Fun with Networks:

flangeeasyMobile - Wireless

Nov 21, 2013 (3 years and 9 months ago)

89 views

Fun with Networks:

Social, Sensor, and Shape
-
Shifting

Phillip B. Gibbons

Intel Research Pittsburgh


DISC’08 / Graal’08

September 24, 2008

Slides (except those borrowed from colleagues) are © Phillip B. Gibbons

Phillip B. Gibbons, DISC’08/Graal’08

3

Fun with Networks


Social Networks


SybilLimit: Defending against Sybil Attacks in P2P




Sensor Networks


Synopsis Diffusion: Robust in
-
network aggregation




Shape
-
Shifting Networks


Claytronics: Aggregation in programmable matter


Phillip B. Gibbons, DISC’08/Graal’08

4

Background: Sybil Attack


Sybil attack:

Single user assumes
many fake/sybil identities


Already observed in real
-
world
p2p systems



Sybil identities can
become a large fraction

of all identities


“Out
-
vote” honest users in
collaborative tasks

launch

sybil

attack

honest

malicious

Phillip B. Gibbons, DISC’08/Graal’08

5

Background:

Defending Against Sybil Attack


Using trusted central authority (TCA)


Ties identities to human beings


Not always desirable: who to trust, privacy, etc.


Practice: Gmail accounts





Much harder without a TCA [Douceur’02]


Resource challenges not sufficient


IP address
-
based approach not sufficient


Practice: Wikipedia IP blocking



Widely considered real & challenging


40 papers on sybil attacks, no distributed solution

Phillip B. Gibbons, DISC’08/Graal’08

6

SybilGuard/SybilLimit Basic Insight:

Leveraging Social Networks


Nodes = identities


Undirected edges =
strong mutual trust



E.g., colleagues,
relatives in real
-
world


Not online friends !

SybilGuard

[SIGCOMM’06, TON 2008],

SybilLimit

[Oakland’08]

(with Haifeng Yu*, Michael Kaminsky)

First to leverage
social networks

for thwarting


sybil attacks with provable guarantees

* Primary author

Phillip B. Gibbons, DISC’08/Graal’08

7

Attack Model

malicious

users

honest

nodes

Observation: Adversary cannot create extra attack edges

attack
edges


n

honest users: One identity/node each


Malicious users: Multiple identities
each (sybil nodes)

sybil

nodes

sybil nodes
may collude


the adversary

Attack edge: edge

between honest node

& sybil node

Phillip B. Gibbons, DISC’08/Graal’08

8

SybilGuard/SybilLimit Basic Insight

honest nodes

sybil nodes

Dis
-
proportionally

small cut
disconnecting a
large number of
identities


But cannot search
brute
-
force…

attack
edges

Phillip B. Gibbons, DISC’08/Graal’08

9

SybilLimit End Guarantees


Completely decentralized



Enables any given
verifier

node to decide
whether to
accept

any given
suspect

node


Accept: Provide service to / receive service from


Ideally: Accept and only accept honest nodes


unfortunately not possible



Bounds # of accepted sybil nodes (w.h.p.)



Accepts (1
-


)
n

honest nodes (w.h.p.)



n
n
O
log
/

per attack edge [up to

)
(log
n

attack edges]

We also prove that SybilLimit is away from optimal

)
(log
n
O
Phillip B. Gibbons, DISC’08/Graal’08

10

Example Application Scenarios

If # of sybil nodes
accepted is

Then applications
can do


< n/2

byzantine consensus

< n

majority voting

< n/c
for some constant

c

secure DHT
[Awerbuch’06,
Castro’02, Fiat’05]





Phillip B. Gibbons, DISC’08/Graal’08

11

Identity Registration


Each node (honest or sybil) has a
locally
generated

public/private key pair


“Identity”: V accepts S means


V accepts S’s public key
K
S


We do not assume/need PKI



Every suspect S “
registers

K
S

on
some
other nodes

Phillip B. Gibbons, DISC’08/Graal’08

12

Registration Goals


Ensure that sybil
nodes (collectively)
register only on
limited number of
honest nodes


Still provide enough
“registration
opportunities” for
honest nodes

sybil region

honest region

K
: registered keys of


sybil nodes

K

K

K

K

K

K

K

K

K

K

K

K

K

K

K

K

K
: registered keys of


honest nodes

Phillip B. Gibbons, DISC’08/Graal’08

13

Acceptance Criteria


Accept S only if
K
S

is register on
sufficiently many

honest nodes


Without knowing
where the honest
region is !


Circular design? We
can use
small cut

against adversary

K

K

K

K

K

K

K

K

K

K

K

K

K

K

K

K

sybil region

honest region

K
: registered keys of


sybil nodes

K
: registered keys of


honest nodes

Phillip B. Gibbons, DISC’08/Graal’08

14

)
(log
n


Take random “walks” of
w=

hops


Honest nodes: likely to remain in honest region
*


Sybil nodes: must cross an attack edge to reach
honest region

Key Idea

sybil region

honest region

K

K

K

K

K

K

K

K

K

K

K

K

K

K

K

K





Register key at


last hop of “walk”

*

w
= Social network’s


mixing time End up


at ~
random edge



in honest region

Phillip B. Gibbons, DISC’08/Graal’08

15

Random
1 to 1 mapping

between

incoming edge and outgoing edge

Random Route: Convergence

a


d

b


a

c


b

d


c

d


e

e


d

f


f

a

b

c

d

e

f

randomized

routing table

Using routing table gives
Convergence Property
:

Routes merge if crossing the same edge

Phillip B. Gibbons, DISC’08/Graal’08

16

Implication of Convergence


Claim:
There are at most
w

K’s per
attack edge


Proof: By the
Convergence

property


Regardless of whether sybil nodes follow protocol

honest

nodes

sybil

nodes

attack
edge

K

K

K

K

Route length
w

Use

independent instances of random routing



m

Phillip B. Gibbons, DISC’08/Graal’08

17

4. Is
K
S

registered?

Verification Procedure

V

S

1. request S’s set of tails

A

B

C

D

E

F

F

2. I have three tails


A

B;
C

D;
E

F

3.common tail: E

F

5. Yes.

4 messages involved

V accepts S Tails intersect + key registered

Earlier: Each node registers at tails



m

Phillip B. Gibbons, DISC’08/Graal’08

18

Further Details in Paper


Birthday paradox V &
honest S


share a common tail w.h.p.



Limit on sybil
Ks
in honest region V &

sybil S

don’t share a common tail w.h.p.


Unless V has a tail in sybil region: Handled in paper



How to estimate parameters:
w

&
m



Evaluation w/ real
-
world social networks


Friendster, LiveJournal, DBLP (Added sybil nodes)

Phillip B. Gibbons, DISC’08/Graal’08

19

Conclusions (to Part I)


Sybil attack:


Widely considered a real & challenging problem



SybilLimit: Fully decentralized defense
protocol based on social networks


Provable near
-
optimal guarantees


Experimental validation on real social networks



Open Problem (in SybilLimit & Politics):




Honest users not voting

Phillip B. Gibbons, DISC’08/Graal’08

20

Fun with Networks


Social Networks


SybilLimit: Defending against Sybil Attacks in P2P




Sensor Networks


Synopsis Diffusion: Robust in
-
network aggregation




Shape
-
Shifting Networks


Claytronics: Aggregation in programmable matter


Phillip B. Gibbons, DISC’08/Graal’08

21

Wireless Sensor Network Aggregation


Aggregate in
-
network over a tree


Each node sends 1 short message (saves energy)

10

0
10
20
30
40
50
60
70
0
10
20
30
40
50
Time
% Nodes Included
3

1

1

3

1

1

3

7

1

2

1

Phillip B. Gibbons, DISC’08/Graal’08

22

The Problem and the Goal


Tree topology used to avoid

double
-
counting


Aggregation

and
routing


are tightly coupled




Our goal:

Decouple the two components


They can be independently optimized


Robust multi
-
path routing can be used


Can exploit the broadcast medium

1

1

1

1

3

1

3

7

1

1

3

4

5

12

In contrast, a gossip approach requires

point
-
to
-
point messages & explicit acks

Phillip B. Gibbons, DISC’08/Graal’08

23

Synopsis Diffusion


Each node generates a small
synopsis

of its readings (SG)



Starting with outer ring, each
node
broadcasts

its synopsis



Synopsis Fusion

(SF): Each
node in next ring combines
all synopses it hears into

its own synopsis



SF must be
order
-

and
duplicate
-

insensitive

(ODI)

Example

Topology:

Rings

e.g., Compute count or sum using Flajolet
-
Martin’s

distinct
-
values counting

[Considine et al, ICDE’04]

[with Suman Nath*, Srini Seshan, Zach Anderson, SenSys’04, TOSN 2008]

* Primary author

Phillip B. Gibbons, DISC’08/Graal’08

24

SD Example: Uniform Sample of Size K


SG(): Each node selects a random
r

in
[0,1], and creates a synopsis (r, id, val)


SF(s,s’): Output the
K

(r,id,val) triples
from
s U s’

with maximum r
-
values


SE(s): Output the
K

val’s in
s

K=2: (.4,1,v1), (.7,2,v2), (.3,3,v3), (.8,4,v4)

{(.4,1,v1),(.7,2,v2)}

{(.7,2,v2), (.4,1,v1)}

{(.7,2,v2),(.8,4,v4)}

{v2,v4}

{(.7,2,v2),(.3,3,v3)}

{(.3,3,v3),(.8,4,v4)}

Phillip B. Gibbons, DISC’08/Graal’08

25

Key Challenge & A Solution

ODI Goal
:
S
1

is always the same

SF

SF

SF

SG

r
1

SG

r
2

SG

r
3

SG

r
4

SG

r
5

SF

SF

SF

SF

SE

S
1

Result

Aggregation Topology

SF

SF

SF

SF

SF

SF

SF

SF

SF

SF

SF

SF

SF

SF

SF

SF

SF

SF

SF

SF

SF

Potentially large
unknown set of
combinations!

Key Result:

Give 4 simple,

locally testable

properties for

ODI correctness

(necessary &

sufficient)

Makes topology

independence tractable

Phillip B. Gibbons, DISC’08/Graal’08

26

Order
-

& Duplicate
-
Insensitive
Synopses


Necessary & sufficient conditions

1.
SF is commutative

2.
SF is associative

3.
SF is same
-
synopsis idempotent: SF(s,s) = s

4.
If readings r and r’ are “duplicates”,

then SG(r) = SG(r’)

E.g., suppose use SF(s1,s2) = (s1+s2)/2, which of P1
-
P3 fails?

P2: SF(2,SF(6,30)) = 10 but SF(SF(2,6),30) = 17

Phillip B. Gibbons, DISC’08/Graal’08

27

Implications


SF forms a semi
-
lattice


Lattice property can tell if another
ODI synopsis accounts for my synopsis

E.g., SF is bitwise
-
OR

00101

10111

Implicit acks (Listen to what parent sends to
know if your message was “received”)

Efficient adaptation to dynamic message loss,
even when asymmetric links

More robust routing More accurate answers

4

6

Not true for

non
-
ODI

e.g., sum

Phillip B. Gibbons, DISC’08/Graal’08

28

ODI
-
Correct Algorithms


Count, Count Distinct, Sum, Average,

Standard deviation, Second moment,

Uniform sample, k’th statistical moment,
Quantiles, Frequent items,

Range aggregates, Inner product queries

For ODI
-
correct algorithms:

Approximation guarantees

Well
-
studied

Streaming Model

=

same

3

5

2

2

2

2

5

3





Phillip B. Gibbons, DISC’08/Graal’08

29

Synopsis Diffusion on Rings

Scheme

Energy

Tree (TAG)

41.8mj

A. Rings

42.1mj

Flood

685mj

0
0.2
0.4
0.6
0.8
1
0
0.2
0.4
0.6
0.8
1
Loss Rate
RMS Error
TAG
Rings
Adaptive Rings
Flood
More robust than TAG

Almost as energy
efficient as TAG

600 sensors in 20x20

Count query

(tree)

Phillip B. Gibbons, DISC’08/Graal’08

30

Synopsis Diffusion vs. Tree

Tributary
-
Delta
:
run both

simultaneously, depending on:






[with Amit Manjhi, Suman Nath, ICDE’05]

SD

Tree


Communication

error

1%

60%

Approximation

error


10
-
15%

0
-
5%

Number

of Packets

1
-
3

1

Delta

Tributary



regional loss rate



accumulated aggregation

Phillip B. Gibbons, DISC’08/Graal’08

31

Conclusions (to Part II)


Synopsis Diffusion


ODI
-
correct algorithms + any multi
-
path routing



Open Problems


ODI
-
correct subtraction



Use Synopsis Diffusion in other contexts
:


P2P, mobile, etc.



ODI
-
correctness requires the
same
synopsis
for all aggregation topologies


However, too strong: E.g., quantiles


always
meets guarantees but answer depends on order


What is a formal framework for such scenarios?

Phillip B. Gibbons, DISC’08/Graal’08

32

Fun with Networks


Social Networks


SybilLimit: Defending against Sybil Attacks in P2P




Sensor Networks


Synopsis Diffusion: Robust in
-
network aggregation




Shape
-
Shifting Networks


Claytronics: Aggregation in programmable matter


Phillip B. Gibbons, DISC’08/Graal’08

33

The Vision: A Material That
Changes Shape


Large groups of tiny robot modules (10
6

-
10
9

units), working in unison to form
tangible, moving 3D shapes






Not just an
illusion

of 3D (as with stereo
glasses), but
real physical objects



Both an output device (rendering,
haptics) & an input device (sensing)

Phillip B. Gibbons, DISC’08/Graal’08

34

Suppose Software Could

Control Shape

Video: CMU Entertainment Technology Center

Phillip B. Gibbons, DISC’08/Graal’08

35

Applications


Product design


Medical visualization


Adaptive form
-
factor devices


Telepario


3D fax


Smart antennas


Paramedic
-
on
-
demand


Entertainment


Etc.


Phillip B. Gibbons, DISC’08/Graal’08

36

Claytronics

[PIs: Seth Goldstein, Jason Campbell, Todd Mowry]


Each sub
-
millimeter module (“catom”)
integrates
computing

&
actuation



Key issues:


very high concurrency (
10
6

-
10
9

catoms)


nondeterminism & unreliability


efficient actuators, strong adhesion


power, heat, dirt


complex, dynamic networking (network diameters


≥ 1000, and changing topologies)



Phillip B. Gibbons, DISC’08/Graal’08

37

Moving Catoms Without Moving Parts:


Two Potential Actuation Methods


Magnetic field






Electric field

one coil

two assembled magnet rings

2 magnetic
-
field

prototype catoms

electrostatic
latch design

completed latch

Phillip B. Gibbons, DISC’08/Graal’08

38

patterned “flower”,

including actuators

& control circuitry

arms curl up


due to stresses
between layers

Making Submillimeter Catoms

[J. Robert Reid,


Air Force Research Labs]

[Igal Chertkow & Boaz Weinfeld,


Intel]

2 mold wafers

bonded around

1 thinned logic wafer

Note: Both are

early attempts

Phillip B. Gibbons, DISC’08/Graal’08

39

Catom Design


Actuation: Roll across each other (using
electrostatics) under software control


Planned motion, Reactive motion



Power: Form own power grid


Connected to external power source



Communication: Between physically
adjacent modules


Either electrical contact, capacitive
-
coupled
connections, or free space optics (
wire
-
like
)


Simultaneously with multiple neighbors

Phillip B. Gibbons, DISC’08/Graal’08

40

Aggregation Goal


In order to self
-
organize into a desired
shape, the catom ensemble must:



Be able to measure key aggregate properties


(e.g., center of mass)



Coordinate their activities

…in
real time

Diameter too large for standard


hop
-
by
-
hop approach

Ensemble too dense for

longer range wireless

Phillip B. Gibbons, DISC’08/Graal’08

41

Speculative Forwarding

[with Casey Helfrich, Todd Mowry, Babu Pillai,

Ben Rister, Srini Seshan]

Standard approach:

(regular) gradient

E.g., regular 2D grid

Our approach:



Hierarchical Overlay



Speculative forwarding


on the long links

Phillip B. Gibbons, DISC’08/Graal’08

42

Speculative Forwarding


Each catom maintains
incoming
-
to
-
outgoing link mapping

(e.g., last used)


Each bit along incoming wire sent on
outgoing wire according to the mapping


When accumulate header, check for
miss
-
speculation

Aggregation deferred to nodes in the overlay

Many issues:



miss
-
speculations



creating overlay



shape changes

Initial results

are promising

Phillip B. Gibbons, DISC’08/Graal’08

43

Conclusions (to Part III)


Shape
-
Shifting Networks pose a new
problem domain for algorithmic research


Details are in flux; realizations years away


Key issues: scale, dynamics, soft real
-
time



Open Problems


Much
theory work

to be done:

Formal modeling, new algorithms,

new insights, lower bounds, etc.


E.g., what is a robust, low
-
latency

communication/aggregation

scheme for catom ensembles?


Ensemble algorithmics
: local algs

Brownian hole motion

Grow/consume holes

Phillip B. Gibbons, DISC’08/Graal’08

44

Fun with Networks


Social Networks


SybilLimit: Defending against Sybil Attacks in P2P




Sensor Networks


Synopsis Diffusion: Robust in
-
network aggregation




Shape
-
Shifting Networks


Claytronics: Aggregation in programmable matter