ArticlePDF Available

A Survey of Solutions to the Sybil attack

Authors:

Abstract

Many security mechanisms are based on specific assumptions of identity and are vulnerable to attacks when these assumptions are violated. For example, impersonation is the well-known consequence when authenticating credentials are stolen by a third party. Another attack on identity occurs when credentials for one identity are purposely shared by multiple individuals, for example to avoid paying twice for a service. In this paper, we survey the impact of the Sybil attack, an attack against identity in which an individual entity masquerades as multiple simultaneous identities. The Sybil attack is a fundamental problem in many systems, and it has so far resisted a universally applicable solution.
A Survey of Solutions to the Sybil Attack
Brian Neil Levine1Clay Shields2N. Boris Margolin1
1Dept. of Computer Science, Univ. of Massachusetts, Amherst
2Dept. of Computer Science, Georgetown University
{brian, margolin}@cs.umass.edu, clay@cs.georgetown.edu
1 Introduction
Many security mechanisms are based on specific assumptions of identity and
are vulnerable to attacks when these assumptions are violated. For example,
impersonation is the well-known consequence when authenticating credentials
are stolen by a third party. Another attack on identity occurs when credentials
for one identity are purposely shared by multiple individuals, for example to
avoid paying twice for a service. Such shared accounts are common in practice:
friends exchange iTunes passwords to share purchased music; BugMeNot.com is
a community that shares website registration passwords; and network address
translation [29] devices allow multiple users to pay for a single IP address which
is then shared among them.
In this paper, we survey the impact of the Sybil attack [26], an attack against
identity in which an individual entity masquerades as multiple simultaneous
identities. The Sybil attack is a fundamental problem in many systems, and it
has so far resisted a universally applicable solution.
Many distributed applications and everyday services assume each participat-
ing entity controls exactly one identity. When this assumption is unverifiable or
unmet, the sevice is subject to attack and the results of the application are ques-
tionable if not incorrect. A concrete example of this would be an online voting
system where one person can vote using many online identities. Notably, this
problem is currently only solved if a central authority, such as the administrator
of a certificate authority, can guarantee that each person has a single identity
represented by one key; in practice, this is very difficult to ensure on a large
scale and would require costly manual attention.
2 The Sybil Attack
While it has only been recently named and described, the Sybil attack has ap-
peared in many forms in both academic work and in the real world. It is a severe
and pervasive problem in many areas. For example, it is possible to rig Internet
polls by using multiple IP addresses to submit votes [47], to gain advantage in
any results of a chain letter [12], and is a well-known and potentially major prob-
lem in real-world elections [86]. A Sybil attack is also used by companies that
increase the Google PageRank rating of the pages of their customers [9], and
10
20
30
15
5
25
Trusted certification
No solution
Resource testing
Recurring costs
Trusted devices
Observation
Citations
Fig. 1. Sybil attack approaches in the literature, summarized
has been used to link particular search terms to unexpected results for political
commentary [66]. Reputation systems are a common target for Sybil attacks [18]
including real-world systems like eBay [8].
Spammers can use this attack to gain access to multiple accounts on free-
email systems. Peer-to-peer computing systems which use voting to verify correct
answers, such as SETI@home, are also susceptible to accepting false solutions
from a Sybil attacker [94]. Ad hoc mobile network routing can be manipulated
when a Sybil attacker appears to be many different mobile nodes at once [44].
In systems that provide anonymity between peers, such as Tor, the Sybil attack
is generally capable of revealing the initiator of a connection [89] and there is no
defense against this attack [24]. It also allows free riding in services in cooperative
file storage systems such as Pastiche [20].
Formal analyses of the attack have been done in the context of peer-to-peer
applications [18,26]. Despite this work, there is no general solution to the attack.
Proposed solutions most commonly use resource testing, though Douceur has
shown this cannot prevent the attack in practical situations [26]. A wide variety
of applications have considered the effects of the attack [22, 49, 67, 71,83].
Below we first summarize approaches that have been cited in the literature
to protecting against or detecting the attack. We then review results that are
specific to different applications vulnerable to the attack.
2.1 General Approaches
Since the first analysis of the Sybil attack, some eleven different approaches have
been proposed to prevent or mitigate the attack. In this paper, we categorize 90
papers that mention either the Sybil attack or pseudospoofing [23] (an earlier
term for the use of multiple false identities) into these eleven categories and
describe each approach.
Approximately half of the published papers either suggest certification as a
solution to the Sybil attack, following Douceur’s approach, or simply state the
problem without giving a solution. The remaining papers use one of nine distinct
strategies. In Figure 1 we show the number of citations for different approaches
to the Sybil problem; some papers are counted in multiple categories.
Trusted certification [2,15,16, 26–28,35,40, 42,46,51,61–63,65, 67,68,75–
78, 84, 85, 90, 95, 96, 98]
Douceur [26] has proven that trusted certification is the only approach that
has the potential to completely eliminate Sybil attacks. Accordingly, it is cited as
the most common solution. However, trusted certification relies on a centralized
authority that must ensure each entity is assigned exactly one identity, as indi-
cated by possession of a certificate. In fact, Douceur offers no method of ensuring
such uniqueness, and in practice it must be performed by a manual or in-person
process. This may be costly or a create a performance bottleneck in large-scale
systems. Moreover, to be effective, the certifying authority must ensure that lost
or stolen identities are discovered and revoked. If the performance and security
implications can be solved, then this approach can eliminate the Sybil attack.
No solution [1, 6, 7, 21, 25, 32, 43, 45, 53, 54, 58, 79–82, 88, 97]
Though many researchers are aware that the Sybil attack is a potential prob-
lem, they present no solution to it for in their work. We cite these publications
to point out that the Sybil attack remains an unsolved problem that is correctly
acknowledged where applicable, and not to disparage the works.
Resource testing [4, 15, 19, 33, 38, 41, 51, 55, 56, 59, 61, 67, 87, 93, 95]
The goal of resource testing is to attempt to determine if a number of iden-
tities possess fewer resources than would be expected if they were independent.
These tests include checks for computing ability, storage ability, and network
bandwidth, as well as limited IP addresses. Cornelli et al. [19] and Freedman
and Morris [33] specifically propose testing for IP addresses in different domains
or autonomous systems. Requiring heterogeneous IP addresses prevents some
attacks but does not discourage others (such as zombie networks) and limits the
usability of an application.
Douceur has proven the ineffectiveness resource tests, but a number of re-
searchers suggest them as a minimal Sybil attack defense. In these cases the
stated goal is to discourage rather than prevent Sybil attacks, and the number
of identities an attacker can have is, in theory, limited. For many applications
this is insufficient if an attacker can obtain enough identities for a successful
attack, even if it is expensive. In the Tor communication system, for example,
only two identities are required for an attack on anonymity [89].
In a type of resource test, Yu et al.’s SybilGuard technique [93] relies on
limited availability of real-world friendship edges between nodes. However, the
p2p application in use may have little intersection with the real-world friends
represented in the graph. These friendship relationships may also be expensive to
construct since the proposal requires out-of-band key sharing and a stronger trust
relationship than is typical in social networks. It instead requires procedures at
least as onerous as the GPG key signing tree. These costs, however, are one-time
only and can be amortized over time by honest or malicious users alike.
Recurring costs and fees [5, 27, 36, 55, 56]
In a variation on resource testing, in several papers [5, 55, 56] identities are
periodically re-validated using resource tests. The approach limits the number
of Sybil attacker with constrained resources can introduce in a period of time.
However, as we noted above, in many applications very few Sybil identities are
required for an effective attack. Additionally, in these papers, computational
power is tested. Computational power mostly involves a one-time cost (for ex-
ample, the purchase of computing hardware), so an attacker could recover over
time even a high initial cost of claiming a large number of identities.
Awerbuch and Scheidler [5] suggest the use of Turing tests, for example
CAPTCHAs, to impose recurring fees. Dragovic et al. [27] require certification
of identities, but this certification is not trusted; rather, it is seen as a way of
imposing identity creation costs. Gatti et al.’s Sufficiently Secure Peer-to-Peer
Networks [36] uses an economic, game-theoretical approach to examine when
attacks on censorship resistant networks are cost-effective. In recent work [57],
we showed that charging a recurring fee for each participating identity is quan-
titatively more effective as a disincentive against successful Sybil attacks than
charging one-time fees. For many applications, recurring fees can incur a cost
to the Sybil attack that increases linearly with the total number of identities
participating; one-time fees incur only a constant cost.
Trusted devices [67, 76]
In a defense related to trusted certification authorities, entities in an ap-
plication can be linked in some secure fashion to a specific hardware device.
Analogous to any central authority handing out cryptographic certificates, there
are no special methods of preventing an attacker from obtaining multiple devices
other than manual intervention. The cost of acquiring multiple devices may be
high, however.
2.2 Application Domains
In the remainder of this section, we summarize results regarding the Sybil attack
that are specific to a broad set of application domains.
Mobile Networks [14, 72] Wireless, mobile networks provide a unique
avenue for detecting Sybil attackers. Observation of location can distinguish dif-
ferent devices, and limits of realistic mobility can constrain attacker movement.
For an attacker with a single device, all Sybil identities will always appear to
move together. The defense is not applicable beyond mobile networks, and it
does not protect against a single entity controlling multiple devices, each having
a non-recurring cost.
Auditing [3,83,94] In some cases, the correctness of identity behavior can
be determined through audit. If the audit is cheap, the Sybil attack has little
benefit: for instance, a large number of apparently independent identities cannot
successfully convince another entity that they have factored a large number
unless they have actually done so.
In some cases, audits are as costly as performing a requested computation.
Here the probability of a successful misrepresentation must be factored into the
cost of a Sybil attack. Yurkewych et al. [94] study the effect of the Sybil attack on
p2p computing schemes (e.g., SETI@HOME). They determine the most effective
strategy is to offer a large reward for for a correct calculation of a result with
limited auditing. Because of the Sybil attack, it is less effective to redundantly
give the same computation to several participants and reward a majority that
returns with the same result with limited auditing.
Cash economies [52, 91, 92] In these applications, identities explicitly
exchange currency for desired goods or services. In most cases, such applications
are not susceptible to the Sybil attack, since they do not rely on redundancy.
Yokoo et al. [91, 92] describe a Sybil attack in combinatorial auction protocols,
where the independence of different valuations of goods is attacked. The benefit
of the Sybil attack can be eliminated by pricing goods appropriately in that it
must not be more expensive to buy a bundle of goods than to buy each good
separately.
Reputation Systems For many p2p systems, including ad hoc networks
and online markets, reputation systems have received a significant amount of at-
tention as a solution for mitigating the affects of malicious peers. In an important
work, Cheng and Friedman [17] evaluated the vulnerability of reputation systems
to the Sybil attack, classifying them as symmetric or asymmetric approaches.
A symmetric reputation system is one in which an identity’s reputation de-
pends solely on the topology of the trust graph, and not the naming or identity of
nodes. An attacker that wishes to increase its reputation simply uses Sybil iden-
tities to create a copy of the existing graph representing trust relationships. A
symmetric reputation system cannot distinguish original nodes from the copies,
and thus some Sybil node has reputations equal or better to any original node.
Cheng and Friedman [17] prove formally that such reputation systems are sus-
ceptible to Sybil attacks. Examples of symmetric reputation systems include
Google’s PageRank algorithm [9, 50], EigenTrust [48], and others [27, 61,69,70]
In asymmetric reputation systems, there are specifically trusted nodes from
which all reputation values propagate. Alternatively, each entity separately com-
putes a trust value along their unique paths to every other identity in the system.
Since the trusted nodes cannot be impersonated, no Sybil attacker can create
a duplicate graph as explained above in the symmetric case. This trust value
can change over time as the entity interacts with and observes the behavior of
different identities. This is typical of social networks.
Asymmetric reputation systems can be effective at raising the cost of Sybil
attacks because attackers are forced to build up trust before effectively launching
attacks. Unfortunately, these systems inevitably penalize newcomers who must
prove themselves by offering benefits before getting anything in return. Examples
of asymmetric systems include Feldman et al. [30], Guha et al. [39], Domingos
et al. [74] among others [3, 10, 11, 13, 14, 17, 27, 31, 34, 37, 45, 52, 60, 64, 68, 73]
3 Conclusion
There are a variety of attacks that hinge on the issue of identity. In this paper,
we have presented an overview of work related to analyzing or solving the Sybil
attack, in which one entity appears as or controls many different identities. We
have demonstrated the breadth of applications that are subject to the attack,
including the widely used systems Google, eBay, SETI@HOME, and Tor. The
attack also presents a problem for peer-to-peer networks, mobile networks, and
reputation systems. While we lack an efficient, general solution that scales well
to large systems, there are a variety of solutions that can limit or prevent the
attack in several individual application domains.
References
1. A. Acquisti, R. Dingledine, and P. Syverson. On the Economics of Anonymity. In
Proc. Financial Cryptography (FC). Springer-Verlag, LNCS 2742, January 2003.
2. A. Adya, W. J. Bolosky, M. Castro, R. Chaiken, G. Cermak, J. R. Douceur, J. How-
ell, J. Lorch, M. Theimer, and R. P. Wattenhofer. Farsite: Federated, available,
and reliable storage for an incompletely trusted environment. In Proc. OSDI, pages
1–14, Dec. 2002.
3. K. Anagnostakis and M. Greenwald. Exchange-based incentive mechanisms for
peer-to-peer file sharing. In Proc. Intl Conf on Distributed Computing Systems
(ICDCS), Mar. 2004.
4. J. Aspnes, C. Jackson, and A. Krishnamurthy. Exposing computationally-
challenged Byzantine impostors. Technical Report YALEU/DCS/TR-1332, Yale
University Department of Computer Science, July 2005.
5. B. Awerbuch and C. Scheideler. Group Spreading: A Protocol for Provably Se-
cure Distributed Name Service. In Proc. Automata, Languages and Programming
(ICALP), pages 183–195, 2004.
6. B. Awerbuch and C. Scheideler. Robust Distributed Name Service. In Proc. Intl
Wkshp on Peer-to-Peer Systems, pages 237–249, 2004.
7. A. Bhargava, K. Kothapalli, C. Riley, C. Scheideler, and M. Thober. Pagoda: a
dynamic overlay network for routing, data management, and multicasting. In Proc.
ACM Symp on Parallel Algorithms, pages 170–179, 2004.
8. R. Bhattacharjee and A. Goel. Avoiding Ballot Stuffing in eBay-like Reputation
Systems. In ACM SIGCOMM Workshop on the Economics of Peer-to-Peer Sys-
tems, August 2005.
9. M. Bianchini, M. Gori, and F. Scarselli. Inside pagerank. ACM Trans. Inter. Tech.,
5(1):92–128, 2005.
10. R. B¨ohme, G. Danezis, C. D´ıaz, S. K¨opsell, and A. Pfitzmann. Mix cascades
vs. peer-to-peer: Is one concept superior? In Proc. Wkshp on Privacy Enhancing
Technologies, pages 243–255, 2004.
11. S. Buchegger and J.-Y. L. Boudec. A Robust Reputation System for P2P and Mo-
bile Ad hoc Networks. In Proc. Wkshp on the Economics of Peer-to-Peer Systems,
2004.
12. J. Bulgatz. More Extraordinary Popular Delusions and the Madness of Crowds.
Three Rivers Press, 1992.
13. S. ˇ
Capkun and J.-P. Hubaux. BISS: building secure routing out of an incomplete
set of secure associations. In Proc. ACM Wireless Security Conference, pages 21–
29, 2003.
14. S. Capkun, J.-P. Hubaux, and L. Buttyan. Mobility helps peer-to-peer security.
IEEE Transactions on Mobile Computing, 5(1):43–51, Jan 2006.
15. M. Castro, P. Druschel, A. Ganesh, A. Rowstron, and D. S. Wallach. Secure routing
for structured peer-to-peer overlay networks. In Proc. OSDI, pages 299–314, Dec
2002.
16. M. Castro, P. Druschel, A. Kermarrec, and A. Rowstron. One ring to rule them
all: Service discovery and binding in structured peer-to-peer overlay networks. In
Proc. SIGOPS European Wkshp, 2002.
17. A. Cheng and E. Friedman. Sybilproof Reputation Mechanisms. In Proc. ACM
Wkshp on Economics of Peer-to-Peer Systems, pages 128–132, 2005.
18. A. Cheng and E. Friedman. Sybilproof Reputation Mechanisms . In ACM Wkshp
on the Economics of Peer-to-Peer Systems, August 2005.
19. F. Cornelli, E. Damiani, and S. Samarati. Implementing a reputation-aware
gnutella servent. In Proc. Intl Wkshp on Peer-to-Peer Computing, 2002.
20. L. Cox and B. Noble. Pastiche: Making backup cheap and easy. In Proc. USENIX
OSDI, Dec. 2002.
21. D. Cvrcek and V. Matyas. On the role of contextual information for privacy attacks
and classification. In Proc. Wkshp on Privacy and Security Aspects of Data Mining,
pages 31–39, Nov. 2004.
22. G. Danezis, C. Lesniewski-Laas, M. F. Kaashoek, and R. Anderson. Sybil-resistant
DHT routing. In Proc. ESORICS, pages 305–318, 2005.
23. L. Detweiler. Snakes of medusa and cyberspace: Internet identity subversion. The
Risks Digest: Forum on Risks to the Public in Computers and Related Systems,
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator,
Nov. 1993. http://catless.ncl.ac.uk/Risks/15.25.html.
24. R. Dingledine, N. Mathewson, and P. Syverson. Tor: The second-generation onion
router. In Proc. USENIX Security Symp, Aug. 2004.
25. R. Dingledine, V. Shmatikov, and P. Syverson. Synchronous batching: From cas-
cades to free routes. In Proc. Privacy Enhancing Technologies workshop (PET),
volume 3424 of LNCS, May 2004.
26. J. Douceur. The Sybil Attack. In Proc. Intl Wkshp on Peer-to-Peer Systems
(IPTPS), Mar. 2002.
27. B. Dragovic, E. Kotsovinos, S. Hand, and P. R. Pietzuch. Xenotrust: Event-based
distributed trust management. In Proc. Intl Wkshp on Database and Expert Sys-
tems Applications, 2003.
28. B. Dutertre, S. Cheung, and J. Levy. Lightweight key management in wireless
sensor networks by leveraging initial trust. Technical Report SRI-SDL-04-02, SRI
International, 2002.
29. K. Egevang and P. Francis. The IP network address translator (NAT). RFC 1631,
Internet Engineering Task Force, May 1994.
30. M. Feldman, K. Lai, I. Stoica, and J. Chuang. Robust Incentive Techniques for
Peer-to-Peer Networks. In Proc. ACM E-Commerce Conference (EC), May 2004.
31. M. Feldman, K. Lai, I. Stoica, and J. Chuang. Robust incentive techniques for
peer-to-peer networks. In ACM Conf on Electronic Commerce, 2004.
32. D. R. Figueiredo, P. Nain, and D. Towsley. On the analysis of the predecessor attack
on anonymity systems. Computer Science Technical Report 04-65, University of
Massachusetts, July 2004.
33. M. J. Freedman and R. Morris. Tarzan: A peer-to-peer anonymizing network layer.
In Proc. ACM CCS, Nov. 2002.
34. Y. Fu, J. Chase, B. Chun, S. Schwab, and A. Vahdat. SHARP: An architecture
for secure resource peering. In Proc. ACM SOSP, Oct. 2003.
35. A. C. Fuqua, T.-W. J. Ngan, and D. S. Wallach. Economic behavior of peer-to-peer
storage networks. In Wkshp on Economics of Peer-to-Peer Systems, 2003.
36. R. Gatti, S. Lewis, A. Ozment, T. Rayna, , and A. Serjantov. Sufficiently secure
peer-to-peer networks. In Wkshp on the Economics of Information Security, May
2004.
37. P. Gauthier, B. Bershad, and S. Gribble. Dealing with cheaters in anonymous peer-
to-peer networks. Technical Report 04-01-03, University of Washington, January
2004.
38. S. Goel, M. Robson, M. Polte, and E. G. Sirer. Herbivore: A Scalable and Efficient
Protocol for Anonymous Communication. Technical Report 2003-1890, Cornell
University, February 2003.
39. R. Guha, R. Kumar, P. Raghavan, and A. Tomkins. Propagation of trust and
distrust. In Proc. Intl Conf on World Wide Web, pages 403–412. ACM Press,
2004.
40. N. Harvey, M. B. Jones, S. Saroiu, M. Theimer, and A. Wolman. Skipnet: A
scalable overlay network with practical locality properties. In Proc. USENIX Symp
on Internet Technologies and Systems (USITS), March 2003.
41. K. Hildrum. Finding Nearby Objects in Peer-to-Peer Networks. PhD thesis, Uni-
versity of California, Berkeley, 2004.
42. K. Hildrum and J. Kubiatowicz. Asymptotically efficient approaches to fault-
tolerance in peer-to-peer networks. In Proc. Intl Symp on Distributed Computing,
pages 321–336, 2003.
43. K. Hildrum, J. D. Kubiatowicz, S. Rao, and B. Y. Zhao. Distributed object lo-
cation in a dynamic network. In Proc. ACM Symp on Parallel Algorithms and
Architectures, pages 41–52, Aug. 2002.
44. Y.-C. Hu, A. Perrig, and D. Johnson. Ariadne: A secure on-demand routing pro-
tocol for ad hoc networks. In Proc. ACM MOBICOM, Sept. 2002.
45. R. Huebsch, B. N. Chun, J. M. Hellerstein, B. T. Loo, P. Maniatis, T. Roscoe,
S. Shenker, I. Stoica, and A. R. Yumerefendi. The architecture of pier: an internet-
scale query processor. In Proc. CIDR, pages 28–43, 2005.
46. M. Jelasity, A. Montresor, and O. Babaoglu. Towards secure epidemics: Detec-
tion and removal of malicious peers in epidemic-style protocols. Technical Report
UBLCS-2003-14, University of Bologna, Department of Computer Science, Nov.
2003. presented at FuDiCo II: S.O.S, Bertinoro, Italy, June, 2004.
47. P. Judge. ZDNet: .net vote rigging illustrates importance of web services.
http://news.zdnet.co.uk/software/ 0,39020381,2102244,00.htm, 2002.
48. S. D. Kamvar, M. T. Schlosser, and H. Garcia-Molina. The eigentrust algorithm
for reputation management in p2p networks. In Proc. Intl Conf on World Wide
Web, pages 640–651. ACM Press, 2003.
49. C. Karlof and D. Wagner. Secure routing in wireless sensor networks: Attacks and
countermeasures. Ad hoc Networks Journal (Elsevier), 1(2–3):293–315, Sept. 2003.
50. P. Lawrence, B. Sergey, R. Motwani, and T. Winograd. The pagerank citation
ranking: Bringing order to the web. Technical report, Stanford University, 1998.
51. J. Ledlie and M. Seltzer. Distributed, secure load balancing with skew, hetero-
geneity, and churn. In Proc. IEEE INFOCOM, Mar. 2005.
52. R. L. Levien. Attack resistant trust metrics. Master’s thesis, University of Cali-
fornia at Berkely, 1995.
53. B. N. Levine, M. K. Reiter, C. Wang, and M. K. Wright. Timing attacks in
low-latency mix-based systems. In Proc. Financial Cryptography. Springer-Verlag,
LNCS 3110, February 2004.
54. P. Maniatis, T. Giuli, M. Roussopoulos, D. Rosenthal, and M. Baker. Impeding
attrition attacks on p2p systems. In Proc. 11th ACM SIGOPS European Wkshp,
Sept. 2004.
55. P. Maniatis, D. S. H. Rosenthal, M. Roussopoulos, M. Baker, T. Giuli, and Y. Mu-
liadi. Preserving peer replicas by rate-limited sampled voting. In Proc. ACM
SOSP, pages 44–59, 2003.
56. P. Maniatis, M. Roussopoulos, T. J. Giuli, D. S. H. Rosenthal, and M. Baker.
The lockss peer-to-peer digital preservation system. ACM Trans. Comput. Syst.,
23(1):2–50, 2005.
57. N. B. Margolin and B. N. Levine. Quantifying and discouraging sybil attacks.
Computer Science Technical Report 2005-67, University of Massachusetts Amherst,
Dec. 2005.
58. S. Marti, P. Ganesan, and H. Garcia-Molina. SPROUT: P2P Routing with Social
Networks. In Proc. EDBT Wkshps, pages 425–435, 2004.
59. S. Marti and H. Garcia-Molina. Examining metrics for peer-to-peer reputation
systems. Technical Report 2003-39, Stanford University, July 2003.
60. S. Marti and H. Garcia-Molina. Identity crisis: Anonymity vs. reputation in p2p
systems. In Proc. 3rd Intl Conference on Peer-to-Peer Computing, pages 134–141,
2003.
61. S. Marti and H. Garcia-Molina. Limited reputation sharing in p2p systems. In
Proc. 5th ACM conference on Electronic commerce, 2004.
62. J. Martin and L. Alvisi. A framework for dynamic byzantine storage. Technical
Report TR04-08, University of Texas at Austin, 2004.
63. G. Mathur, V. N. Padmanabhan, and D. R. Simon. Securing routing in open
networks using secure traceroute. Technical Report MSR-TR-2004-66, Microsoft
Research, July 2004.
64. R. Morselli, J. Katz, and B. Bhattacharjee. A game-theoretic framework for an-
alyzing trust-inference protocols. In 2nd Wkshp on Economics of Peer-to-Peer
Systems, Cambridge, MA, USA, June 2004.
65. M. Narasimha, G. Tsudik, and J. H. Yi. On the utility of distributed cryptography
in p2p and manets: the case of membership control. In Proc. IEEE Intl Conference
on Network Protocols (ICNP), 2003.
66. B. News. ’miserable failure’ links to bush, ’December 7’ 2003.
http://news.bbc.co.uk/2/hi/americas/3298443.stm.
67. J. Newsome, E. Shi, D. Song, and A. Perrig. The Sybil attack in sensor networks:
analysis & defenses. In Proc. Intl Symp on Information Processing in Sensor
Networks (IPSN), pages 259–268, 2004.
68. T.-W. J. Ngan. Incentives and fair sharing in peer-to-peer systems. Master’s thesis,
Rice University, 2004.
69. T.-W. J. Ngan, D. S. Wallach, and P. Druschel. Incentives-compatible peer-to-peer
multicast. In 2nd Wkshp on the Economics of Peer-to-Peer Systems, June 2004.
70. N. Ntarmos and P. Triantafillou. Seal: Managing accesses and data in peer-to-peer
sharing networks. In Peer-to-Peer Computing, pages 116–123, 2004.
71. A. Perrig, J. Stankovic, and D. Wagner. Security in wireless sensor networks.
Commun. ACM, 47(6):53–57, 2004.
72. C. Piro, C. Shields, and B. N. Levine. Detecting the Sybil Attack in Ad hoc Net-
works. In Proc. IEEE/ACM Intl Conf on Security and Privacy in Communication
Networks (SecureComm), August 2006.
73. B. C. Popescu, B. Crispo, and A. S. Tanenbaum. Safe and Private Data Sharing
with Turtle: Friends Team-Up and Beat the System. In Proc. 12th Cambridge Intl
Wkshp on Security Protocols. Springer-Verlag, April 2004.
74. M. Richardson, R. Agrawal, and P. Domingos. Trust management for the semantic
web. In Intl Semantic Web Conference, pages 351–368, 2003.
75. R. Rodrigues. An agenda for robust peer-to-peer storage. In First IRIS Student
Wkshp, Aug. 2003.
76. R. Rodrigues, B. Liskov, and L. Shrira. The design of a robust peer-to-peer system.
In Proc. ACM SIGOPS European Wkshp, Sept. 2002.
77. T. Roscoe and S. Hand. Transaction-based charging in Mnemosyne: a peer-to-pee
steganographic storage system. In Proc. Intl Wkshp on Peer-to-Peer Computing
at Networking 2002, May 2002.
78. N. Saxena, G. Tsudik, and J. H. Yi. Admission control in peer-to-peer: design and
performance evaluation. In Proc. ACM Wkshp on Security of ad hoc and sensor
networks, pages 104–113. ACM Press, 2003.
79. A. Serjantov. Anonymizing censorship resistant systems. In Proc. 1st Intl Wkshp
on Peer-to-Peer Systems, Mar. 2002.
80. A. Serjantov and R. Anderson. On dealing with adversaries fairly. In Wkshp on
Economics and Information Security, May 2004.
81. J. Shneidman and D. C. Parkes. Overcoming rational manipulation in mechanism
implementations. Technical Report TR-12-03, Harvard, 2003.
82. J. Shneidman, D. C. Parkes, and L. Massoulie. Faithfulness in internet algorithms.
In Proc. Wkshp on Practice and Theory of Incentives and Game Theory in Net-
worked Systems (PINS), 2004.
83. M. Srivatsa and L. Liu. Vulnerabilities and security threats in structured overlay
networks: A quantitative analysis. In Proc. ACSAC, pages 252–261, 2004.
84. M. Srivatsa, L. Xiong, and L. Liu. XChange: A distributed protocol for electronic
fair-exchange. In Proc. IEEE Intl Parallel and Distributed Processing Symp, 2005.
85. M. ˇ
Cagalj, I. A. Saurabh Ganeriwal, and J.-P. Hubaux. On Cheating in CSMA/CA
Ad Hoc Networks. Technical Report IC/2004/27, EPFL-DI-ICA, Mar. 2004.
86. A. Viglucci, J. Tanfani, and L. Getter. Herald special report: Dubious tactics tilted
mayoral votes. Miami Herald, February 8, 1998.
87. V. Vishnumurthy, S. Chandrakumar, and E. G. Sirer. KARMA: A Secure Economic
Framework for P2P Resource Sharing. In Proc. Wkshp on the Economics of Peer-
to-Peer Systems, 2003.
88. H. J. Wang, Y.-C. Hu, C. Yuan, Z. Zhang, and Y.-M. Wang. Friends troubleshoot-
ing network: Towards privacy-preserving, automatic troubleshooting. In IPTPS,
pages 184–194, 2004.
89. M. Wright, M. Adler, B. N. Levine, and C. Shields. The Predecessor Attack: An
Analysis of a Threat to Anonymous Communications Systems. ACM Transactions
on Information and System Security (TISSEC), 4(7), 2004.
90. H. Yang, H. Luo, Y. Yang, S. Lu, and L. Zhang. HOURS: Achieving DoS Resilience
in an Open Service Hierarchy. Technical report, UCLA, 2003.
91. M. Yokoo. Characterization of strategy/false-name proof combinatorial auction
protocols: Price-oriented, rationing-free protocol. In Proc. Intl Joint Conference
on Artificial Intelligence (IJCAI), Aug. 2003.
92. M. Yokoo, Y. Sakurai, and S. Matsubara. The effect of false-name bids in combi-
natorial auctions: new fraud in internet auctions. Games and Economic Behavior,
46(1):174–188, January 2004.
93. H. Yu, M. Kaminsky, P. B. Gibbons, and A. Flaxman. Sybilguard: Defending
against sybil attacks via social networks. In Proc. ACM SIGCOMM, 2006.
94. M. Yurkewych, B. N. Levine, and A. L. Rosenberg. On the cost-ineffectiveness of
redundancy in commercial p2p computing. In Proc. ACM CCS, pages 280–288,
2005.
95. B. Zhao, A. D. Joseph, and J. Kubiatowicz. Supporting rapid mobility via locality
in an overlay network. Technical Report UCB/CSD-02-1216, UC Berkeley, Nov.
2002.
96. B. Y. Zhao, L. Huang, J. Stribling, S. C. Rhea, A. D. Joseph, and J. D. Kubiatowicz.
Tapestry: A resilient global-scale overlay for service deployment. IEEE Journal on
Selected Areas in Communications, 22(1):41–53, Jan. 2004.
97. Y. Zhao. Decentralized Object Location and Routing: A New Network Paradigm.
PhD thesis, University of California, Berkeley, 2004.
98. S. Zhu, S. Setia, and S. Jajodia. LEAP: Efficient security mechanisms for large-scale
distributed sensor networks. In ACM Conference on Computer and Communica-
tions Security (CCS), Oct. 2003.
... Byzantine nodes cannot forge signatures, ensuring the authenticity and integrity of messages forwarded by correct nodes. They cannot spawn new nodes or generate new identities, eliminating Sybil attacks [19]. ...
... After n − 1 rounds, all correct nodes have the same adjacency matrix and are able to compute if all nodes are reachable and if the vertex-connectivity is greater than t, to determine if the graph is partitioned or t-Byzantine partitionable (ll. [16][17][18][19][20][21][22][23]. Note that to accurately evaluate the topology, the number of rounds to use R should be larger than the graph diameter. ...
... Agreement is ensured by Lemma 2 and Lemma 3. Safety is ensured by Lemma 3. Finally, NECTAR is 2t-sensitive, according to Lemma 1. Regarding the validity property, if a node computes confirmed = True, it has in particular, computed r ̸ = n (Alg. 1 (ll. [16][17][18][19][20][21][22][23]). There are thus two cases: first, if the subgraph of correct nodes is disconnected, then V b is directly a vertex cut of G. Second, if the subgraph of correct nodes is connected, then according to Lemma 2, every correct node computes r ̸ = n. ...
Preprint
Full-text available
Detecting and handling network partitions is a fundamental requirement of distributed systems. Although existing partition detection methods in arbitrary graphs tolerate unreliable networks, they either assume that all nodes are correct or that a limited number of nodes might crash. In particular, Byzantine behaviors are out of the scope of these algorithms despite Byzantine fault tolerance being an active research topic for important problems such as consensus. Moreover, Byzantinetolerant protocols, such as broadcast or consensus, always rely on the assumption of connected networks. This paper addresses the problem of detecting partition in Byzantine networks (without connectivity assumption). We present a novel algorithm, which we call NECTAR, that safely detects partitioned and possibly partitionable networks and prove its correctness. NECTAR allows all correct nodes to detect whether a network could suffer from Byzantine nodes. We evaluate NECTAR's performance and compare it to two existing baselines using up to 100 nodes running real code, on various realistic topologies. Our results confirm that NECTAR maintains a 100% accuracy while the accuracy of the various existing baselines decreases by at least 40% as soon as one participant is Byzantine. Although NECTAR's network cost increases with the number of nodes and decreases with the network's diameter, it does not go above around 500KB in the worst cases.
... Byzantine nodes cannot forge signatures, ensuring the authenticity and integrity of messages forwarded by correct nodes. They cannot spawn new nodes or generate new identities, eliminating Sybil attacks [19]. ...
... After n − 1 rounds, all correct nodes have the same adjacency matrix and are able to compute if all nodes are reachable and if the vertex-connectivity is greater than t, to determine if the graph is partitioned or t-Byzantine partitionable (ll. [16][17][18][19][20][21][22][23]. Note that to accurately evaluate the topology, the number of rounds to use R should be larger than the graph diameter. ...
... Agreement is ensured by Lemma 2 and Lemma 3. Safety is ensured by Lemma 3. Finally, NECTAR is 2t-sensitive, according to Lemma 1. Regarding the validity property, if a node computes confirmed = True, it has in particular, computed r ̸ = n (Alg. 1 (ll. [16][17][18][19][20][21][22][23]). There are thus two cases: first, if the subgraph of correct nodes is disconnected, then V b is directly a vertex cut of G. Second, if the subgraph of correct nodes is connected, then according to Lemma 2, every correct node computes r ̸ = n. ...
... SeeRao and Reiley (2012) [88] for other economic analysis on spamming.16 SeeLevine et al. (2006) [94] for other ways to mitigate Sybil attacks.17 Note that in economics, the term 'free-riding' is specifically used for non-excludable goods and carries a slightly different meaning than it might in the blockchain context[96].18 ...
... SeeRao and Reiley (2012) [88] for other economic analysis on spamming.16 SeeLevine et al. (2006) [94] for other ways to mitigate Sybil attacks.17 Note that in economics, the term 'free-riding' is specifically used for non-excludable goods and carries a slightly different meaning than it might in the blockchain context[96].18 ...
Preprint
Full-text available
This paper surveys products and studies on cryptoeconomics and tokenomics from an economic perspective, as these terms are still (i) ill-defined and (ii) disconnected from economic disciplines. We first suggest that they can be novel when integrated; we then conduct a literature review and case study following consensus-building for decentralization and token value for autonomy. Integration requires simultaneous consideration of strategic behavior, spamming, Sybil attacks, free-riding, marginal cost, marginal utility and stabilizers. This survey is the first systematization of knowledge on cryptoeconomics and tokenomics, aiming to bridge the contexts of economics and blockchain.
... Table II categorizes cyber layer attacks based on malicious objectives that impact the security aspects of confidentiality, integrity, or availability. [47] Man-in-the-middle [48]- [50] Unauthorized Access [51]- [54] Reconnaissance [55]- [57] Message Replay [45], [58]- [60] Integrity Supply Chain Attacks [61]- [64] Command Manipulation [65], [66] Code Manipulation [65], [67] Malware Injection [68] Rogue Node [69]- [71] Broadcast Message Spoofing [58] Topology Attacks [72], [73] Sybil [74]- [76] Byzantine [77], [78] Availability DOS/DDOS [79]- [83] Response Delay [58], [59], [84] 1) Confidentiality Eavesdropping: The attack (also known as traffic analysis or packet sniffing) refers to the interception and analysis of network traffic to gain sensitive information [45]. In smart grids, eavesdropping may expose critical data to attackers including energy consumption patterns, pricing information, control messages, etc. Encryption and secure communication protocols can help mitigate the risk of eavesdropping in smart grids [46], [47]. ...
... Sybil: The attack occurs when a malicious node in a network illegitimately claims multiple identities [74], [75]. By controlling a large number of identities, a Sybil attack can disproportionately impact the network operations, manipulate data aggregation, disrupt communication, or undermine trustbased schemes [76]. ...
Preprint
Full-text available
In this study, we conduct a comprehensive review of smart grid security, exploring system architectures, attack methodologies, defense strategies, and future research opportunities. We provide an in-depth analysis of various attack vectors, focusing on new attack surfaces introduced by advanced components in smart grids. The review particularly includes an extensive analysis of coordinated attacks that incorporate multiple attack strategies and exploit vulnerabilities across various smart grid components to increase their adverse impact, demonstrating the complexity and potential severity of these threats. Following this, we examine innovative detection and mitigation strategies, including game theory, graph theory, blockchain, and machine learning, discussing their advancements in counteracting evolving threats and associated research challenges. In particular, our review covers a thorough examination of widely used machine learning-based mitigation strategies, analyzing their applications and research challenges spanning across supervised, unsupervised, semi-supervised, ensemble, and reinforcement learning. Further, we outline future research directions and explore new techniques and concerns. We first discuss the research opportunities for existing and emerging strategies, and then explore the potential role of new techniques, such as large language models (LLMs), and the emerging threat of adversarial machine learning in the future of smart grid security.
... In the context of a UAV reputation system, a Sybil attacker can generate numerous imaginary UAV identities, each accompanied by an artificial false positive reputation [43]. ...
Article
Full-text available
The proliferation of unmanned aerial vehicle (UAV) networks is increasing, driven by their capacity to deliver automated services tailored to the varied demands of numerous smart city applications. Trust, security, and privacy remain paramount in the public domain. Traditional centralized network designs fall short of ensuring device authentication, data integrity, and privacy within the highly dynamic and adaptable environments of UAV networks. Decentralized reputation systems have emerged as a promising solution for enhancing the reliability and trustworthiness of data and communications within these networks while safeguarding UAV security. This paper presents an exhaustive survey of trust and reputation systems, exploring existing frameworks and proposed innovations alongside their inherent challenges. The crucial role of reputation systems is to strengthen trust, security, and privacy throughout these networks, and various strategies can be incorporated to mitigate existing vulnerabilities. As a useful resource for researchers and practitioners seeking to advance the state of the art in UAV network security, we hope this survey will spark further community discussion and stimulate innovative ideas in this burgeoning field.
... Moreover, other defense mechanisms against Sybil attacks in network scenarios [100] prove effective in the context of DeAI: ...
Preprint
Full-text available
Decentralized Artificial Intelligence (DeAI) represents a paradigm shift in AI development, aiming to distribute control and resources across a broader network of stakeholders. From the vantage points of data providers, computing powers, and model trainers, we delve into the intricacies of participant involvement in DeAI, elucidating the associated risks, challenges, and corresponding solutions. Furthermore, we shed light on the emergent challenges stemming from large-scale models, particularly in the realms of cryptography, privacy preservation, and network scalability. With its comprehensive coverage, this survey serves as an indispensable resource for researchers and practitioners navigating the dynamic terrain of DeAI. A more detailed and continuously updated version is available at https://deai.gitbook.io
... The safety and integrity of UAV reputation systems are usually threatened by Sybil attacks. 14 of 25 In the context of a UAV reputation system, a Sybil attacker can generate numerous imaginary UAV identities, each accompanied by an artificially false positive reputation [42]. Subsequently, these malicious UAVs might be utilized for various false intentions. ...
Preprint
Full-text available
The proliferation of Unmanned Aerial Vehicle (UAV) networks is increasing, driven by their capacity to deliver automated services tailored to the varied demands of numerous smart city applications. Trust, security, and privacy remain paramount in the public domain. Traditional centralized network designs fall short of ensuring device authentication, data integrity, and privacy within UAV networks’ highly dynamic and adaptable environments. Decentralized reputation systems emerge as a promising solution to enhance the reliability and trustworthiness of data and communications within these networks while safeguarding UAV security. This paper presents an exhaustive survey of trust and reputation systems, exploring existing frameworks and proposed innovations alongside their inherent challenges. It highlights the crucial role of reputation systems in strengthening trust, security, and privacy throughout these networks and discusses various strategies to mitigate existing vulnerabilities. As a useful resource for researchers and practitioners seeking to advance the state of the art in UAV network security, we hope this survey will spark further community discussion and stimulate innovative ideas in this burgeoning field.
Article
Performance of peer-to-peer resource sharing networks depends upon the level of cooperation of the participants. To date, cash-based systems have seemed too complex, while lighter-weight credit mechanisms have not provided strong incentives. We propose exchange-based mechanisms for providing incentives for cooperation in peer-to-peer file sharing networks. Peers give higher service priority to requests from peers that can provide a simultaneous and symmetric service in return. We generalize this approach to n-way exchanges among rings of peers and present a search algorithm for locating such rings. We have used simulation to analyze the effect of exchanges on performance. Our results show that exchange-based mechanisms can provide strong incentives for sharing, offering significant improvements in service times for sharing users compared to free-riders, without the problems and complexity of cash- or credit-based systems.
Article
In this paper we describe Turtle, a peer-to-peer architecture for safe sharing of sensitive data. The truly revolutionary aspect of Turtle rests in its novel way of dealing with trust issues: while existing peer-to-peer architectures with similar aims attempt to build trust relationships on top of the basic, trust-agnostic, peer-to-peer overlay, Turtle takes the opposite approach, and builds its overlay on top of pre-existent trust relationships among its users. This allows both data sender and receiver anonymity, while also protecting each and every intermediate relay in the data query path. Furthermore, its unique trust model allows Turtle to withstand most of the denial of service attacks that plague other peer-to-peer data sharing networks.
Conference Paper
Security is important for many sensor network applications. A particularly harmful attack against sensor and ad hoc networks is known as the Sybil attack [6], where a node illegitimately claims multiple identities. This paper systematically analyzes the threat posed by the Sybil attack to wireless sensor networks. We demonstrate that the attack can be exceedingly detrimental to many important functions of the sensor network such as routing, resource allocation, misbehavior detection, etc. We establish a classification of different types of the Sybil attack, which enables us to better understand the threats posed by each type, and better design countermeasures against each type. We then propose several novel techniques to defend against the Sybil attack, and analyze their effectiveness quantitatively.
Article
Previous work in computational mechanism design has largely fo-cused on the problem of revelation of private information by self-interested agents. In contrast, this work addresses the rational ma-nipulation that can occur when mechanisms are implemented by the agents themselves. We are interested in distributed implemen-tations, when agents may selfishly deviate from algorithms im-posed by a mechanism designer and damage the performance of the overall system. We define two properties for non-manipulable mechanism implementations, communication-and algorithm com-patibility and identify techniques that can be used to achieve these properties. A proof technique is introduced to show how a dis-tributed mechanism implementation can be proven to be an ex post Nash equilibrium, inclusive of the private information revelation and mechanism actions within an agent's strategy space. We focus in particular on the lowest cost interdomain routing problem pro-posed by Feigenbaum, Papadimitriou, Sami, and Shenker (FPSS) [5]. Our approach relies primarily on problem partitioning and re-dundancy and does not add significant new processing or commu-nication overhead to the distributed FPSS algorithm.