  - Same for any communication

Page 21: Paper 3: A Reputation-Based Approach for Choosing Reliable Resources in P2P networks

Page 22: Basic Idea

- Servents can have a reputation. Resources can also have a reputation.
- Quite similar to the previous paper
- Experience repositories:
  - Resource repository: (resource_id, value) (value is binary); the resource ID is the digest of the content
  - Servent repository: (serv_id, num_plus, num_minus)

Page 23: XREP Protocol

- Binary vote
- Phase 1: Resource searching
  - QueryHit includes both node and resource info
- Phase 2: Resource selection & vote polling
  - Same as in the previous paper
- Vote evaluation
  - Including checking for valid votes
- Challenging and downloading data

Page 24: Combining Servent/Resource-Based Reputation

- Reputations' life cycle: new resources from good nodes are usually good
- Impact on peers' anonymity: servent-based reputation prefers the ID to be persistent, while resource-based reputation doesn't require that
- Cold start: with resource-based reputation, new nodes can participate in the distribution of well-known resources (for a good reputation)
- Performance bottlenecks:
  - More serious in servent-based reputation
  - Resource-based reputation can help to resolve that
- Blacklisting: connect the bad resources with the initiator

Page 25: Security Issues

- Attacks on P2P systems:
  - Self-replication: answering requests with bad contents
  - Man in the middle
- Attacks on reputation-based systems:
  - Pseudospoofing: using different IDs to send bad data
    - Digesting can stop the propagation of bad content
  - ID stealth:
    - ? Not very clear about that
  - Shilling: one peer using several IDs (working as several malicious nodes) to cheat other nodes.
    - This will be found with valid vote checking

Page 26: Questions…

Page 27: Paper 4: Cooperative Peer Groups in NICE

Page 28: Basic Idea

- After each transaction between A and B:
  - A sends B a cookie stating the quality of the transaction
  - B does the same thing to A
- For a later transaction between A and C:
  - A shows C the cookies that A has
  - C does the same thing

Page 29: More…

- How/who to store those cookies?
- How to get cookies?
  - Basic algorithm and refinement
- How to assign values to cookies?