1 / 40

The Sociology of Sybils: Understanding Social Network-based Sybil Defenses

The Sociology of Sybils: Understanding Social Network-based Sybil Defenses. Krishna P. Gummadi Networked Systems Research Group MPI-SWS. Sybil attack. A fundamental problem in distributed systems Attacker creates many fake/sybil identities Many cases of real world attacks : Digg, Youtube.

tracey
Télécharger la présentation

The Sociology of Sybils: Understanding Social Network-based Sybil Defenses

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Sociology of Sybils:Understanding Social Network-based Sybil Defenses Krishna P. Gummadi Networked Systems Research Group MPI-SWS

  2. Sybil attack • A fundamental problem in distributed systems • Attacker creates many fake/sybil identities • Many cases of real world attacks : Digg, Youtube Automated sybil attack on Youtube for $147!

  3. Sybil defense • Using a trusted central authority • Tie identities to actual human beings • Not always desirable • Can be hard to find such authority • Sensitive info may scare away users • Potential bottleneck and target of attack • Hard without a trusted central authority • Impossible unless using special assumptions [Douceur ’02] • Resource challenges using CPU, b.w., memory are not sufficient • Adversary can have much more resources than typical user • Need some resource that is hard to obtain in abundance • Links in a social network?

  4. Sybil nodes Leveraging social networks:Basic insight • Resource Constraint • Bound on number of trust relationships between attackers and honest nodes • Attacker cannot create arbitrarily large # of edges between honest nodes and Sybil identities • Assumption: edges represent mutual trust • E.g., colleagues, relatives in real-world • Not online friends! honest nodes

  5. Several proposals to leverage social nets • All rely on detecting the topological features resulting from the resource constraint • SybilGuard [Sigcomm ’06] • SybilLimit [Oakland S&P ’08] • Ostra [NSDI ’08] • SybilInfer [NDSS ’09] • SumUp [NSDI ’09] • Whanau [NSDI ’10] • MobId [INFOCOM ’10]

  6. sybil nodes Example: SybilGuard The sub-graph of honest nodes is fast mixing Disproportionally small cut separating honest and Sybil nodes honest nodes Cannot search for such a cut using brute-force

  7. How SybilGuard works:Random walk intersection • Verifier accepts a suspect if the two routes intersect • W.h.p., verifier’s route stays within honest region • W.h.p., routes from two honest nodes intersect • # of accepted Sybils < g*w • g: # of attack edges • w: random walk length Verifier Suspect honest nodes sybil nodes Random walk length w:

  8. Another example: SumUp • A Sybil resilient vote aggregator • A central party collects all votes and the social graph • Goal: extract a subset of votes • include at most a few votes from Sybils • include most votes from honest users

  9. Step 1: Designate a vote collector

  10. Step 2: Use max-flow to collect votes

  11. Step 2: Use max-flow to collect votes

  12. Step 3: Assign appropriate link capacities

  13. Summary: Sybil defense schemes • A number of Sybil schemes already proposed • More with each passing conference • All schemes rely on two common assumptions • Honest nodes: they are fast mixing • Sybils: they do not mix quickly with honest nodes • But, each relies on its own graph analysis algorithm • E.g., back-traceable random walk intersection, bayesian inference from modified random walks, max-flow between nodes, betweenness centrality of nodes

  14. Problem with state of the art • Fast mixing assumption provides little insight • Into how the schemes work • Or what structural properties affect their effectiveness • Neither does the evaluation of the Sybil algorithms • Lots of sensitive parameters that impact results • Each scheme evaluated on different data sets • Each scheme performs differently on different data sets • Evaluations assume different adversarial models

  15. Rest of the talk • Investigate several unanswered questions: • How do the different schemes compare against each other? • Do they all find Sybils similarly? • What types of network structures are vulnerable to Sybil attacks? • How prevalent are such structures in real-world social networks? • And discuss their implications

  16. Results summary • How do the different schemes compare against each other? • Do they all find Sybils similarly? • All Sybil schemes work by detecting tightly-knit node communities • What types of network structures are vulnerable to Sybil attacks? • When all honest nodes do not form a single cohesive community • How prevalent are such structures in real-world social networks? • Very prevalent! Real-world social communities have bounded size

  17. Communities in social networks • Group of users more densely connected than overall graph

  18. Results summary • How do the different schemes compare against each other? • Do they all find Sybils similarly? • All Sybil schemes work by detecting tightly-knit node communities • What types of network structures are vulnerable to Sybil attacks? • When all honest nodes do not form a single cohesive community • How prevalent are such structures in real-world social networks? • Very prevalent! Real-world social communities have bounded size

  19. How Sybil defense schemes work • At their core, Sybil schemes partition the network • Into Sybils and non-Sybils • Partitioning algorithms can be viewed as ranking nodes • With a sliding cutoff determined by parameters

  20. How Sybil defense schemes work • Ranking is independent of an algorithm’s parameters • Changing parameters yields different partitions

  21. Comparing Sybil defense schemes • Compare their node rankings at different partitionings • How do the partitions formed by the first k nodes compare • Metric: Mutual information [Strehl ’02] • Varies between 0 and 1 • 0 => no correlation between the partitionings • 1 => perfect match

  22. Comparing Sybil defense schemes • All Sybil schemes rank nodes in the local community before others • No correlation between rankings within or outside local community Toy topology with two well defined communities

  23. Comparing Sybil defense schemes • Using a Facebook subgraph • Nodes from local community ranked before others • Little correlation between rankings within & outside the community

  24. Comparing Sybil defense schemes • Using an Astrophysicist network • Nodes from local community ranked before others • Little correlation between rankings within & outside the community

  25. Summary: Comparing Sybil defense schemes • All node rankings are biased towards decreasing conductance • When multiple nodes are similarly well connected, their orderings can vary in different schemes • Nodes in cohesive clusters around reference node are ranked before others in all schemes • Sybil defense schemes are effectively detecting communities!

  26. Rest of the talk • Investigate several unanswered questions: • How do the different schemes compare against each other? • Do they all find Sybils similarly? • All Sybil schemes work by detecting tightly-knit node communities • What types of network structures are vulnerable to Sybil attacks? • How prevalent are such structures in real-world social networks? • And discuss their implications

  27. What networks are vulnerable to Sybil attacks? • When non-Sybils are divided into multiple communities • Cannot tell apart Sybils & non-Sybils in a distant community • Attackers can launch very effective targeted attacks

  28. Do non-Sybils form multiple communities? • Some real-world social networks have high modularity • They exhibit well defined community structures

  29. Are networks with stronger community structures more vulnerable? • Yes! Networks with higher modularity are more susceptible to attacks • Independent of the Sybil defense scheme used

  30. Rest of the talk • Investigate several unanswered questions: • How do the different schemes compare against each other? • Do they all find Sybils similarly? • All Sybil schemes work by detecting tightly-knit node communities • What types of network structures are vulnerable to Sybil attacks? • When all honest nodes do not form a single cohesive community • How prevalent are such structures in real-world social networks? • And discuss their implications

  31. How often do non-Sybils form one cohesive community? • Traditional methodology: • Analyze several real-world social network graphs • Generalize the results to the universe of social networks • A more scientific method: • Leverage insights from sociological theories on communities • Test if their predictions hold in online social networks • And then generalize the findings

  32. Group attachment theory • Explains how humans join and relate to groups • Common-identity based groups • Membership based on self interest or ideology • E.g., NRA, Greenpeace, and PETA • Tend to be loosely-knit and less cohesive • Common-bond based groups • Membership based on inter-personal ties, e.g., family or kinship • Tend to form tightly-knit communities within the network

  33. Dunbar’s theory • Limits the # of stable social relationships a user can have • To less than a couple of hundred • Linked to size of neo-cortex region of the brain • Observed throughout history since hunter-gatherer societies • Also observed repeatedly in studies of OSN user activity • Users might have a large number of contacts • But, regularly interact with less than a couple of hundred of them • Limits the size of cohesive common-bond based groups

  34. Prediction and implication • Strongly cohesive communities in real-world social networks will be necessarily small • No larger than a few hundred nodes! • If true, it imposes a limit on the number of non-Sybils we can detect with high accuracy • Will be problematic as social networks grow large

  35. Verifying the prediction • In all networks, groups larger than a few 100 nodes do not remain cohesive • Small cohesive groups tend to be family and alumni groups • Large groups are often on abstract topics like music or politics Real-world data sets analyzed

  36. Rest of the talk • Investigate several unanswered questions: • How do the different schemes compare against each other? • Do they all find Sybils similarly? • All Sybil schemes work by detecting tightly-knit node communities • What types of network structures are vulnerable to Sybil attacks? • When all honest nodes do not form a single cohesive community • How prevalent are such structures in real-world social networks? • Very prevalent! Real-world social communities have bounded size • And discuss their implications

  37. Implications • Fundamental limits on social network-based Sybil defenses • Can reliably identify only a limited number of honest nodes • In large networks, limits interactions to a small subset of honest nodes • Might still be useful in certain scenarios, e.g., white listing email from friends • Social network-based Sybil defense is a misnomer!

  38. Future directions • Leverage information beyond social network structure • E.g., inter-user activity can reveal the strength of ties and help eliminate links to Sybils • Move towards Sybil tolerance • Rather than preventing users from creating multiple identities • Focus on limiting privileges

  39. Summary • We discussed social network-based Sybil defenses • Lots of proposed schemes, but little understanding • Of how they compare with each other • Or what structural properties impact them • Or how well they would work in real-world social networks • We found that Sybil schemes • Work by effectively detecting communities • Are vulnerable in networks with well defined community structures • Can find only a limited number of trustworthy nodes in real-world • Our findings suggest that we need to move beyond using only the social network to defend against Sybil attacks

  40. Thanks! Questions? • Acknowledgements: • Joint work with Bimal Viswanath, Ansley Post, and Alan Mislove • Thanks to Haifeng Yu and Nguyen Tran for illustrations of SybilGuard and SumUp Sybil defense schemes

More Related