The EigenTrust Algorithm for Reputation Management in P2P Networks Sepandar D.Kamvar, Mario T.Schlosser, Hector Garcia-Molina Stanford University Appeared in WWW 2003, Budapest, Hungary Speaker : Yu-Hsin Shih Date : 2007/09/04
Outline Problem Basic EigenTrust Distributed EigenTrust Secure EigenTrust Global Trust Value Experiments and Results
Problem Motivation: Goal: Reduce inauthentic files distributed by malicious peers in a P2P network Goal: Identify sources of inauthentic files and malicious peers against downloading from them
Problem (cont.) Problem How to aggregate local trust value without a centralized server From a few peers – cannot get a wide view of P2P network From all peers – may congest the network
Problem (cont.) Method Each peer i is assigned a global trust value, which reflects the experiences of all peers in the network with peer i
Outline Problem Basic EigenTrust Distributed EigenTrust Secure EigenTrust Global Trust Value Experiments and Results
Terminology Local trust value: cij Global trust value: ti Peer 3 Local trust value: cij The opinion that peer i has on peer j, based on past experience Global trust value: ti The trust that the entire system places on peer i Peer 1 t3=0.55 t2=0.3 t1=0.15 t4=0 C21=0.3 C23=0.7 C14=0.01 C12=0.6 Peer 2 Peer 4
Basic EigenTrust Compute local trust value Normalize local trust value Aggregate local trust value
Basic EigenTrust Compute local trust value Normalize local trust value Aggregate local trust value
Compute Local Trust Value Step 1: Peer i downloads a file from peer j Positive transaction tr(i,j) = 1 Negative transaction tr(i,j) = -1 Step 2: Local trust value sij = sum of ratings of individual transactions that peer i has downloaded from peer j sij = Σ tr(i,j) eBay, yahoo
Basic EigenTrust Compute local trust value Normalize local trust value Aggregate local trust value
Normalize Local Trust Value .. All cij are non-negative ci1 + ci2 + . . . + cin = 1 C14=0.1 C12=0.9 Peer 1 Peer 2 Peer 4 Malicious users may assign arbitrarily high local trust values to malicious peers and arbitrarily low values to good peers.
Normalize Local Trust Value (cont.) Local trust vector ci : contains all local trust values cij that peer i has on other peers j Peer 1 c1 Peer 2 Peer 4 Peer 1 C12=0.9 Peer 2 C14=0.1 Peer 4
Normalize Local Trust Value (cont.) Drawback Normalized values do not distinguish between peers with no interaction and peers with poor experience Normalized values are relative, not absolute interpretation
Basic EigenTrust Compute local trust value Normalize local trust value Aggregate local trust value
Past History ? Each peer biases its choice of downloads using its own opinion vector ci. If it has had good past experience with peer j, it will be more likely to download from that peer. Problem – Each peer has limited past experience. Knows few other peers. Peer 4 Peer 1 Peer 6
Friends of Friends Ask for the opinions of people who you trust Peer 4 Peer 1 Peer 2 Peer 8 Peer 6 Friends of Friends Ask for the opinions of people who you trust Weight their opinions by your trust in them
The Math t C T i What your friends think of peer k Weight each friend’s opinion by how much you trust him. Ask your friends j 0.2 0.3 0.5 1 0 0 .1 .3 .2 .6 i T t C
Problems with Friends Either you know a lot of friends, in which case you have to compute and store many values. Or, you have few friends, in which case you won’t know many peers, even after asking your friends.
Goals Want each peer to Know all peers Perform minimal computation and storage
To Know All Peers Ask your friends: t = CTci Ask friends’ friends: Keep asking until t converges: t = (CT)nci
Minimal Computation Luckily, the global trust vector t, if is computed in this manner, converge to the same thing for every peer! Therefore, each peer doesn’t have to store and computes its own global trust vector. The whole network can cooperate to store and compute t.
Non-distributed Algorithm Initialize: Repeat until converges
Practical Issues A priori notions of trust Inactive Peers Malicious Collectives
A Priori Notions of Trust Assuming that some peers in the network are trustworthy Define a distribution p over pre-trusted peers P, such that pi = 1 / |P| In the presence of malicious peers, t = (CT)n p will converge faster so p is used as the start vector
Inactive Peers If peer i doesn’t download from anybody else or assigns 0 to all peers, cij will be undefined: Redefine cij. If a peer i doesn’t know anyone or doesn’t trust anyone, he will choose to trust per-trusted peers C - local trust value
Malicious Collectives Break collectives by having each peer place at least some trust in the peers P that are not a part of the collective How? Probabilistically, an agent crawling the network is less likely to get stuck crawling a malicious collective Challenge: Make sure that no pre-trusted peer is a member of malicious collective
Outline Problem Basic EigenTrust Distributed EigenTrust Secure EigenTrust Global Trust Value Experiments and Results
Distributed EigenTrust Each peer i stores its local trust vector ci and global trust vector ti Computation, storage, message overheads are minimal In P2P networks, each peer has limited interactions with other peers. So most of the trust values will be 0. In the case of a network with heavily active peers, limit the number of local trust values cij that each peer can report
Distributed EigenTrust Algorithm For each peer i { -First, ask peers who know you for their opinions of you. -Repeat until convergence { -Compute current trust value: ti(k+1) = (1-a)(c1i t1(k) +…+ cni tn(k))+api -Send your opinion cij and trust value ti(k+1) to your acquaintances. -Wait for the peers who know you to send you their trust values and opinions. }
Algorithm Complexity Algorithm converges fast: around 100 query cycles for a network of 1000 peers Computed global trust values do not change significantly any more after a low number of iterations
Outline Problem Basic EigenTrust Distributed EigenTrust Secure EigenTrust Global Trust Value Experiments and Results
Secure EigenTrust Previously, each peer computes and reports its own global trust value ti. Drawback: Malicious peers can easily report false trust values Secure EigenTrust A peer’s trust value must not be computed by and reside at the peer itself. Trust value of one peer will be computed by more than one peer. (use majority vote to avoid malicious results) Security is an important issue in P2P network!
Secure EigenTrust M peers (score managers) compute trust value of peer i Use Distributed Hash Table (DHT) to get M score mangers Hash unique ID of peer (IP address, TCP port) using hash functions h1, h2, h3 into points in the logical coordinate space The peers corresponding to the points become the score managers. DHT 只是其中一種Secure的方法, 不是唯一。
Secure EigenTrust : Properties Anonymity A peer at a specific coordinate cannot find out for whom it computes the trust value Randomization Peers that enter the system cannot select at which coordinates in the hash space they want to be located Redundancy Several score managers compute the trust value for one peer
Outline Problem Basic EigenTrust Distributed EigenTrust Secure EigenTrust Global Trust Value Experiments and Results
Global Trust Value When you get responses from multiple peers Deterministic Choose the one with highest trust value Probabilistic Choose a peer with probability proportional to its trust value
Deterministic Download Choose the one with highest trust value Advantage High probability to access authentic files Disadvantage Highly trusted peers will be overloaded. Newcomers have little chance to build up reputation
Deterministic Download Choose the one with highest trust value
Probabilistic Download Choose a peer with probability proportional to its trust value Advantage Limit number of unsatisfactory downloads Balance network load Allow newcomers to build up reputation
Probabilistic Download Choose a peer with probability proportional to its trust value
Load Distribution Deterministic Download Choice Probabilistic Download Choice
Using Global Trust Values Isolating Malicious Peers Select peers probabilistically based on trust value , where d is a constant between 0 and 1. In this way, a peer avoid downloading from another peer who gives it bad discriminatory service.
Using Global Trust Values Stimulating Free-riders to Share Reward reputable peers Increase connectivity, greater bandwidth Effect Incentive to share files Give non-malicious peers an incentive to delete inauthentic files
Outline Problem Basic EigenTrust Distributed EigenTrust Secure EigenTrust Global Trust Value Experiments and Results
Threat Scenarios Malicious Individuals Malicious Collective Always provide inauthentic files Malicious Collective Know each other. Give each other good opinions and give other bad opinions.
Threat Scenarios (cont.) Camouflaged Collective Provide authentic files some of the time to trick good peers into giving them good opinions. Malicious Spies Some members of the collective give good files all the time, but give good opinions to malicious peers.
Malicious Individuals
Malicious Collective
Camouflaged Collective
Malicious Spies
Summary EigenTrust Dramatically reduce number of inauthentic file downloads in the network Robust to malicious peers Low overhead
Reference Kamvar’s slides & paper http://www.stanford.edu/~sdkamvar/talks/EigenTrust.ppt http://www.stanford.edu/~sdkamvar/papers/eigentrust.pdf
Thank you!