Team Adept


Section: New Results

Reputation in Dynamic Large Scale Systems

Participants: Emmanuelle Anceaume, Romaric Ludinard, Heverson Ribeiro.

Persistent Feedbacks

We aim to provide mechanisms that guarantee the persistence of feedback about entities within a structured peer-to-peer overlay [18], [19]. Persistent feedback clearly raises the level of difficulty for an attacker to mount whitewashing attacks or transaction repudiations. The use of erasure and rateless codes [40] is a promising way to provide strong persistence mechanisms [31], [39] at a reasonable cost. We have proposed solutions that partially fulfill these requirements in the context of a structured peer-to-peer overlay [21]. As currently designed, these mechanisms are so powerful that it can be almost impossible to erase wrongly attributed feedback. Because we are also interested in privacy issues, we plan to extend these solutions so as to offer the possibility of a right to oblivion (i.e., a right to erasure of data).

Induced Churn to Face Malicious Users

Persistent feedback is a first barrier against the simpler attacks. However, it is still quite easy for a malicious user to use several distinct identities so as to bias the reputation mechanism. Recall that the trustworthiness of the reputation mechanism we are considering here is based solely on statistical measurements. Consequently, an attacker who could create a statistically significant number of different identities could cause this hypothesis to collapse. Our contribution is centered on the study of robust mechanisms that can resist such attacks. It has been shown [23] that peer-to-peer overlay networks can only survive severe (Byzantine) attacks if malicious peers are not able to predict what the topology of the network is going to be for a given sequence of join and leave operations. Designing a P2P overlay that makes such predictions extremely difficult is key to obtaining a robust routing [42] mechanism within the overlay. In turn, a robust routing mechanism will guarantee that malicious users will not be able to corrupt information transmission and, thereby, the persistence of collected and aggregated feedback.

A promising way to reach this goal is to have limited-lifetime identities within the system. This limitation forces malicious and honest users to regularly leave and re-enter the system. This helps spread malicious users uniformly within the overlay, making the task of mounting an attack extremely difficult. However, this solution induces a permanent churn in the overlay. As a consequence, it is of the utmost importance to evaluate the cost of such solutions in terms of extra communication messages. In collaboration with the Inria project team Dionysos and Supelec, we have started investigating this approach with interesting results. We consider adversarial strategies by following specific games. Our analysis demonstrates first that an adversary can very quickly subvert DHT-based overlays by simply never triggering leave operations. We then show that when a limited lifetime is imposed on all nodes (honest and malicious ones), the system eventually reaches a stationary regime where the ratio of polluted clusters is bounded, independently of the initial amount of corruption in the system. These results, obtained by using Markov models, are presented in [13] and [14].
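The two claims above can be illustrated with an exact toy Markov chain for a single cluster; this is an example added here, not the model used in [13] and [14]. The cluster size `S`, the newcomer corruption rate `MU`, the uniform-expiry rule and the one-third pollution threshold are all assumptions chosen for the illustration.

```python
# Toy Markov model (constructed for illustration; not the model of [13]/[14]).
# State m = number of malicious members in one cluster of fixed size S.
# Each step, one member leaves and is replaced by a newcomer that is
# malicious with probability MU.
# Assumption: a cluster is "polluted" once more than a third of it is malicious.

S, MU = 12, 0.2


def step(dist, limited_lifetime):
    """Advance the probability distribution over m by one leave/join event."""
    nxt = [0.0] * (S + 1)
    for m, p in enumerate(dist):
        if p == 0.0:
            continue
        if limited_lifetime:
            # Identity expiry ignores behaviour: the leaver is malicious w.p. m/S.
            leave_mal = m / S
        else:
            # Adversary never triggers a leave: only honest members depart.
            leave_mal = 0.0
        # Honest member leaves and a malicious one joins (impossible when m == S).
        up = 0.0 if m == S else (1 - leave_mal) * MU
        # Malicious member is forced out and an honest one joins.
        down = leave_mal * (1 - MU)
        nxt[m] += p * (1 - up - down)
        if up:
            nxt[m + 1] += p * up
        if down:
            nxt[m - 1] += p * down
    return nxt


def polluted_probability(m0, limited_lifetime, steps=2000):
    """Probability that the cluster is polluted after `steps` events,
    starting from m0 malicious members."""
    dist = [0.0] * (S + 1)
    dist[m0] = 1.0
    for _ in range(steps):
        dist = step(dist, limited_lifetime)
    return sum(p for m, p in enumerate(dist) if 3 * m > S)


if __name__ == "__main__":
    print("no lifetime limit, clean start    :", polluted_probability(0, False))
    print("limited lifetime, clean start     :", polluted_probability(0, True))
    print("limited lifetime, fully corrupted :", polluted_probability(S, True))
```

In this toy model the limited-lifetime chain converges to a Binomial(S, MU) distribution over m, so the long-run pollution probability depends only on `MU` and `S`, not on the starting state.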

