2011/12/15. Security Mechanisms for Distributed Computing Systems. A9ID1007, Xu Ling Kobayashi Laboratory GSIS, TOHOKU UNIVERSITY. Background. Distributed computing systems (DCSs) Definition: A system where nodes share their computing power with each other to finish certain goals
2011/12/15 Security Mechanisms for Distributed Computing Systems A9ID1007, Xu Ling Kobayashi Laboratory GSIS, TOHOKU UNIVERSITY
Background
• Distributed computing systems (DCSs)
  • Definition: A system where nodes share their computing power with each other to finish certain goals
  • Example: P2P systems (Skype), volunteer computing systems (SETI@home), Grid, ad hoc systems, …
Background: Example DCS
• Volunteer computing system
  • Host nodes dispatch tasks to workers.
  • Workers compute the tasks and return results to host nodes.
(Figure: hosts send the tasks 1*1=?, 1+2=?, 1+1=?, 1*2=? to workers; the workers return 1*1=1, 1+2=3, 1+1=2, 1*2=2.)
Background: False Result Attack (1)
• False result attack: Malicious nodes deliberately send incorrect data to honest nodes
(Figure: honest workers return 1*1=1 and 1+2=3; malicious workers return 1+1=100 and 1*2=100 to the hosts.)
Background: False Result Attack (2)
• False result attack (definition):
  • One host node and multiple workers.
  • The host dispatches tasks to workers. Workers compute tasks and return results to the host.
  • Malicious workers return incorrect results to the host.
(Figure: the host sends 1+1=? to three workers; two return 1+1=2 and the malicious worker returns 1+1=100.)
Background: Existing Solution to FRA
• Existing solutions: Enable the host to distinguish malicious workers
• Quiz-based solutions
  • The host dispatches multiple tasks to each worker v
  • These tasks contain some special tasks called quizzes
  • The host checks the correctness of the answers to the quizzes
  • Node v is honest only if the answers to the quizzes returned by v are correct
• Problem:
  • A quiz should satisfy: the correctness of the answer to a quiz should be easy to check
  • Impractical: how to generate quizzes that satisfy this property is an open problem.
(Figure: the host sends v the tasks 1+1=?, 1+2=? and the quiz 11*11=?; v returns 1+1=3, 1+2=3 and 11*11=3; the host knows 11*11=121, so v is malicious.)
Background: Sybil Attack
• Sybil attack (SA)
  • A few malicious users control many Sybil nodes (malicious nodes) to break the system protocol
  • Sybil nodes collude to break the system
(Figure: one malicious user controls several Sybil nodes, which return 1+1=100 and 1*1=100 to the hosts.)
Example: Sybil Attack to DHT (1)
• Routing via intermediate hops
• Result is authenticated
• Trade off table size versus routing hops
(Figure: a lookup from s to t, with the labels {IDt} and {IP addr}PKt.)
Example: Sybil Attack to DHT (2)
• Attacker creates many pseudonyms
• Disrupts routing or stabilization
• Douceur, 2002: “without a logically centralized authority, Sybil attacks are always possible”
Background: Existing Solution to SA (1)
• Social network model based Sybil detecting (SSD)
• Social network model:
  • Nodes of the same types are closely connected
  • # of attack edges is small
(Figure: an honest cluster and a Sybil cluster joined by attack edges.)
Background: Existing Solution to SA (2)
• Social network model based Sybil detecting (SSD)
• Goal: For each honest node v, enable v to judge the types of other nodes
• Assumption: The network topology of the DCS obeys SNM
• Basic idea:
  • # of attack edges is small → communication between nodes of different types is weakened
  • It is easy for v to communicate with honest nodes
  • It is hard for v to communicate with Sybil nodes
  • v can judge the types of other nodes
Background: Existing Solution to SA (3)
• Social network model based Sybil detecting (SSD)
• Example SSD algorithm: SybilLimit
  • Probing random walk (PRW): a message packet that moves in a random walk manner for a short distance
  • Probing random walks have a low escape rate
  • Each node disseminates a certain number of PRWs
  • For v, node u is honest iff the PRWs of v and u intersect
• Problem: the distinguishing accuracy is low
  • Sybil accept rate: Pr(honest nodes accept Sybil nodes)
Objective
• Problem
  • For FRA: existing solutions are impractical (Quiz)
  • For SA: distinguishing accuracy is low (SSD alg.)
• Objective: Design effective security mechanisms to resist FRA and SA on DCSs.
  • Design practical FRA resisting algorithms
    • Use no quiz
    • Pr(the host accurately distinguishes honest workers and malicious workers)
  • Design accurate SSD algorithms
Objective: Approaches
• Design practical FRA resisting algorithms
  • Replace quizzes with normal tasks
• Design accurate SSD algorithms
  • Idea: detect the attack edges
    • Detect the attack edges
    • Detect Sybil nodes
  • Design AED-based SSD algorithm for authorized DCSs
  • Design AED algorithm for unauthorized DCSs
(Figure callout: completely separate nodes of different types.)
• MSC: a Practical Spot Checking Mechanism for Resisting False Result Attack
  • Objective: enable the host to distinguish the types of workers without using quizzes.
  • Evaluation metric: reliability of workers
• SybilDetector: an Attack Edge Detecting Based Sybil Detecting Algorithm
  • Objective: enable each honest node to distinguish the types of other nodes
  • Evaluation metric: Sybil accept rate
• RSC: an Attack Edge Detecting Algorithm for Sybil Resisting
  • Objective: enable each honest node to judge whether a certain incident edge is an attack edge.
  • Evaluation metric: RWEBs of incident edges
Organization
• Introduction
• MSC: a Practical Spot Checking Mechanism for Resisting False Result Attack
• SybilDetector: an Attack Edge Detecting Based Sybil Detecting Algorithm
• RSC: an Attack Edge Detecting Algorithm for Sybil Resisting
• Conclusion
(Figure callouts: "workers 1 are honest; worker 4 is malicious"; "v1 is honest, v2 is Sybil"; "e1 is not AE, e2 is AE".)
MSC: a Practical Spot Checking Mechanism for Resisting False Result Attack
Introduction
• Background (review)
  • False result attack (FRA)
  • Quiz
    • Goal: enable the host to detect malicious workers
    • Idea:
      • Use quizzes to detect malicious workers
      • The host checks the correctness of the answers of quizzes
    • Problem: how to generate quizzes that satisfy this property is an open problem.
• Objective: Design an algorithm that enables the host to detect malicious workers without using quizzes
(Figure: the host sends v the tasks 1+1=?, 1+2=? and the quiz 11*11=?; v returns 1+1=3, 1+2=3 and 11*11=3; the host knows 11*11=121, so v is malicious.)
Mutual Spot Checking: Idea
• Use quizzes to detect malicious workers → use checking tasks (normal tasks) to detect malicious workers
• The host checks the correctness of the answers of quizzes → workers check the correctness of the answers of checking tasks
Mutual Spot Checking: Algorithm
The host
• Dispatches a task set to each worker.
• For each pair of two workers, v and u, the task sets of v and u have some tasks in common (checking tasks)
• Increases the reliabilities of v and u if v and u return equal answers to their checking tasks (made a match).
Notes
• Checking tasks (normal tasks) are used to detect malicious workers
• The workers check the correctness of the checking tasks
• Malicious workers make more mismatches → have lower reliabilities → are detected
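An example
(Figure: the host gives peers A, B and C the task sets T1, T2 and T3, which share the checking tasks CT(a), CT(b) and CT(c); each pair of answers is marked as matching or mismatching. Plot "Reliability change of peers": reliability against running time for honest and malicious peers, with a reliability gap between them.)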
Change of Performance as the Number of Malicious Workers Increases
• Pf: Percentage of malicious workers in the system
• Number of malicious workers is small → honest workers have the highest reliabilities.
• Number of malicious workers is large → conspirators have the highest reliabilities.
• Under collusion: MSC can detect malicious nodes when # of malicious nodes is small (50% of the system)
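The matching rule from the algorithm slide and the collusion behaviour described above, as an added example that is not code from the slides or the cited paper. The +1 reliability increment, one checking task per worker pair, the addition tasks and the three worker models are assumptions made for illustration.

```python
from itertools import combinations

def true_result(task):
    a, b = task
    return a + b

def lone_cheater(offset):
    # Non-colluding malicious worker: a wrong answer nobody else produces.
    return lambda task: true_result(task) + offset

def colluder(task):
    # Colluding malicious workers agree on one wrong answer for every task.
    return -1

def mutual_spot_check(workers):
    """workers maps a name to its answer function; returns name -> reliability."""
    reliability = {name: 0 for name in workers}
    for i, (v, u) in enumerate(combinations(sorted(workers), 2)):
        checking_task = (i, i + 1)  # normal task placed in both task sets
        if workers[v](checking_task) == workers[u](checking_task):
            reliability[v] += 1     # a match raises both reliabilities
            reliability[u] += 1
    return reliability

def least_reliable(reliability):
    """Names the host would treat as malicious: those with the lowest score."""
    low = min(reliability.values())
    return {name for name, score in reliability.items() if score == low}

# Constructed scenarios (h = honest, m = lone cheater, c = colluder).
NO_COLLUSION = {"h1": true_result, "h2": true_result, "h3": true_result,
                "h4": true_result, "m1": lone_cheater(1000), "m2": lone_cheater(2000)}
COLLUDING_MINORITY = {"h1": true_result, "h2": true_result, "h3": true_result,
                      "c1": colluder, "c2": colluder}
COLLUDING_MAJORITY = {"h1": true_result, "h2": true_result,
                      "c1": colluder, "c2": colluder, "c3": colluder}

if __name__ == "__main__":
    for name, scenario in [("no collusion", NO_COLLUSION),
                           ("colluding minority", COLLUDING_MINORITY),
                           ("colluding majority", COLLUDING_MAJORITY)]:
        scores = mutual_spot_check(scenario)
        print(name, scores, "flagged:", sorted(least_reliable(scores)))
```

With a colluding majority the honest workers end up with the lowest reliability, which is the failure case the slide reports.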
Conclusion
• Objective: an algorithm that enables the host to detect malicious workers without quizzes
• MSC
  • Use normal tasks (checking task) to detect malicious workers
  • Let workers check the correctness of answers of quizzes
• Evaluation
  • No collusion: Can detect all malicious workers
  • Under colluding: Can detect all malicious workers when malicious workers are less than half of the system
Publication
Ling Xu, Hiroyuki Takizawa, and Hiroaki Kobayashi: “A Reliability Model for Result Checking in Volunteer Computing”, Proceedings of DAS-P2P 2008 Workshop, pp.201-204, 2008.
SybilDetector: an Attack Edge Detecting Based Sybil Detecting Algorithm
Introduction
• Background (review)
  • Sybil attack
  • SSD algorithms
    • Objective: Enable each honest node to distinguish the types of other nodes
    • Idea: the attack edges weaken the communication between nodes of different types
    • Problem: Low distinguishing accuracy
• Observation: detecting the attack edges plays an important role in designing accurate SSD algorithms
• Objective: an accurate AED-based SSD algorithm for authorized DCSs
SybilDetector: Idea
• Observation
  • For node v, node u is Sybil → (v,u)-SP will pass the attack edges
  • (v,u)-SP: a shortest path between v and u
• Idea: For v to decide whether u is Sybil
  • Compute (v,u)-SPs
  • Detect the attack edges
  • Judge whether the (v,u)-SPs have passed the attack edges
(Figure: a shortest path from v in the honest cluster to u in the Sybil cluster.)
SybilDetector: Algorithm
• Computes (v,u)-SPs
  • Use existing distributed shortest path computing algorithms
• Detect the attack edges
  • Compute the shortest path betweenness (SPB) of each edge
  • SPB of edge e: # of shortest paths that pass e
  • Attack edges have higher SPBs
  • e is an attack edge the SPB of e is high
• Judge whether the (v,u)-SPs have passed the attack edges
(Figure: a shortest path sp between v and u that crosses the attack edge ae; b(ae) = 18, b(e) = 8.)
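The three steps on this slide, as an added example that is not code from the slides or the cited paper. It computes SPBs centrally on a constructed eight-node graph instead of with a distributed shortest-path algorithm, and the fixed SPB threshold used to flag attack edges is an assumed decision rule.

```python
from collections import deque
from itertools import combinations

# Constructed topology: honest clique 0-3, Sybil clique 4-7, one attack edge (3, 4).
ADJ = {0: [1, 2, 3], 1: [0, 2, 3], 2: [0, 1, 3], 3: [0, 1, 2, 4],
       4: [3, 5, 6, 7], 5: [4, 6, 7], 6: [4, 5, 7], 7: [4, 5, 6]}

def shortest_paths(adj, s, t):
    """Every shortest s-t path: BFS distances from s, then backtrack from t."""
    dist, queue = {s: 0}, deque([s])
    while queue:
        x = queue.popleft()
        for y in adj[x]:
            if y not in dist:
                dist[y] = dist[x] + 1
                queue.append(y)

    def back(node):
        if node == s:
            return [[s]]
        return [p + [node] for prev in adj[node]
                if dist.get(prev) == dist[node] - 1 for p in back(prev)]

    return back(t) if t in dist else []

def edges_of(path):
    return [frozenset(e) for e in zip(path, path[1:])]

def spb(adj):
    """SPB of each edge: number of shortest paths, over all node pairs, that pass it."""
    counts = {}
    for s, t in combinations(sorted(adj), 2):
        for path in shortest_paths(adj, s, t):
            for e in edges_of(path):
                counts[e] = counts.get(e, 0) + 1
    return counts

def suspected_attack_edges(adj, threshold):
    # Assumed decision rule: an edge is suspected when its SPB exceeds the threshold.
    return {e for e, b in spb(adj).items() if b > threshold}

def is_sybil(adj, v, u, threshold):
    """v judges u Sybil when a (v,u) shortest path passes a suspected attack edge."""
    suspects = suspected_attack_edges(adj, threshold)
    return any(e in suspects
               for p in shortest_paths(adj, v, u) for e in edges_of(p))

if __name__ == "__main__":
    for edge, b in sorted(spb(ADJ).items(), key=lambda kv: -kv[1])[:3]:
        print(sorted(edge), b)
    print("0 judges 6 Sybil:", is_sybil(ADJ, 0, 6, threshold=10))
```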
Evaluation
• Performance metric
  • Sybil accept rate (sar): the probability that honest nodes regard Sybil nodes as honest
• Objective
  • Does SybilDetector have better accuracy than previous SSD algorithms? Compare the performance of SybilDetector with that of SybilLimit
  • How will the performance of SybilDetector be affected by g (# of attack edges) and snn (# of Sybil nodes)?
Network Configuration
• Create the honest region: A real world network topology
• Create the Sybil region: synthetic network topologies
• Connect the two regions with attack edges
(Figure: honest region and Sybil cluster joined by attack edges.)
Change of SAR as the Number of Attack Edges in the System Increases
• SAR increases with g
  • The SPBs of attack edges decrease
  • Fewer Sybil nodes are detected
• SAR(SybilDetector) << SAR(SybilLimit)
  • 50x improvement
(Figure callouts: 50x decrease in SAR; 10x decrease in SAR.)
Change of SAR as the Number of Sybil Nodes in the System Increases
• As snn increases, SAR of SD decreases
  • The SPBs of attack edges increase
  • More Sybil nodes are detected
• SAR(SybilDetector) << SAR(SybilLimit)
  • 4x~180x improvement
(Figure callouts: 4x decrease in SAR; 180x decrease in SAR.)
Conclusion
• Sybil attack is a critical threat to decentralized DCSs
• Objective: enable each honest node to detect Sybil nodes
• Proposed SybilDetector, a Sybil resisting algorithm
• Remarkably (4x~180x in the simulation) decreased sar, compared with the representative existing solution
Publication
Ling Xu, Satayapiwat Chainan, Hiroyuki Takizawa, Hiroaki Kobayashi: “Resisting Sybil Attack By Social Network and Network Clustering”, saint, pp.15-21, 2010 10th IEEE/IPSJ International Symposium on Applications and the Internet, 2010.
Introduction: Background (1)
• Accuracy of SSD algorithms can be improved by detecting attack edges
• Definition
  • Edge betweenness metric (EBM): a metric that measures the extent to which an edge lies on paths between node pairs. Example: shortest path edge betweenness (SPEB)
  • Detecting property: for an EBM, if the metric values of attack edges are notably higher than those of non-attack edges, this EBM satisfies the detecting property. Example: shortest path edge betweenness (SPEB)
• Design an AED algorithm
  • Design an EBM that satisfies the detecting property
  • Securely compute the metric values of edges in a distributed manner.
Introduction: Background (2)
• In authorized DCSs, SPB-AED can detect the attack edges
• Problem: an AED algorithm for unauthorized DCSs is needed
  • Need an EBM that
    • satisfies the detecting property
    • can be securely computed in a distributed manner
  • No such EBM is known
    • Only SPEB is known to satisfy the detecting property
• Objective: design an attack edge detecting algorithm for unauthorized DCSs
  • For each honest node v, v judges whether a certain incident edge is an attack edge
Approach
• For each honest node v, v judges whether a certain incident edge e is an attack edge
  • Determine the detecting metric
  • Computes the RWEB of each incident edge
  • The probability that e is an attack edge is proportional to the RWEB of e
Related Work
• Random walk edge betweenness (RWEB)
  • Each pair of nodes disseminates an absorbing random walk (ARW) to each other
  • RWEB of edge e: RWEB of e is the PURE number of random walks that pass e
  • RWEB has some good properties, but whether RWEB is a detecting metric is unknown
(Figure: a (v,u)-SP and a (v,u)-ARW between v and u; for the marked edge e, RWEB(e) = 0.)
Determine Detecting Metric
• Conjecture: RWEB is a candidate detecting metric
  • RWEB may satisfy the detecting property
    • ARWs between nodes of different types must pass the attack edges
  • Computing RWEBs in unauthorized DCSs is possible
    • Sybil nodes have less influence on random walk paths than on shortest paths → it is easier to compute RWEBs than to compute SPEBs
(Figure: two panels, each showing clusters C1 and C2 with the labels a, b and c.)
Compute RWEBs Securely: Basic RSC
• Basic RSC (for node v)
  • For each node u, disseminates one (v,u)-ARW
  • For each incident edge e, calculate RWEB(e) by counting the # of times that e is passed by ARWs
(Figure: a (v,u)-SP and a (v,u)-ARW between v and u.)
Compute RWEBs Securely: Resist Attacks
• Attacks on basic RSC: Sybil nodes can reduce the RWEBs of attack edges
  • Let ae=(v,u) be an attack edge. v is honest and u is Sybil.
  • On receiving an ARW, arw, from v, u simply relays arw back to v.
• Solution [Distance Limitation (DL)]: for each (s,t)-ARW, arw, s rejects t if arw has moved M steps
• Fact: under DL, Sybil nodes should not launch attacks
  • If t is Sybil, launching attacks makes t be rejected
  • If t is honest, launching attacks increases RWEBs of attack edges
• Fact: under DL, if s and t are honest, Pr(s rejects t) is low
  • M steps is sufficient for arw to reach t
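How distance limitation turns the relay behaviour into a rejection, as an added simulation that is not code from the slides. The eight-node topology, the step limit M = 2000, the fixed random seed and the choice of node 4 as the relaying Sybil node are assumptions; RWEB counting itself is left out.

```python
import random

# Constructed topology: honest clique 0-3, Sybil clique 4-7, attack edge (3, 4).
ADJ = {0: [1, 2, 3], 1: [0, 2, 3], 2: [0, 1, 3], 3: [0, 1, 2, 4],
       4: [3, 5, 6, 7], 5: [4, 6, 7], 6: [4, 5, 7], 7: [4, 5, 6]}
HONEST_END, SYBIL_END = 3, 4   # endpoints of the attack edge

def arw_absorbed(s, t, max_steps, rng, relay_attack):
    """Run one (s,t)-ARW; True if it is absorbed at t within max_steps (M)."""
    prev, node = None, s
    for _ in range(max_steps):
        if relay_attack and node == SYBIL_END and prev == HONEST_END:
            nxt = HONEST_END   # Sybil endpoint relays the walk straight back
        else:
            nxt = rng.choice(ADJ[node])
        prev, node = node, nxt
        # A relaying Sybil endpoint never absorbs the walk, even as the target.
        if node == t and not (relay_attack and node == SYBIL_END):
            return True
    return False

def accepted_by(s, max_steps, relay_attack, seed=0):
    """Distance limitation: s rejects t when the (s,t)-ARW used up its M steps."""
    rng = random.Random(seed)
    return {t for t in ADJ
            if t != s and arw_absorbed(s, t, max_steps, rng, relay_attack)}

if __name__ == "__main__":
    print("no relaying:", sorted(accepted_by(0, 2000, relay_attack=False)))
    print("relaying   :", sorted(accepted_by(0, 2000, relay_attack=True)))
```

Without relaying, every target is reached within M steps; with relaying, no walk gets past node 4, so every Sybil target is rejected while the honest targets are still accepted.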
Evaluation
• Metric
  • Attack edge betweenness (aeb): Average RWEB of attack edges
  • Honest edge betweenness (heb): Average RWEB of honest edges
• Network
  • Create the honest region: A real world network topology
  • Create the Sybil region: synthetic network topologies
  • Connect the two regions with attack edges
(Figure: honest region and Sybil cluster joined by attack edges.)
Application of RSC
• Example: use RSC to construct accurate SSD algorithms
• SOHL (An existing SSD algorithm for unauthorized DCSs)
  • Use probing random walks (PRWs) as constructing component
    • A PRW: a message packet that moves in a random walk manner for a short distance
    • PRWs have a low escape rate
  • Algorithm: each node v
    • disseminates a large number of PRWs
    • regards the ending nodes of the PRWs as honest nodes
    • regards other nodes as Sybil nodes
  • Performance of SOHL is proportional to the escape rate of probing random walks
Application of RSC (continued)
• Example: use RSC to construct accurate SSD algorithms for unauthorized DCSs
• Idea
  • Reduce the escape rate of probing random walks: reduce the probability that probing random walks pass the edges of high betweenness
  • Call the new algorithm RSSR
Performance Comparison: SOHL & RSSR
• As g increases, SAR increases
  • Average betweenness of attack edges decreases
  • Escape rate increases
  • More Sybil nodes are accepted
• SAR(RSSR) << SAR(SOHL)
  • Attack edges can be effectively detected
(Figure callouts: 28x decrease in SAR; 3x decrease in SAR.)
Conclusion
• Problem: there is no attack edge detecting algorithm for unauthorized DCSs
• Contribution:
  • RSC, an attack edge detecting algorithm for unauthorized DCSs
    • Use RWEB to detect attack edges
    • Securely compute RWEBs of edges in a distributed manner
  • Provides an example to show how RSC can be used to construct accurate unauthorized SSD algorithms
Conclusion
• FRA and SA are security threats to DCSs
  • Existing solutions to FRA (Quiz) are impractical
  • Existing solutions to SA (SSD) are not accurate
• Objective: design more effective mechanisms to resist FRA and SA
• Contributions
  • Designed MSC: practical algorithms that enable the host to detect malicious workers
  • Designed SybilDetector: accurate SSD algorithm for authorized DCSs
  • Designed RSC: attack edge detecting algorithm, which can be used to construct accurate SSD algorithms for unauthorized DCSs
  • Validated the power of attack edge detecting