can incentives overcome malicious behavior in p2p network

Can incentives overcome malicious behavior in p2p network?

A. M. Anisul HuqHelsinki University of Technology

[email protected]

AbstractIn recent times, the growth in the number of subscribers ofpeer to peer networks has been phenomenal. Anonymity be-ing a character of such networks also gave rise to the numberof free-riders and malicious behaviors. Though free ridersconsume network bandwidth and decrease the network per-formance by displaying selfish behavior, they are not a seri-ous threat for the rest of the co-operative peers. Maliciouspeers on the other hand, spread viruses, worms, Trojans inthe network, provide misleading feedbacks and try to disruptthe existing trust among the peers. Along with a numberof reputation-based trust supporting frameworks various in-centive techniques are currently being formulated to restrainusers from such free riding and malicious activities. Some ofthese incentive procedures are heavyweight requiring a lot ofinformation among the peers, while others tend to be less re-source consuming and lightweight [15]. In this paper, wewill compare the effectiveness of these incentive measuresagainst malicious activities in peer to peer networks.

1 IntroductionThe earliest application of peer-to-peer (P2P) was for news-groups (USENET) and to exchange messages (FidoNet) [1].Then Napster emerged. With its free music sharing plat-form and subsequent battle with the big music corpora-tions brought the whole concept of P2P networks into lime-light. P2P networks are primarily used for sharing filesand more recently for distributed computations. But stud-ies have shown that the majority of file sharing users donot offer any files for upload, but only download from oth-ers [2,15,19,21,23]. Those who do share are doing it mostlyout of ignorance, for not even being aware of it. Or maybe they are indifferent about it, as their uplink bandwidthwould simply go unused otherwise and their own downloadservice quality does not suffer from uploads [15]. The pres-ence of malicious peers is further complicating matters andthis is the main concern of this paper. They pose a biggerthreat because their main goal is to destroy data [28] or dam-age the infrastructure by propagating worms in the system[29]. As all the systems in a p2p network run the same soft-ware, it is very easy for an attacker to compromise the wholenetwork by finding a single exploitable security hole in thatsoftware [16].

In order to address these two challenges, researchers haveproposed some sort of reputation-based trust mechanism.Some of these techniques use central servers, while others

are decentralized such as PeerTrust [28] or GossipTrust [29].While such protective measures go a long way in solving theproblems at hand, they are not enough. We firmly believethat, providing incentives for peers who share their resourcesare also necessary. These incentives may come in the formof digital cash [11] or it may be that, the service quality apeer receives at a given moment is directly related to theservice quality it provides [15]. The latter concept can beenvisioned as a sort of bartering approach. We focus our at-tention in comparing the performances of different incentivetechniques.

The rest of the article is organized as follows. Section 2looks at research works that have been done till date from an"incentive" point of view. In section 3 we try figure out theexact nature of the threat we are up against and also look atthe current practices that are implemented in order to deterthese attacks. In section 4 we comprehensively analyze theperformances of different incentive techniques that were ei-ther proposed or are currently in use. Section 5 tries to drawa conclusion in terms of incentive techniques and we roundoff by suggesting what needs to be done in this section.

2 Background and Related WorkA prominent feature of p2p network is anonymity. Butanonymous communication cannot be provided by thesender (or receiver) alone. The sender must rely on one ormore nodes that will cooperate to disguise its identity. Insuch systems a group of peers collectively obscure the iden-tity of a message initiator by forwarding the message ran-domly among themselves an arbitrary number of times be-fore sending it to its intended recipient and returning the re-cipient’s response along the reverse path. In such mecha-nisms, the message initiator is anonymous within the groupof collaborating peers. That is, from the recipient’s perspec-tive, all group members are equally likely to have initiatedthe message. Furthermore, peers who forward messages can-not distinguish between the true message initiator and an in-termediate peer along the forwarding path [13, 17, 18]. Animportant property of anonymous protocols is the degreeof anonymity they provide and their robustness to certaintypes of malicious attacks [13, 27]. These metrics are usu-ally monotonic in the number of peers in the group; havingmore peers confers a higher degree of anonymity and higherrobustness to attacks.

As mentioned in the previous section, p2p networks (itmaybe a file-sharing or an ad-hoc network) are now plaguedwith the problem of free-riders and malicious attackers. In-

TKK T-110.5190 Seminar on Internetworking 2009-04-27

troducing reputation-based trust mechanism may curve suchattitude. But according to Figueiredo et al. [11], such a sys-tem will expose its peers in order to identify free-riders andmalicious attackers. Hence, incentive mechanisms that donot require the identity disclosure of any peer must be im-plemented. The authors propose two payment based mech-anisms (namely, on-line and (off-line) ) that use digitalcash [11] to provide explicit incentives for cooperative peerswhile keeping them anonymous. They argue that, a systemthat does not provide explicit incentives will not be able tokeep a peer on-line after its anonymous communication hasfinished.

But according to Chun et al. [7], the presumption of hav-ing a widely accepted abstract currency (along with the re-quired infrastructure) from the very beginning will makethings complicated. They propose to develop a system that issimilar to the evolution of economics. Like early economics,they propose to start off with simple and robust bartering ofresources. They propose to use SHARP (secure highly avail-able resource peering) [5] as the core of this system becauseof its secure resource exchange protocols for bartering.

Mascolo et al. [15] on the other hand, have proposed anew incentive measure that is lightweight, dynamic, decen-tralized and also employs a stateless bartering ring architec-ture combined with a simple grouping algorithm. The keyidea is to make it expensive for peers not to cooperate. Forthis, the system is designed so that it is difficult to gather andprocess enough information in time to exploit free-loadingopportunities in an ever changing network. Additionally, thesystem’s inherent instant gratification mechanism providespeers who offer additional resources with a better service (e.g. increased bandwidth) in return.

3 Specific P2P Attacks and Defenses

There have been basically two types of attacks on the P2Pnetworks. In the first type, attackers target the data circulat-ing in the P2P networks, e. g. by corrupting it or makingit unavailable for other peers. In the other type, attack in-volves making the network as slower or inefficient as possi-ble. This sort of attack is generally done by exploiting theunder lying weakness of the routing protocol. Depending onthe attacker’s objective, he may choose to attack from anyone direction or from both [16].

Now, in many cases attacks of one type can trigger theother. For example, by corrupting files an attacker canprompt users to download more copies of a much sought af-ter file, thus slowing down the network. The opposite is alsotrue. In case of eclipse attacks networks are blocked (henceinefficient) making data inaccessible which is an objective ofthe first type of attack [16].

The possibility of attack is enormous in P2P networks. Wenow give an analysis of the most common type of attacksalong with the traditional defense mechanisms that are cur-rently employed against them.

3.1 Rational AttacksBy the term "rational" we indicate to those peers who willattempt to maximize their consumption of system resources(one may choose to call them "selfish") while minimizingthe use of their own. Research shows that a big portion ofthe peers are of this type [28]. Peers with limited bandwidthcapabilities are more prone to this tendency. Also in shar-ing copy right material a peer might find itself in legal prob-lems [12]. These are good enough reasons to motivate nodesin becoming "self-interested". If a large number of nodes be-have in this way, it will cause the overall performance of thenetwork to plummet.

3.1.1 Defenses

We believe properly designed incentive mechanisms can goa long way in solving the problem of rational attacks.

3.2 File CorruptionAs the name suggests this is an attack against data in theP2P network. The objective here is to replace a file in thenetwork with a false one. In order to attack in this manner,malicious nodes will falsely claim of owning a file, and upona request will respond with a corrupt file. Moreover, all mes-sages passing through malicious peer can be corrupted (sim-ilar to a man-in-the-middle attack) giving these files a highavailability [16]. Surprisingly, it is not only individuals or arouge group of peers that are involved in file corruption at-tacks. It has also been reported that, the music industry hasmassively dumped corrupt and fake contents into the P2Pnetworks [6, 14, 16].

3.2.1 Defenses

Though file corruption attacks sound pretty dangerous, Du-mitriu et al. [10] argue they do not pose a serious threat to theP2P networks. The main problem is that P2P applicationsoften run in the background. When a polluted file is down-loaded, it stays available for a while before it is checked bythe user and discarded. After a period of time, all pollutedfiles are eventually removed and the authentic files becomemore available then the corrupted ones.

3.3 Sybil AttackSybil is of the second type of attack that we mentioned atthe beginning of this section. It is about making the net-work cripple and inefficient. Generally, in a structured P2Pnetwork, user identifiers (IDs) uniquely identify participantendpoints (nodes). Such structure reduces search times bymapping content directly onto nodes based on IDs. For thisreason, the assignment and use of IDs is essential to correctoperation of the network [20]. Now, it is very much possi-ble that a single malicious peer can generate multiple shadowidentities and thus gain control over a part of the network [9].Once this has been accomplished, the attacker can gain ac-cess to certain files and may decide to corrupt those. If theattacker can position his false identities in a strategic way, thedamage can be considerable. He might choose to continue to


an eclipse attack, or slow down the network by rerouting allqueries in a wrong direction.

3.3.1 Defenses

Douceur et al. [9] have proven that, without a central trustedauthority, it is not possible to defend against Sybil attacks[9]. Maybe carefully configured reputation-based systemsmight slow the attack down, but it will not do much more.Because, once an attacker has generated legally validatedidentities, he can create and validate a lot more. Several pa-pers have proposed a centrally trusted authority as a solu-tion, as well as a complicated public-private key based pro-tocol [24]. While using this protocol, each peer must sign itsmessages, and respond to a challenge by the authority everynow and then. It is clear that an attacker simulating manyidentities would need enormous resources in order to be ableto answer all the challenges periodically submitted to each ofhis identities. While this certainly tries to solve the problem,it is unsatisfactory. It breaks the P2P model by reintroducinga centralized point of failure, which can easily be attacked.

3.4 Eclipse AttackIn an overlay network, each node maintains links to a rel-atively small set of peers called neighbors. All communi-cation within the overlay (it may be related to maintainingthe overlay or to application processing) occurs on theselinks [25]. The overlay network’s integrity depends on theability of correct nodes to communicate with each other overa sequence of overlay links. In an Eclipse attack [4, 25, 26]a modest number of malicious nodes conspire to fool cor-rect nodes into adopting the malicious nodes as their peers,with the goal of positioning themselves along strategic rout-ing paths of the P2P network. Once an attacker has done this,he can separate the network in more than one sub networks.After that, if a peer wants to communicate with a peer fromsome other sub network, its message must at a certain pointbe routed through one of the attacker’s nodes. The attackerthus "eclipses" each sub network from the others’ view [25].The follwing figure (see Figure 1) gives a clear idea of whathappens.

Figure 1: An Eclipse Attack: the malicious nodes have sep-arated the network in 2 subnetworks [16].

As we have said earlier, Eclipse attack is closely relatedto the Sybil attack [9, 25] and a successful Sybil attack canbe used to induce an Eclipse attack. However, Eclipse at-tacks are possible even in the presence of an effective defense

against Sybil attacks, such as certified node identities [4,25].If the P2P network is based on a decentralized overlay net-work then nodes will periodically discover new neighborsby consulting the neighbor sets of existing neighbors. Mali-cious nodes can exploit this by advertising neighbor sets thatconsist of only other malicious nodes. Thus, a small numberof malicious nodes with legitimate identities are sufficient tocarry out an Eclipse attack. Castro et al. identify the Eclipseattack as a threat in structured overlay networks [4].

3.4.1 Defenses

The method introduced in [24] can be used to prevent eclipseattack. According to this method, a node that mounts anEclipse attack must have a higher than average node degree.Singh et al. [24] argues that enforcing a node degree limit byauditing is an effective defense against Eclipse attacks.

4 Motivation for Comparison

All the authors mentioned in section 2, claim that their re-spective techniques do not cause too much overhead for theexisting peer-to-peer networks while at the same time keep-ing the malicious attackers at bay. But we have found thatthere is no existing system that currently employs either oneof these techniques. Hence we cannot present any empiricaldata to verify which approach does the best job. The bestthing to do is to compare these proposed methods and thencome up with our own conclusion.

5 Comparison

According to Mascolo et. al [15], the inherent mindset ofa peer is not to provide services such as uploading a file toother peers. The simplest way to change this view is to in-troduce an algorithm based on "bartering rings" where theservice quality a peer receives is directly related to the ser-vice quality it provides. The more a peer supplies to otherpeers, the more it should get back. Hence, the incentive forcooperation. The "bartering ring" principle is simple to im-plement when two peers are downloading directly from eachother and using a tit-for-tat (e.g. in BitTorrent [8]) strategy.Here, each peer monitors the service provided by the other.With three peers, all of them would download from one andupload to the other, as shown in figure 2 (see Figure 2)(form-ing a directional cycle). This structure can be extended forany number of peers.

Figure 2: Bartering Rings [15]


It should be mentioned that, this scheme provides instantgratification with no communication overhead. Because acooperative peer is rewarded immediately and communica-tion is done indirectly by increasing or decreasing the qualityof service.

According to authors of "bartering ring" [15], these rings(actually graphs) are built as a service layer on top of theexisting p2p network layer (sort of an overlay network). Thegraph shows how service is provided in the p2p network,with every directed edge representing one ongoing service.The graph uses the under lying p2p layer for routing andsearching purposes.

In this strategy, the peers do not optimize i.e. they cannotmaximize the total incoming service for the outgoing ser-vices they are providing. It is because a peer can be con-nected to more than one ring. Hence, incoming and outgoingservices can be the elements of more than one ring, makingit computationally hard for the peer to optimize. Instead theauthors [15] suggest peers to increase the service quality inall of their outgoing links until incoming services becomeacceptable. This strategy makes free loading unattractive asbeing cooperative results in instant gratification.

Chun et al.’s [7] proposed SHARP system uses tickets forrepresenting resources. Holder of a ticket has control overother peer’s resources for a particular time interval (calledterm). Each ticket is issued by the owner of the resource andis encrypted with its private key. Encryption ensures thatthe tickets are reputable and not forgeable. But a ticket doesnot guarantee the holder a firm control over the resources.It is because the owner may oversubscribe its resources byissuing more tickets than it can support in order to improveresource availability. Only when the owner returns a lease tothe holder that control is guaranteed. A lease can be renewedto allow the continuous use of the same resources. In orderto improve the cooperation among the peers, Chun et al. [7]proposes to use tit-for-tat [3] strategy. It is a simple enoughtechnique where resource exchange in a round is rewardedwith resource exchange in the next round and defection in agiven round is punished in the next round. The authors alsosuggest sharing P2P tit-for-tat history with friendly neigh-bors so that a peer has a lot more information at hand whenexchanging resources with unknown peers.

Now let’s look at the structure of the digital cash incen-tive strategy proposed by Figueiredo et al. [11]. It should bementioned that the detailed analysis of the concept and de-sign of digital cash is out of the scope of this review paper.A full description of digital cash system can be found in [22]and references therein. The key idea of this mechanism is toprovide the initiator of a message the ability to embed in eachmessage small anonymous payments destined to those peerswho forward the message along its path. For this, onion rout-ing is especially suitable and is used here [11]. Peers who de-sire service, can either join the system and accumulate cashby providing service to others, or can purchase service withan infusion of cash into the system. The authors argue thatthe overhead imposed by these mechanisms in terms of mes-sage latency are modest. The authors propose a publicly ac-cessible authority issuing digital cash, which can be called

Bank. It can be decentralized as long as there is a commoncurrency. However, in order to be used in a P2P network,the most important property of the digital cash mechanismmust be that, it conceals the relationship between a payerand its purchases from the Bank and the payee. Ideally wedo not want any information of the payer revealed as well.Also the authors propose to implement the digital cash con-cept entirely on software. Payments are made either off-lineor on-line. In case of on-line payment, each node must val-idate its payment with the bank in order to prevent doublespending of the same currency by the payer. The main dif-ference with on-line method is that, with off-line paymentnodes do not interact with the Bank when a payment is re-ceived. Instead, nodes accumulate payments and validatethem in batch at a later point e.g. when it is idle or aboutto leave the system. Most off-line payment schemes havea disincentive to double-spend by using cryptographic pay-ment protocols which disclose the identity of the payer onlyif a unit of currency is double-spent [22]. There is also achallenge-response interaction between the payer and payee.Here the payee issues a suitably encrypted challenge to thepayer so that payer does not double spend. Encryption keepsthe payer anonymous.

With digital cash based system, the main concern is withtime delays. Let us first consider, the on-line method.Figueiredo et al. [11] defined TL as the average round triptime from the message generator to the L-th mode in thepath, and TD as the average round trip time from node Lto destination D. Now if TB is the average time required byany node to interact with the bank then the average responsedelay will be at most:

TL+TD+TB

We are considering round-trip time because destination Dhas to send a response using the reverse path in the onionrouting.

Incase of off-line method, there is an additional roundtriptime for the challenge response. But TB is eliminated be-cause nodes do not interact with bank after every transaction.Hence the average response delay will be:

2TL + TD

The authors [11] argue that TB’s contribution to the over-all delay is negligible under the assumption that, bank inter-actions take place while waiting for destination D to reply tothe message. But we are not so convinced by this logic. Be-cause in the on-line method, every intermediate node withinthe path from source to destination has to interact with thebank right after every transaction. Hence a long route canhave considerable communication overhead due to TB .

Both Mascolo et al. [15] and Chun et al. [7] argue that,currencies are expensive to save, exchange and secure. Also,currencies tend to fluctuate by market mechanisms. Weagree with this view. But Chun et al.’s [7] "bartering" pro-posal has considerable communication overhead as it re-quires tickets and in some cases maintains history (optional).Encrypting the tickets also require considerable computa-tion. The authors [7] proposed a tit-for-tat [3] strategy for


incentives, which may work if the set of peers remain static.But in a large and dynamic environment, the system mayneed to keep a huge set of history for tit-for-tat [3] strategyto work and in turn may slow down the whole process.

On the other hand, "bartering ring" [15] does not have anycommunication or computational overhead giving it prefer-ence over other methods. Like the "digital cash" methods,identities of the peers also remain anonymous. So in everyway, "bartering ring" strategy should be preferred as an in-centive method.

6 ConclusionIn this paper we have tried to analyze three different ap-proaches toward incentives. In our analysis we have foundthat, incentive techniques might lure selfish peers into co-operating and hence improve the overall performance of thenetwork. But regretfully this is only an assumption, becausethere is no real world data to concur with or to disreputethis claim. However judging from the nature of the incentivemechanisms described above we can say with a great dealof certainty that these techniques are not sufficient to pre-vent malicious attackers. The off-line method does exposethe identity of the double spenders and in the on-line methodbank is there to verify transactions. But these measures arenot enough against malicious peers who want to destroy thep2p network structure for no reason what so ever. The queerthing is that they do not even care about any financial gains.In order to stop peers with such psyche, we have to imple-ment some sort of reputation based security mechanism (e.g. PeerTrust [28], GossipTrust [29] ) and in the process sac-rifice the anonymity property of the p2p network. This is atrade-off that the peers must accept as the threat posed bymalicious attackers are now more than ever.

References[1] A. Abimbola, Q. Shi, and M. Merabti. Using Intru-

sion Detection to Detect Malicious Peer-to-Peer Net-work Traffic.

[2] E. Adar and B. A. Huberman. Free Riding on Gnutella.Technical report, Xerox PARC, August 2000.

[3] R. Axelrod. The Evolution of Cooperation. BasicBooks, 1984.

[4] M. Castro, P. Druschel, A. Ganesh, A. Rowstron, andD. S. Wallach. Secure routing for structured peer-to-peer overlay networks. In USENIX Operating SystemDesign and Implementation(OSDI), Dec 2002.

[5] J. Chase, B. Chun, Y. Fu, S. Schwab, and A. Vahdat.Sharp: An architecture for secure resource peering.

[6] N. Christin, A. Weigend, and J. Chuang. Contentavailability, pollution and poisoning in peer-to-peer filesharing networks. In ACM E-Commerce Conference,2005.

[7] B. Chun, Y. Fu, and A. Vahdat. Bootstrapping aDistributed Computational Economy with Peer-to-PeerBartering . In Workshop on Economics of Peer-to-PeerSystems, June 2003.

[8] B. Cohen. Incentives Build Robustness in BitTorrent.In Workshop on Economics of Peer-to-Peer Systems,Jun 2003.

[9] J. R. Douceur. The Sybil Attack. In Electronic Pro-ceedings for the 1st International Workshop on Peer-to-Peer Systems, March 2002.

[10] D. Dumitriu, E. Knightly, A. Kuzmanovic, I. Stoica,and W. Zwaenepoel. Denial-of-service resilience inpeer-to-peer file sharing systems. In ACM SIGMET-RICS Performance Evaluation Review, volume 33,pages 38–49, June 2005.

[11] D. R. Figueiredo, J. K. Shapiro, and D. Towsley. In-centives for Cooperation in Anonymity Systems. Tech-nical Report 03-21, Department of Computer Science,University of Massachusetts at Amherst, June 2003.

[12] B. Horne, B. Pinkas, and T. Sander. Escrow ser-vices and incentives in peer-to-peer networks. In 3rdACM conference on Electronic Commerce, pages 85–94, 2001.

[13] B. N. Levine and C. Shields. Hordes: A protocol foranonymous communication over the internet. In ACMJournal of Computer Security, volume 10, 2002.

[14] J. Liang, R. Kumar, Y. Xi, and K. Ross. Pollution inp2p file sharing systems. In IEEE INFOCOM, 2005.

[15] C. Mascolo, T. Ackemann, and W. Emmerich.Lightweight Incentives for Peer-to-Peer Networks.

[16] B. Pretre and D. R. Wattenhofer. Attacks on Peer-to-Peer Networks, 2005.

[17] M. G. Reed, P. F. Syverson, and D. M. Goldschlag.Anonymous connections and onion routing. In IEEEJournal on Selected Areas in Communication SpecialIssue on Copyright and Privacy Protection, 1998.

[18] M. K. Reiter and A. D. Rubin. Crowds: anonymity forWeb transactions. In ACM Transactions on Informationand System Security, volume 1, pages 66–92, 1998.

[19] M. Ripeanu, I. Foster, , and A. Iamnitchi. Mappingthe gnutella network: Properties of large-scale peer-to-peer systems and implications for system design. InIEEE Internet Computing Journal, volume 6, 2002.

[20] H. Rowaihy, W. Enck, P. McDaniel, and T. L. Porta.Limiting Sybil Attacks in Structured P2P Networks.In INFOCOM 2007. 26th IEEE International Con-ference on Computer Communications. IEEE, pages2596–2600, May 2007.

[21] S. Saroiu, P. K. Gummadi, and S. D. Gribble. AMeasurement Study of Peer-to-Peer File Sharing Sys-tems. In Multimedia Computing and Networking 2002(MMCN ’02), San Jose, CA, USA, January 2002.


[22] B. Schneier. Applied Cryptography. John Wiley andSons, 2nd edition, 1996.

[23] S. Sen and J. Wong. Analyzing peer-to-peer trafficacross large networks. In Internet Measurement Work-shop 2002, November 2002.

[24] A. Singh, M. Castro, P. Druschel, and A. Rowstron.Defending against eclipse attacks on overlay networks.In ACM SIGOPS European workshop, 2004.

[25] A. Singh, T.-W. J. Ngan, P. Druschel, and D. S. Wal-lach. Eclipse Attacks on Overlay Networks: Threatsand Defenses.

[26] E. Sit and R. Morris. Security considerations for peer-to-peer distributed hash tables. In 1st InternationalWorkshop on Peer-to-Peer Systems (IPTPS), Mar 2002.

[27] M. Wright, M. Adler, B. N. Levine, and C. Shields. Ananalysis of the degradation of anonymous protocols. InProc. ISOC Network and Distributed System SecuritySymposium (NDSS 2002), February 2002.

[28] L. Xiong and L. Liu. PeerTrust: SupportingReputation-Based Trust for Peer-to-Peer ElectronicCommunities. In IEEE Transactions on Knowledgeand Data Engineering, volume 16, July 2004.

[29] R. Zhou, K. Hwang, and M. Cai. GossipTrust for FastReputation Aggregation in Peer-to-Peer Networks. InIEEE Transactions on Knowledge and Data Engineer-ing, volume 20, September 2008.

can incentives overcome malicious behavior in p2p network

Documents