
Security Mechanisms for Distributed Computing Systems

2011/12/15. Security Mechanisms for Distributed Computing Systems. A9ID1007, Xu Ling Kobayashi Laboratory GSIS, TOHOKU UNIVERSITY. Background. Distributed computing systems (DCSs) Definition: A system where nodes share their computing power with each other to finish certain goals


Presentation Transcript


  1. 2011/12/15 Security Mechanisms for Distributed Computing Systems A9ID1007, Xu Ling Kobayashi Laboratory GSIS, TOHOKU UNIVERSITY

  2. Background • Distributed computing systems (DCSs) • Definition: A system where nodes share their computing power with each other to finish certain goals • Example: • P2P systems (Skype), • volunteer computing systems (SETI@home), • Grid, • Ad hoc systems • …

  3. Background: Example DCS • Volunteer computing system • Host nodes dispatch tasks to workers. • Workers compute the tasks and return results to host nodes. [Diagram: hosts send 1*1=?, 1+2=?, 1+1=? and 1*2=? to workers; the workers return 1*1=1, 1+2=3, 1+1=2 and 1*2=2.]

  4. Background: False Result Attack (1) • False result attack: Malicious nodes deliberately send incorrect data to honest nodes [Diagram: hosts send 1*1=?, 1+2=?, 1+1=? and 1*2=? to workers; honest workers return 1*1=1 and 1+2=3, malicious workers return 1+1=100 and 1*2=100.]

  5. Background: False Result Attack (2) • False result attack (definition): • One host node and multiple workers. • The host dispatches tasks to workers. Workers compute tasks and return results to the host. • Malicious workers return incorrect results to the host. [Diagram: the host sends 1+1=? to three workers; two workers return 1+1=2 and the malicious worker returns 1+1=100.]

  6. Background: Existing Solution to FRA • Existing solutions: Enable the host to distinguish malicious workers • Quiz-based solutions • The host dispatches multiple tasks to each worker v • These tasks contain some special tasks called quizzes • The host checks the correctness of the answers of quizzes • Node v is honest only if the answers of the quizzes returned by v are correct • Problem: • A quiz should satisfy: the correctness of the answer of a quiz should be easy to check • Unpractical: How to generate quizzes that satisfy this property is an open problem. [Diagram: the host sends v the tasks 1+1=? and 1+2=? and the quiz 11*11=?; v returns 1+1=3, 1+2=3 and 11*11=3 (quiz); host: "11*11=121! v is malicious".]

  7. Background: Sybil Attack • Sybil attack (SA) • A few malicious users control many Sybil nodes (malicious nodes) to break the system protocol • Sybil nodes collude to break the system [Diagram: a malicious user controls several Sybil nodes, which return 1+1=100 and 1*1=100 to the hosts.]

  8. Example: Sybil Attack to DHT (1) • Routing via intermediate hops • Result is authenticated • Trade off table size versus routing hops [Diagram: nodes s and t, {IDt} messages along the hops, and {IP addr}PKt.]

  9. Example: Sybil Attack to DHT (2) • Attacker creates many pseudonyms • Disrupts routing or stabilization • Douceur, 2002: “without a logically centralized authority, Sybil attacks are always possible” [Diagram: nodes s and t and an {IDt} message.]

  10. Background: Existing Solution to SA (1) • Social network model based Sybil detecting (SSD) • Social network model: • Nodes of the same types are closely connected • # of attack edges is small [Diagram: an honest cluster and a Sybil cluster connected by attack edges.]

  11. Background: Existing Solution to SA (2) • Social network model based Sybil detecting (SSD) • Goal: For each honest node v, enable v to judge the types of other nodes • Assumption: The network topology of the DCS obeys SNM • Basic idea: • # of attack edges is small → communication between nodes of different types is weakened • It is easy for v to communicate with honest nodes • It is hard for v to communicate with Sybil nodes • → v can judge the types of other nodes

  12. Background: Existing Solution to SA (3) • Social network model based Sybil detecting (SSD) • Example SSD algorithm: SybilLimit • Probing random walk (PRW): a message packet that moves in a random walk manner for a short distance • Probing random walks have a low escape rate • Each node disseminates a certain number of PRWs • For v, node u is honest iff the PRWs of v and u intersect • Problem: the distinguishing accuracy is low • Sybil accept rate: Pr(honest nodes accept Sybil nodes) [Diagram: nodes u and v and the attack edges.]

  13. Objective • Problem • For FRA: existing solutions are unpractical (Quiz) • For SA: distinguishing accuracy is low (SSD alg.) • Objective: Design effective security mechanisms to resist FRA and SA on DCSs. • Design practical FRA resisting algorithms • Use no quiz • Pr(the host accurately distinguishes honest workers and malicious workers) • Design accurate SSD algorithms

  14. Objective: Approaches • Design practical FRA resisting algorithms • Replace quizzes with normal tasks • Design accurate SSD algorithms • Idea: detect the attack edges • Detect the attack edges • Detect Sybil nodes • Design AED-based SSD algorithm for authorized DCSs • Design AED algorithm for unauthorized DCSs [Diagram caption: completely separate nodes of different types; nodes u and v.]

  15. MSC: a Practical Spot Checking Mechanism for Resisting False Result Attack • Objective: enable the host to distinguish the types of workers without using quizzes. • Evaluation metric: reliability of workers • SybilDetector: an Attack Edge Detecting Based Sybil Detecting Algorithm • Objective: enable each honest node to distinguish the types of other nodes • Evaluation metric: Sybil accept rate • RSC: an Attack Edge Detecting Algorithm for Sybil Resisting • Objective: enable each honest node to judge whether a certain incident edge is an attack edge. • Evaluation metric: RWEBs of incident edges

  16. Organization • Introduction • MSC: a Practical Spot Checking Mechanism for Resisting False Result Attack • SybilDetector: an Attack Edge Detecting Based Sybil Detecting Algorithm • RSC: an Attack Edge Detecting Algorithm for Sybil Resisting • Conclusion [Diagrams: worker 1, worker 2, worker 3 and worker 4 (malicious), captioned "workers 1 are honest; worker 4 is malicious"; node v with edges e1 to v1 (honest nodes) and e2 to v2 (Sybil nodes), captioned "v1 is honest, v2 is Sybil" and "e1 is not AE, e2 is AE".]

  17. MSC: a Practical Spot Checking Mechanism for Resisting False Result Attack

  18. Introduction • Background (review) • False result attack (FRA) • Quiz • Goal: enable the host to detect malicious workers • Idea: • Use quizzes to detect malicious workers • The host checks the correctness of the answers of quizzes • Problem: how to generate quizzes that satisfy this property is an open problem. • Objective: Design an algorithm that enables the host to detect malicious workers without using quizzes [Diagram: the host sends v the tasks 1+1=? and 1+2=? and the quiz 11*11=?; v returns 1+1=3, 1+2=3 and 11*11=3 (quiz); host: "11*11=121! v is malicious".]

  19. Mutual Spot Checking: Idea • Use quizzes to detect malicious workers → use checking tasks (normal tasks) to detect malicious workers • The host checks the correctness of the answers of quizzes → workers check the correctness of the answers of checking tasks

  20. Mutual Spot Checking: Algorithm • The host: • Dispatches a task set to each worker. • For each pair of two workers, v and u, the task sets of v and u have some tasks in common (checking tasks) • Increases the reliabilities of v and u if v and u return equal answers to their checking tasks (made a match). • Using checking tasks (normal tasks) to detect malicious workers • The workers check the correctness of the checking tasks • Malicious workers make more mismatches → have lower reliabilities → be detected

  21. An example [Figure: the host gives peers A, B and C the task sets T1, T2 and T3, which share the checking tasks CT(a), CT(b) and CT(c); answers are marked as matching or mismatching. Plot "Reliability change of peers": reliability against running time for honest and malicious peers, with a reliability gap between them.]

  22. Change of Performance as the Number of Malicious Workers Increases • Pf: Percentage of malicious workers in the system • Number of malicious workers is small → honest workers have the highest reliabilities. • Number of malicious workers is large → conspirators have the highest reliabilities. • → Under collusion: MSC can detect malicious nodes when # of malicious nodes is small (< 50% of the system)

  23. Conclusion • Objective: an algorithm that enables the host to detect malicious workers without quizzes • MSC • Use normal tasks (checking task) to detect malicious workers • Let workers check the correctness of answers of quizzes • Evaluation • No collusion: Can detect all malicious workers • Under collusion: Can detect all malicious workers when malicious workers are less than half of the system • Publication: Ling Xu, Hiroyuki Takizawa, and Hiroaki Kobayashi: “A Reliability Model for Result Checking in Volunteer Computing”, Proceedings of DAS-P2P 2008 Workshop, pp.201-204, 2008.
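
An added example, not taken from the presentation: a minimal simulation of the MSC reliability bookkeeping described on slides 20 to 23. The worker behaviours, the task encoding, `checks_per_pair` and the `flagged` rule are assumptions made for illustration.

```python
from itertools import combinations

def answer(kind, worker_id, task):
    """Constructed worker behaviour for a task (a, b) whose true result is a + b."""
    a, b = task
    if kind == "honest":
        return a + b
    if kind == "colluder":
        return -1                   # all colluders agree on the same false result
    return -(worker_id + 2)         # independent malicious worker: its own false result

def msc(kinds, checks_per_pair=3):
    """Host side of MSC: every pair of workers shares checking tasks, and a
    match raises the reliability of both. The host never computes a + b itself."""
    reliability = [0] * len(kinds)
    next_task = 0
    for v, u in combinations(range(len(kinds)), 2):
        for _ in range(checks_per_pair):
            task = (next_task, next_task + 1)   # a normal task given to both v and u
            next_task += 1
            if answer(kinds[v], v, task) == answer(kinds[u], u, task):
                reliability[v] += 1
                reliability[u] += 1
    return reliability

def flagged(reliability):
    """Assumed decision rule: flag every worker below the top reliability."""
    top = max(reliability)
    return [w for w, r in enumerate(reliability) if r < top]

if __name__ == "__main__":
    for kinds in (["honest"] * 4 + ["independent"] * 2,
                  ["honest"] * 4 + ["colluder"] * 2,
                  ["honest"] * 2 + ["colluder"] * 4):
        rel = msc(kinds)
        print(kinds, rel, "flagged:", flagged(rel))
```

With four honest and two colluding workers the colluders end up with the lowest reliability; with two honest and four colluding workers the ranking inverts and the honest workers are flagged, which is the limit stated on slide 22.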

  24. SybilDetector: an Attack Edge Detecting Based Sybil Detecting Algorithm

  25. Introduction • Background (review) • Sybil attack • SSD algorithms • Objective: Enables each honest node to distinguish the types of other nodes • Idea: the attack edges weaken the communication between nodes of different types • Problem: Low distinguishing accuracy • Observation: detecting the attack edges plays an important role in designing accurate SSD algorithms • Objective: an accurate AED-based SSD algorithm for authorized DCSs [Diagram: nodes u and v.]

  26. SybilDetector: Idea • Observation • For node v, node u is Sybil → (v,u)-SP will pass the attack edges • (v,u)-SP: a shortest path between v and u • Idea: For v to decide whether u is Sybil • Compute (v,u)-SPs • Detect the attack edges • Judge whether the (v,u)-SPs have passed the attack edges [Diagram: v in the honest cluster and u in the Sybil cluster.]

  27. SybilDetector: Algorithm • Compute (v,u)-SPs • Use existing distributed shortest path computing algorithms • Detect the attack edges • Compute the shortest path betweenness (SPB) of each edge • SPB of edge e: # of shortest paths that pass e • Attack edges have higher SPBs • e is an attack edge → the SPB of e is high • Judge whether the (v,u)-SPs have passed the attack edges [Diagram: a (v,u) shortest path sp that crosses attack edge ae, and an ordinary edge e; b(ae) = 18, b(e) = 8.]

  28. Evaluation • Performance metric • Sybil accept rate (sar): the probability that honest nodes regard Sybil nodes to be honest • Objective • Does SybilDetector have better accuracy than previous SSD algorithms? → Compare the performance of SybilDetector with that of SybilLimit • How will the performance of SybilDetector be affected by g (# of attack edges) and snn (# of Sybil nodes)? [Diagram: honest cluster and Sybil cluster.]

  29. Network Configuration • Create the honest region: A real world network topology • Create the Sybil region: synthetic network topologies • Connect the two regions with attack edges [Diagram: honest region, honest cluster and Sybil cluster.]

  30. Change of SAR as the Number of Attack Edges in the System Increases • SAR increases with g • The SPBs of attack edges decrease • Fewer Sybil nodes are detected • SAR(SybilDetector)<<SAR(SybilLimit) • 50x improvement [Plot annotations: 50x decrease in SAR; 10x decrease in SAR.]

  31. Change of SAR as the Number of Sybil Nodes in the System Increases • As snn increases, SAR of SD decreases • The SPBs of attack edges increase • More Sybil nodes are detected • SAR(SybilDetector)<<SAR(SybilLimit) • 4x~180x improvement [Plot annotations: 4x decrease in SAR; 180x decrease in SAR.]

  32. Conclusion • Sybil attack is a critical threat to decentralized DCSs • Objective: enable each honest node to detect Sybil nodes • Proposed SybilDetector, a Sybil resisting algorithm • Remarkably (4x~180x in the simulation) decreased sar, compared with the representative existing solution • Publication: Ling Xu, Satayapiwat Chainan, Hiroyuki Takizawa, Hiroaki Kobayashi, “Resisting Sybil Attack By Social Network and Network Clustering,” saint, pp.15-21, 2010 10th IEEE/IPSJ International Symposium on Applications and the Internet, 2010
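
An added example, not taken from the presentation: the SybilDetector steps from slides 26 and 27 (shortest paths, SPB of each edge, then the path test) run centrally on a small constructed graph. The topology, the use of one BFS shortest path per node pair and the `factor` cutoff are assumptions; the slides call for a distributed shortest path algorithm and give no threshold.

```python
from collections import Counter, deque

# Constructed topology: honest clique 0-4, Sybil clique 5-9, one attack edge (4, 5).
ADJ = {n: {m for m in range(10) if m != n and m // 5 == n // 5} for n in range(10)}
ADJ[4].add(5)
ADJ[5].add(4)

def shortest_path_edges(adj, s):
    """BFS from s; return {t: edges on one shortest (s,t) path}."""
    parent, queue = {s: None}, deque([s])
    while queue:
        x = queue.popleft()
        for y in sorted(adj[x]):
            if y not in parent:
                parent[y] = x
                queue.append(y)
    paths = {}
    for t in parent:
        edges, node = [], t
        while parent[node] is not None:
            edges.append(frozenset((node, parent[node])))
            node = parent[node]
        paths[t] = edges
    return paths

def spb(adj):
    """Shortest path betweenness: number of (s,t) shortest paths that pass each edge."""
    counts = Counter()
    for s in adj:
        for t, edges in shortest_path_edges(adj, s).items():
            if s < t:                       # count each unordered pair once
                counts.update(edges)
    return counts

def judge(adj, v, factor=2.0):
    """v's view: u is Sybil iff the (v,u)-SP passes an edge with high SPB."""
    counts = spb(adj)
    cutoff = factor * sum(counts.values()) / len(counts)    # assumed threshold
    attack_edges = {e for e, c in counts.items() if c > cutoff}
    paths = shortest_path_edges(adj, v)
    sybil = {u for u, edges in paths.items() if attack_edges.intersection(edges)}
    return attack_edges, sybil

if __name__ == "__main__":
    edges, sybil = judge(ADJ, 0)
    print("edges judged to be attack edges:", [sorted(e) for e in edges])
    print("nodes that node 0 regards as Sybil:", sorted(sybil))
```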

  33. RSC: an Attack Edge Detecting Algorithm for Sybil Resisting

  34. Introduction: Background (1) • Accuracy of SSD algorithms can be improved by detecting attack edges • Definition • Edge betweenness metric: a metric that measures the extent to which an edge lies on paths between node pairs Example: shortest path edge betweenness (SPEB) • Detecting property: for an EBM, if the metric values of attack edges are notably higher than those of non-attack edges, this EBM satisfies the detecting property. Example: shortest path edge betweenness (SPEB) • Design an AED algorithm • Design an EBM that satisfies the detecting property • Securely compute the metric values of edges in a distributed manner.

  35. Introduction: Background (2) • In authorized DCSs, SPB-AED can detect the attack edges • Problem: an AED algorithm for unauthorized DCSs is needed • Need an EBM that • satisfies the detecting property • can be securely computed in a distributed manner • No such EBM is known • Only SPEB is known to satisfy the detecting property • Objective: design an attack edge detecting algorithm for unauthorized DCSs • For each honest node v, v judges whether a certain incident edge is an attack edge

  36. Approach • For each honest node v, v judges whether a certain incident edge e is an attack edge • Determine the detecting metric • Computes the RWEB of each incident edge • The probability that e is an attack edge is proportional to the RWEB of e

  37. Related Work • Random walk edge betweenness (RWEB) • Each pair of nodes disseminates an absorbing random walk (ARW) to each other • RWEB of edge e: RWEB of e is the PURE number of random walks that pass e • RWEB has some good properties, but whether RWEB is a detecting metric is unknown [Diagram: a (v,u)-SP and a (v,u)-ARW between v and u, and an edge e with RWEB(e) = 0.]

  38. Determine Detecting Metric • Conjecture: RWEB is a candidate detecting metric • RWEB may satisfy the detecting property • ARWs between nodes of different types must pass the attack edges • Computing RWEBs in unauthorized DCSs is possible • Sybil nodes have less influence on random walk paths than on shortest paths → It is easier to compute RWEBs than to compute SPEBs [Diagram: two panels showing clusters C1 and C2 and nodes a, b and c.]

  39. Compute RWEBs Securely: Basic RSC • Basic RSC (for node v) • For each node u, disseminates one (v,u)-ARW • For each incident edge e, calculate RWEB(e) by counting the # of times that e is passed by ARWs [Diagram: a (v,u)-SP and a (v,u)-ARW between v and u.]

  40. Compute RWEBs Securely: Resist Attacks • Attacks to basic RSC: Sybil nodes can reduce the RWEBs of attack edges • Let ae=(v,u) be an attack edge. v is honest and u is Sybil. • On receiving an ARW, arw, from v, u simply relays arw back to v. • Solution [Distance Limitation (DL)]: for each (s,t)-ARW, arw, s rejects t if arw has moved M steps • Fact: under DL, Sybil nodes should not launch attacks • If t is Sybil, launching attacks makes t be rejected • If t is honest, launching attacks increases RWEBs of attack edges • Fact: under DL, if s and t are honest, Pr(s rejects t) is low • M steps is sufficient for arw to reach t [Diagram: nodes v, u, s and t with messages m.]

  41. Evaluation • Metric • Attack edge betweenness (aeb): Average RWEB of attack edges • Honest edge betweenness (heb): Average RWEB of honest edges • Network • Create the honest region: A real world network topology • Create the Sybil region: synthetic network topologies • Connect the two regions with attack edges [Diagram: honest region, honest cluster and Sybil cluster.]

  42. RSC is able to detect the attack edges
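
An added example, not taken from the presentation: basic RSC with distance limitation (slides 39 and 40) simulated at one honest node, with and without the relay-back attack. The topology, the seed, `rounds`, the value of `M`, reading "PURE number" as the net number of crossings, and counting only ARWs that reach their target are all assumptions.

```python
import random
from collections import Counter

# Constructed topology: honest clique 0-4, Sybil clique 5-9, one attack edge (V, U).
V, U = 4, 5
NBRS = {n: [m for m in range(10) if m != n and m // 5 == n // 5] for n in range(10)}
NBRS[V].append(U)
NBRS[U].append(V)

def rsc(rounds=50, M=1000, bounce=False, seed=1):
    """Basic RSC run by honest node V with distance limitation M.

    Returns (net RWEB of each edge incident to V, keyed by neighbour;
             set of targets V rejected because their ARW used up M steps)."""
    rng = random.Random(seed)
    rweb, rejected = Counter(), set()
    for _ in range(rounds):
        for t in range(10):
            if t == V:
                continue
            net, pos, prev, steps = Counter(), V, None, 0
            while pos != t and steps < M:
                if bounce and pos == U and prev == V:
                    nxt = V                  # Sybil U relays the ARW straight back to V
                else:
                    nxt = rng.choice(NBRS[pos])
                if pos == V:
                    net[nxt] += 1            # ARW leaves V over edge (V, nxt)
                elif nxt == V:
                    net[pos] -= 1            # ARW returns to V over edge (V, pos)
                prev, pos, steps = pos, nxt, steps + 1
            if pos != t:
                rejected.add(t)              # DL: M steps used up, V rejects t
                continue
            for nb, c in net.items():        # only completed ARWs are counted
                rweb[nb] += c
    return dict(rweb), rejected

if __name__ == "__main__":
    for attack in (False, True):
        rweb, rejected = rsc(bounce=attack)
        print("relay-back attack" if attack else "no attack", rweb, sorted(rejected))
```

Without the attack, every ARW to a Sybil target adds a net crossing to edge (4, 5), so that edge stands out; with the relay-back attack its RWEB drops, but the ARWs to nodes 6 to 9 run out of steps and node 4 rejects those nodes.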

  43. Application of RSC • Example: use RSC to construct accurate SSD algorithms • SOHL (An existing SSD algorithm for unauthorized DCSs) • Use probing random walks (PRWs) as constructing component • A PRW: a message packet that moves in a random walk manner for a short distance • PRWs have a low escape rate • Algorithm: each node v • disseminates a large number of PRWs • regards the ending nodes of the PRWs as honest nodes • regards other nodes as Sybil nodes • Performance of SOHL is proportional to the escape rate of probing random walks [Diagram: nodes u and v and the attack edges.]

  44. Application of RSC (continued) • Example: use RSC to construct accurate SSD algorithms for unauthorized DCSs • Idea • Reduce the escape rate of probing random walks: Reduce the probability that probing random walks pass edges of high betweenness • Call the new algorithm RSSR [Diagram: nodes u and v and the attack edges.]

  45. Performance Comparison: SOHL & RSSR • As g increases, SAR increases • Average betweenness of attack edges decreases • Escape rate increases • Accept more Sybil nodes • SAR(RSSR) << SAR(SOHL) • Attack edges can be effectively detected [Plot annotations: 28x decrease in SAR; 3x decrease in SAR. Diagram: honest cluster and Sybil cluster.]

  46. Conclusion • Problem: there is no attack edge detecting algorithm for unauthorized DCSs • Contribution: • RSC, an attack edge detecting algorithm for unauthorized DCSs • Use RWEB to detect attack edges • Securely compute RWEBs of edges in a distributed manner • Provides an example to show how RSC can be used to construct accurate unauthorized SSD algorithms

  47. Conclusion

  48. Conclusion • FRA and SA are security threats to DCSs • Existing solutions to FRA (Quiz) are unpractical • Existing solutions to SA (SSD) are not accurate • Objective: design more effective mechanisms to resist FRA and SA • Contributions • Designed MSC: practical algorithms that enable the host to detect malicious workers • Designed SybilDetector: accurate SSD algorithm for authorized DCSs • Designed RSC: attack edge detecting algorithm, which can be used to construct accurate SSD algorithms for unauthorized DCSs • Validated the power of attack edge detecting
