Experimental Study

Experiments (via simulations) were carried out to evaluate five properties of PRN: 1. The iterative method for approximating Riconverges. In particular, for a reasonably

large value of t, the difference between ÝÑ

Rt and ÝÑ

Rt 1 gets very small.

2. A node having links from others with high reputations will have high reputation. 3. Receiving negative feedback from others with positive reputations will reduce the

node’s reputation.

4. A node with low or negative reputation has small (or zero) impact on others’ repu- tations.

5. Being resilient against Sybil manipulation.

3.3.4.1 Experiments Setup

The trust graph G used in all the experiments contains 49, 290 nodes. It is derived from the Epinion data-set [94], which has almost 500, 000 users ratings. An user in Epinion is rated for her reviews about certain topics. The edges in G have values in t
1, 1u. The

fraction of negative edges in G, denoted as rNEdges, varies from 0.1 to 0.5.

The attacker is introduced to the network as a new node. The distributions of nodes having link from (and similarly to) the new node, called the edge distributions, have the

0 500 1000 1500 2000 2500 3000 3500 4000

negRatio=0.1 negRatio=0.3 negRatio=0.5

New node’s rank

Ratio of negative edges

Rank of the new node in graphs with differen ratio of negative edges Edge distribution = (0.25, 0.25, 0.25, 0.25)

Edge distribution = (0.1, 0.4, 0.4, 0.1) Edge distribution = (0.5, 0.2, 0.2, 0.1) Edge distribution = (0.1, 0.2, 0.2, 0.5)

Figure 3.3.2: Ranks of the new node with 7 positive incoming edges

form of pd1, d2, d3, d4q. In particular, a fraction of d1 nodes are from the top 25% nodes

with highest ranks, d2 from the next 26
50%, d3 from the next 51
75% and d4 from

the set of nodes ranked in the bottom 25%. The fraction of negative edges in the set of edges coming to and from the attacker is rNEdges.

A simple Sybil strategy is implemented, in which the number of Sybils varies from 3 to 10. The strategy is the same as the one depicted in Figure 3.2.1b, except the attacker does not remove its links to other nodes, nor does it create a link to itself.

Finally, as in PageRank and CPR, the value of ǫ is 0.15.

3.3.4.2 Results and Analysis

First, the experiments suggest that the iterative method converges quickly (Property 1). Interestingly, the rate of convergence is slower than that of PageRank. However, as the number of iterations increases beyond 60, the differences between the subsequent runs become insignificantly small.

Figure 3.3.2 and 3.3.3 show the ranks of the new node having 7 and 15 incoming edges, while varying nEdges and the edge distribution. The attacker’s reputation is highest and lowest when the edge distribution is p0.5, 0.2, 0.2, 0.1qand p0.1, 0.2, 0.2, 0.5q respectively.

0 500 1000 1500 2000 2500 3000 3500 4000

negRatio=0.1 negRatio=0.3 negRatio=0.5

New node’s rank

Ratio of negative edges

Rank of the new node in graphs with differen ratio of negative edges Edge distribution = (0.25, 0.25, 0.25, 0.25)

Edge distribution = (0.1, 0.4, 0.4, 0.1) Edge distribution = (0.5, 0.2, 0.2, 0.1) Edge distribution = (0.1, 0.2, 0.2, 0.5)

Figure 3.3.3: Ranks of the new node with 15 positive incoming edges

100 1000 10000 100000

100 1000 10000 100000

New rank after having a new negative edge

Original rank

Effect of negative incoming edges to nodes’ rank Origin node rank = 3153 Origin node rank = 18516 Origin node rank (with negative score) = 49291

Figure 3.3.4: The effect of negative edges on reputations. rNEdges 0.1

are from nodes with low reputations. These results suggest that a node receiving positive feedback from other nodes with high reputations also have high reputation (Property 2). It is interesting to notice that the new node’s rank increases with rNEdges, and with the number of incoming edges. The possible explanations are as follows. First, as rNEdges increases, more nodes are assigned negative reputations, and the variance in reputation values decreases. Second, adding more positive incoming links increases the reputation value, which subsequently improves the rank.

Figure 3.3.4 illustrates the effect of negative feedback on reputations. In the experi- ments, negative edges come from the attacker whose rank is 3153, 18516 or 49291. The

1000 10000 100000 46000 36000 21000 6000 New rank Original rank

Effect of the Sybil attack on the modified PageRank, the graph with 10% of negative edges No Sybil

3 Sybils 7 Sybils 10 Sybils

Figure 3.3.5: Effect of Sybils in the graph having negative edges

1000 10000 100000 46000 36000 21000 6000 New rank Original rank

Effect of the Sybil attack on PageRank, the graph has no negative edges No Sybil

3 Sybils 7 Sybils 10 Sybils

Figure 3.3.6: Effect of Sybils in the graph having no negative edges

nodes receiving the negative edges have their original ranks shown in the x
axis. Their

new ranks, after the edges are added, are represented in the y
axis. It can be seen that

the attacker with a higher rank can bring the other’s reputations down more substantially (Property 3). The attacker negative reputation has no impact on the other’s reputations (Property 4). For example, the attacker whose rank is 3153 brings the rank of another node from 2342 down to 29289. With the rank of 18516, it reduces the rank of another node from 1834 down to 6044. With negative reputation (ranked 49291), however, the attacker has no impact on the reputations of others.

graph having negative edges, in comparison to the resilience of PageRank in the positive graph depicted in Figure 3.3.6. The attacker in PRN gains higher rank than in PageRank, with the same number of Sybils, which can be explained by the smaller variance in the reputation values produced by PRN. The attacker’s rank produced PRN differs to the one computed by PageRank by less than an order of magnitude. Therefore, the Sybil resilience of PRN can be considered as comparable with that of PageRank (Property 5).

3.3.5

Related Work and Discussion

In [45] and [108], the authors proposed methods to propagate trust and distrust in P2P- like environments. It has been argued earlier in Section 3.3 that it can be misleading to represent trust and distrust as real-valued edges in the trust graph. Instead, by considering the edges as representing negative and positive feedback, both [45] and [108] offered different approaches that integrate negative feedback into reputation metrics. In [45], negative feedback is converted to positive and a new graph is constructed in addition to the original graph. Two sets of reputation values are evaluated on the two graphs and then combined together. As discussed in [108], this approach may yield counter-intuitive results. In particular, it super-imposes the computation of negative reputations after the computation of positive reputations, therefore allows for a node with equally high numbers of positive and negative feedback to have disproportionately large impact on others. In [108], an Advogato-like function that takes into account both types of feedback is presented. This reputation function is asymmetric, and therefore is different from PRN which is symmetric.

As discussed in Section 3.3.2 and Section 3.3.3, the word negative does not impose that negative feedback should only be represented by negative numbers. Section 3.3.3 has argued that it is not straightforward to simply take a range p0, xq „ p0, 1s to represent

negative feedback, and then to use the PageRank function as it is. It would be interesting to investigate on modifying PageRank or other advanced reputation function that use a range of positive numbers to represent negative feedback.

The results from Section 3.3.4 are encouraging, but only preliminary. More experi- ments are needed to further validate the properties of PRN. It would also be interesting to examine PRN’s performance in undirected graphs, which could lead to exploring a combination of PRN and CPR. Finally, a more formal analysis is necessary to study mathematical properties of PRN, or at least to conclude whether the iterative method used to compute PRN reputations (Equation 3.3.2) does indeed converge.

CHAPTER 4

DETECTION OF MISBEHAVIOR IN P2P USING

TRUSTED PLATFORM MODULES

Feedback mechanisms rely on peers’ abilities to evaluate outcomes of their transactions with each other. This implies the need for a peer to be able to securely detect if an- other has misbehaved in the transaction. This chapter discusses how peers can achieve such capabilities using security devices. It considers two case studies that demonstrate how nodes can misbehave in different ways. The chapter starts with an overview of the challenges in detecting misbehavior in structured P2P, and outlines the two case studies. Section 4.2 introduces the Trusted Computing paradigm and Trusted Platform Modules (TPMs). The following sections present in detail new protocols for each case studies that allow an honest peer to tell if another peer has misbehaved. These protocols are results of collaborative efforts involving Mark Ryan and Tom Chothia. Finally, Section 4.5 discusses the related works and open issues.

4.1

Overview

Recall that the reputation model, described in Section 3.1.1, consists of T — the set of transactions — and a partial function Rt : T Ñ R returning the rating that a peer

receives for a given transaction. For a transaction t, Rtptqrepresents the feedback given to

that Rt can be readily implemented in P2P settings. However, this section argues that in structured P2P, the implementation of Rt is not always straightforward.

This thesis investigates the nature of transactions and the realization of Rt at two layers of abstraction: routing layer and application layer. As shown in Figure 2.3.1, the routing layer implements the lookup protocol and returns the root node of a given search key. The application layer consists of protocols specific to the application. Most existing P2P applications based on structured overlays use Chord, Pastry or Kademlia. Given a key k, these overlays use very similar functions to determine the root node of k. In Chord, rootpkq is the node closest on the right of k in the ID ring. In Pastry or Kademlia, the

root node is the one with closest numerical or XOR distance to k. When the correctness of rootpkq is the main concern, any of these overlays can be chosen to study, because the

results in one overlay can be translated to the results in another overlay. In fact, this and the following chapters (except for Chapter 7) assume that Chord is the underlying the overlay.

At the routing layer, a transaction involves a peer asking another to route its query for a key k. It is assumed in this thesis that the routing protocol always terminates, which means that it is always possible to define the transaction’s outcome to be another node returned as the root node of k. The searching peer then gives ratings to other peers in the routing path. If the returned node is the correct destination node of k, positive feedback is given. Otherwise, the peers in the routing path are considered as having misbehaved, and are given negative feedback. However, detecting such misbehavior, or in other words verifying if the returned node is the correct root node, is difficult because peers do not have full knowledge of which nodes currently in the network. Furthermore, adversarial nodes might collude to impersonate the destination node.

At the application layer, a marketplace application based on structured P2P is con- sidered. In such a system, a seller publishes its offer for an item k to a listing node that is in fact the root node of k. A transaction involves a buyer finding the offers for a par- ticular item at the listing node. The transaction’s outcome is a list of offers for the items

that have been published by the sellers. It is difficult to verify if the list is complete, because the listing node has total control over the offers and can decide not to report them. If the list returned to the buyer is incomplete, the listing node is considered as having misbehaved, and negative feedback is given accordingly.

The main focus of this thesis is on protocols that make the misbehavior mentioned above detectable by honest peers. This chapter presents protocols based on Trusted Platform Modules (TPMs). At the routing layer, the TPMs are used for guaranteeing the freshness of the neighbor information. At the application layer, the TPMs are used for building undeniable histories of transactions that can be verified by the buyer. More efficient protocols using a new type of secure hardware are discussed in Chapter 5.

4.2

Trusted Computing and Trusted Platform