Collusion-resilient credit-based reputation for peer-to-peer - - PowerPoint PPT Presentation



SLIDE 1

Collusion-resilient credit-based reputation for peer-to-peer content distribution

Nguyen Tran, Jinyang Li, Lakshminarayanan Subramanian
New York University
NetEcon’10

SLIDE 2

Incentive in P2P CDNs

A solved problem?

  • Yes

– BitTorrent tit-for-tat provides incentives for nodes to upload during download

  • No

– No incentives for nodes to act as seeders (seeder promotion problem)


SLIDE 4

Private vs public BitTorrent communities

[Figure: CDF of average download speed [Kbps] for PirateBay and TorrentLeech]

More seeders → better performance

SLIDE 5

Robust reputations → seeder promotion

  • Private BitTorrent

– Nodes report their contribution → vulnerable

  • Graph-based reputation (Page-rank, max-flow)

– does not capture node contribution
– vulnerable to collusion

SLIDE 6

Credo: a credit-based reputation mechanism

  • capture node contribution correctly
  • resilient to attacks (Sybil attack and collusion)

SLIDES 7-16

Credo’s system architecture

[Figure: central server and peers; node A shown as a seeder (upload) and as a leecher (download)]

  • Sybil-resilient node admission using social network (SybilLimit [S&P’08], SumUp [NSDI’09], GateKeeper [PODC’10])

each adversary can bring in few Sybils

$\text{Rep} = (\#\,\text{uploads}) - (\#\,\text{downloads})$

Seeders choose the highest reputation leecher to serve

SLIDE 17

Seeders collect credits in exchange for uploads

[Figure: nodes A, B, C, D, E; credit pool; signed token]

SLIDES 18-21

Nodes issue their own credits

[Figure: nodes A, B, C, D, E; credit pool]

$\text{Rep} = (\#\,\text{earned credit}) - (\#\,\text{issued credit})$

$\text{Rep} = (\#\,\text{earned credit}) - 2\,(\#\,\text{issued credit})$

To encourage nodes to use credits in credit pools before issuing new credits

SLIDE 22

Sybil attack

[Figure: nodes A, B, C, D, E and X, X1, X2; a credit pool holding X1 X1 X1 X2 X2 X2]

$\text{Rep} = (\#\,\text{earned credit}) - 2\,(\#\,\text{issued credit})$

SLIDE 23

Idea 1: Credit diversity

[Figure: nodes A, B, C, D, E and X, X1, X2; a credit pool holding X1 X1 X1 X2 X2 X2]

$\text{Rep} = (\#\,\text{different issuers}) - 2\,(\#\,\text{issued credit})$

SLIDES 24-26

Credit diversity is not enough

[Figure: nodes A, B, C, D, E and colluders X, X1, X2, Y, Y1, Y2; two credit pools, each holding X1 X1 X1 X2 X2 X2 Y1 Y1 Y1 Y2 Y2 Y2]

$\text{Rep} = (\#\,\text{different issuers}) - 2\,(\#\,\text{issued credit})$

SLIDES 27-33

Credit pool of attackers vs honest nodes

[Figure: nodes A, B, C, D, E and X, X1, X2, Y, Y1, Y2; the attackers' credit pools each hold X1 X1 X1 X2 X2 X2 Y1 Y1 Y1 Y2 Y2 Y2, annotated "Volume = 6" and "all are high volume credits"; an honest node's credit pool holds credits annotated with volumes 3 ("low volume") and 6 ("high volume")]

Volume(c) : # of credits issued by the issuer of c

SLIDE 34

Distribution of credits’ volume

[Figure: probability density vs. volume, two curves: expected volume distribution in a normal credit pool; volume distribution in an adversary’s credit pool]

SLIDES 35-40

Idea 2: Modeling good behavior

[Figure: probability density vs. volume, two curves: expected volume distribution in a normal credit pool; volume distribution in a credit pool; annotation "filter credits"]

Central server samples a subset of peers and asks for # of issued credits

$\text{Rep} = (\text{diversity of filtered pool}) - 2\,(\#\,\text{issued credit})$

SLIDE 41

Effect on attackers

[Figure: nodes A, B, C, D, E and X, X1, X2, Y, Y1, Y2 with their credit pools; credits annotated with volumes 3 ("low volume") and 6 ("high volume")]

Sybils issue similar amount of credits as honest nodes
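
The three scoring rules from slides 19-40, applied to the colluder pool drawn on slides 26-33, as an added example that is not code from the Credo authors. The per-volume cap in `filter_pool`, the sampled counts and all function names are assumptions; the slides only say that the pool is filtered against the expected volume distribution.

```python
import math
from collections import Counter

def expected_distribution(sampled_issue_counts):
    """Volume histogram the server builds by sampling peers' issued-credit counts."""
    total = len(sampled_issue_counts)
    return {v: n / total for v, n in Counter(sampled_issue_counts).items()}

def filter_pool(pool, issued, expected):
    """Assumed filter: per volume, keep at most the expected share of the pool."""
    buckets = {}
    for issuer in pool:                       # one pool entry = one credit
        buckets.setdefault(issued[issuer], []).append(issuer)  # Volume(c)
    kept = []
    for volume, credits in buckets.items():
        cap = math.ceil(expected.get(volume, 0.0) * len(pool))
        distinct = sorted(set(credits))       # keep distinct issuers first:
        extra = sorted((Counter(credits) - Counter(distinct)).elements())
        kept += (distinct + extra)[:cap]      # the holder's best case
    return kept

def rep_earned(pool, own_issued):             # slides 19-22
    return len(pool) - 2 * own_issued

def rep_diversity(pool, own_issued):          # slide 23
    return len(set(pool)) - 2 * own_issued

def rep_credo(pool, own_issued, issued, expected):    # slide 40
    return len(set(filter_pool(pool, issued, expected))) - 2 * own_issued

# Constructed scenario: k = 2 colluders (X, Y), s = 2 Sybils each, C = k*s = 4.
EXPECTED = expected_distribution([3] * 9 + [6])       # constructed server sample
ISSUED = {"B": 3, "C": 3, "D": 3, "E": 6,             # honest issuers
          "X1": 6, "X2": 6, "Y1": 6, "Y2": 6}         # Sybils, Volume = 6
HONEST_POOL = ["B", "C", "D", "E"]
COLLUDER_POOL = ["X1", "X2", "Y1", "Y2"] * 3          # as drawn on slides 26-33

def compare():
    """Return (earned, diversity, filtered) scores for each pool holder."""
    rows = {}
    for name, pool in (("honest", HONEST_POOL), ("colluder", COLLUDER_POOL)):
        rows[name] = (rep_earned(pool, 0), rep_diversity(pool, 0),
                      rep_credo(pool, 0, ISSUED, EXPECTED))
    return rows

if __name__ == "__main__":
    for name, scores in compare().items():
        print(name, dict(zip(("earned", "diversity", "filtered"), scores)))
```

Counting earned credits rewards the colluder most, diversity caps it at the number of Sybil issuers, and the volume filter pushes it below the honest node because every credit in its pool sits in the rare high-volume bucket.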

SLIDES 42-45

Credo’s security properties

  • Suppose there are $k$ adversaries, each brings in $s$ Sybils. They form a collusion size of $C = k \cdot s$, and do not contribute.

– The reputation of each adversary is bounded by the collusion size $C$
– Reputation of adversary decreases after download

(s ) x γ • C

Average number of self-issued credits of an issuer

A small constant

SLIDE 46

Auditing to catch misbehavior

  • Nodes can lie

– Double spend credits
– Falsely report number of issued credits
– Many others …

  • Audit to catch liars with provable evidence (PeerReview) → disincentivize nodes to lie

SLIDE 47

Credo reputation reflects node contribution

[Figure: reputation vs. node contribution (# uploaded chunks - # downloaded chunks)]

  • Simulate 1 year of 3000 nodes network
  • Continuously inject 100MB file and choose 300 nodes to download
  • Use Maze data (2005) to model nodes’ demand
  • Use BitTorrent data (2007) to model nodes’ upload capacity

SLIDES 48-50

Higher reputation → faster download

[Figure: download time [sec] vs. node contribution; annotations: "Limited by upload capacity of the initial seeder", "Limited by queuing time"]

SLIDE 51

Credo is robust against collusion

[Figure: download time [sec] vs. node contribution for honest nodes and colluders]

  • 30 adversaries, each brings in 3 Sybil nodes
  • Colluders do not upload
  • Vary demand of colluders at each run of the simulation

SLIDE 52

More seeders → better performance

[Figure: CDF of complete time [sec]; curves: "Credo, nodes stay online" and "BT, nodes go offline"]

  • Experiment on 210 PlanetLab nodes
  • Inject 25MB file at the beginning
  • Nodes arrive every 15 seconds

SLIDE 53

Related work

  • Graph-based reputation

– Page-rank style: EigenTrust [WWW’03], multi-level tit-for-tat [IPTPS’06]
– Max-flow style: SybilProof [P2PEcon’05], Feldman [EC’04]
– Other: Onehop [NSDI’09]

  • Currency

– Dandelion [Usenix’07], Pace [Conext’08], PPay [CCS’03]

SLIDE 54

Conclusion

  • Credo addresses seeder promotion problem

– Higher reputation → faster download

  • Credo is a credit-based reputation system

– Reflect nodes’ net contribution correctly
– Resilient to Sybil and collusion attacks