Can incentives overcome malicious behavior in p2p network?

A. M. Anisul Huq
Helsinki University of Technology
dodulhuq@gmail.com
Abstract
In recent times, the growth in the number of subscribers of
peer to peer networks has been phenomenal. Anonymity be-
ing a character of such networks also gave rise to the number
of free-riders and malicious behaviors. Though free riders
consume network bandwidth and decrease the network per-
formance by displaying selsh behavior, they are not a seri-
ous threat for the rest of the co-operative peers. Malicious
peers on the other hand, spread viruses, worms, Trojans in
the network, provide misleading feedbacks and try to disrupt
the existing trust among the peers. Along with a number
of reputation-based trust supporting frameworks various in-
centive techniques are currently being formulated to restrain
users from such free riding and malicious activities. Some of
these incentive procedures are heavyweight requiring a lot of
information among the peers, while others tend to be less re-
source consuming and lightweight [15]. In this paper, we
will compare the effectiveness of these incentive measures
against malicious activities in peer to peer networks.
1 Introduction
The earliest application of peer-to-peer (P2P) was for news-
groups (USENET) and to exchange messages (FidoNet) [1].
Then Napster emerged. With its free music sharing plat-
form and subsequent battle with the big music corpora-
tions brought the whole concept of P2P networks into lime-
light. P2P networks are primarily used for sharing les
and more recently for distributed computations. But stud-
ies have shown that the majority of le sharing users do
not offer any les for upload, but only download from oth-
ers [2, 15, 19, 21, 23]. Those who do share are doing it mostly
out of ignorance, for not even being aware of it. Or may
be they are indifferent about it, as their uplink bandwidth
would simply go unused otherwise and their own download
service quality does not suffer from uploads [15]. The pres-
ence of malicious peers is further complicating matters and
this is the main concern of this paper. They pose a bigger
threat because their main goal is to destroy data [28] or dam-
age the infrastructure by propagating worms in the system
[29]. As all the systems in a p2p network run the same soft-
ware, it is very easy for an attacker to compromise the whole
network by nding a single exploitable security hole in that
software [16].
In order to address these two challenges, researchers have
proposed some sort of reputation-based trust mechanism.
Some of these techniques use central servers, while others
are decentralized such as PeerTrust [28] or GossipTrust [29].
While such protective measures go a long way in solving the
problems at hand, they are not enough. We rmly believe
that, providing incentives for peers who share their resources
are also necessary. These incentives may come in the form
of digital cash [11] or it may be that, the service quality a
peer receives at a given moment is directly related to the
service quality it provides [15]. The latter concept can be
envisioned as a sort of bartering approach. We focus our at-
tention in comparing the performances of different incentive
techniques.
The rest of the article is organized as follows. Section 2
looks at research works that have been done till date from an
"incentive" point of view. In section 3 we try gure out the
exact nature of the threat we are up against and also look at
the current practices that are implemented in order to deter
these attacks. In section 4 we comprehensively analyze the
performances of different incentive techniques that were ei-
ther proposed or are currently in use. Section 5 tries to draw
a conclusion in terms of incentive techniques and we round
off by suggesting what needs to be done in this section.
2 Background and Related Work
A prominent feature of p2p network is anonymity. But
anonymous communication cannot be provided by the
sender (or receiver) alone. The sender must rely on one or
more nodes that will cooperate to disguise its identity. In
such systems a group of peers collectively obscure the iden-
tity of a message initiator by forwarding the message ran-
domly among themselves an arbitrary number of times be-
fore sending it to its intended recipient and returning the re-
cipients response along the reverse path. In such mecha-
nisms, the message initiator is anonymous within the group
of collaborating peers. That is, from the recipients perspec-
tive, all group members are equally likely to have initiated
the message. Furthermore, peers who forward messages can-
not distinguish between the true message initiator and an in-
termediate peer along the forwarding path [13, 17, 18]. An
important property of anonymous protocols is the degree
of anonymity they provide and their robustness to certain
types of malicious attacks [13, 27]. These metrics are usu-
ally monotonic in the number of peers in the group; having
more peers confers a higher degree of anonymity and higher
robustness to attacks.
As mentioned in the previous section, p2p networks (it
maybe a le-sharing or an ad-hoc network) are now plagued
with the problem of free-riders and malicious attackers. In-
TKK T-110.5190 Seminar on Internetworking 2009-04-27
troducing reputation-based trust mechanism may curve such
attitude. But according to Figueiredo et al. [11], such a sys-
tem will expose its peers in order to identify free-riders and
malicious attackers. Hence, incentive mechanisms that do
not require the identity disclosure of any peer must be im-
plemented. The authors propose two payment based mech-
anisms (namely, on-line and (off-line) ) that use digital
cash [11] to provide explicit incentives for cooperative peers
while keeping them anonymous. They argue that, a system
that does not provide explicit incentives will not be able to
keep a peer on-line after its anonymous communication has
nished.
But according to Chun et al. [7], the presumption of hav-
ing a widely accepted abstract currency (along with the re-
quired infrastructure) from the very beginning will make
things complicated. They propose to develop a system that is
similar to the evolution of economics. Like early economics,
they propose to start off with simple and robust bartering of
resources. They propose to use SHARP (secure highly avail-
able resource peering) [5] as the core of this system because
of its secure resource exchange protocols for bartering.
Mascolo et al. [15] on the other hand, have proposed a
new incentive measure that is lightweight, dynamic, decen-
tralized and also employs a stateless bartering ring architec-
ture combined with a simple grouping algorithm. The key
idea is to make it expensive for peers not to cooperate. For
this, the system is designed so that it is difcult to gather and
process enough information in time to exploit free-loading
opportunities in an ever changing network. Additionally, the
systems inherent instant gratication mechanism provides
peers who offer additional resources with a better service (e.
g. increased bandwidth) in return.
3 Specic P2P Attacks and Defenses
There have been basically two types of attacks on the P2P
networks. In the rst type, attackers target the data circulat-
ing in the P2P networks, e. g. by corrupting it or making
it unavailable for other peers. In the other type, attack in-
volves making the network as slower or inefcient as possi-
ble. This sort of attack is generally done by exploiting the
under lying weakness of the routing protocol. Depending on
the attackers objective, he may choose to attack from any
one direction or from both [16].
Now, in many cases attacks of one type can trigger the
other. For example, by corrupting les an attacker can
prompt users to download more copies of a much sought af-
ter le, thus slowing down the network. The opposite is also
true. In case of eclipse attacks networks are blocked (hence
inefcient) making data inaccessible which is an objective of
the rst type of attack [16].
The possibility of attack is enormous in P2P networks. We
now give an analysis of the most common type of attacks
along with the traditional defense mechanisms that are cur-
rently employed against them.
3.1 Rational Attacks
By the term "rational" we indicate to those peers who will
attempt to maximize their consumption of system resources
(one may choose to call them "selsh") while minimizing
the use of their own. Research shows that a big portion of
the peers are of this type [28]. Peers with limited bandwidth
capabilities are more prone to this tendency. Also in shar-
ing copy right material a peer might nd itself in legal prob-
lems [12]. These are good enough reasons to motivate nodes
in becoming "self-interested". If a large number of nodes be-
have in this way, it will cause the overall performance of the
network to plummet.
3.1.1 Defenses
We believe properly designed incentive mechanisms can go
a long way in solving the problem of rational attacks.
3.2 File Corruption
As the name suggests this is an attack against data in the
P2P network. The objective here is to replace a le in the
network with a false one. In order to attack in this manner,
malicious nodes will falsely claim of owning a le, and upon
a request will respond with a corrupt le. Moreover, all mes-
sages passing through malicious peer can be corrupted (sim-
ilar to a man-in-the-middle attack) giving these les a high
availability [16]. Surprisingly, it is not only individuals or a
rouge group of peers that are involved in le corruption at-
tacks. It has also been reported that, the music industry has
massively dumped corrupt and fake contents into the P2P
networks [6, 14, 16].
3.2.1 Defenses
Though le corruption attacks sound pretty dangerous, Du-
mitriu et al. [10] argue they do not pose a serious threat to the
P2P networks. The main problem is that P2P applications
often run in the background. When a polluted le is down-
loaded, it stays available for a while before it is checked by
the user and discarded. After a period of time, all polluted
les are eventually removed and the authentic les become
more available then the corrupted ones.
3.3 Sybil Attack
Sybil is of the second type of attack that we mentioned at
the beginning of this section. It is about making the net-
work cripple and inefcient. Generally, in a structured P2P
network, user identiers (IDs) uniquely identify participant
endpoints (nodes). Such structure reduces search times by
mapping content directly onto nodes based on IDs. For this
reason, the assignment and use of IDs is essential to correct
operation of the network [20]. Now, it is very much possi-
ble that a single malicious peer can generate multiple shadow
identities and thus gain control over a part of the network [9].
Once this has been accomplished, the attacker can gain ac-
cess to certain les and may decide to corrupt those. If the
attacker can position his false identities in a strategic way, the
damage can be considerable. He might choose to continue to
TKK T-110.5190 Seminar on Internetworking 2009-04-27
an eclipse attack, or slow down the network by rerouting all
queries in a wrong direction.
3.3.1 Defenses
Douceur et al. [9] have proven that, without a central trusted
authority, it is not possible to defend against Sybil attacks
[9]. Maybe carefully congured reputation-based systems
might slow the attack down, but it will not do much more.
Because, once an attacker has generated legally validated
identities, he can create and validate a lot more. Several pa-
pers have proposed a centrally trusted authority as a solu-
tion, as well as a complicated public-private key based pro-
tocol [24]. While using this protocol, each peer must sign its
messages, and respond to a challenge by the authority every
now and then. It is clear that an attacker simulating many
identities would need enormous resources in order to be able
to answer all the challenges periodically submitted to each of
his identities. While this certainly tries to solve the problem,
it is unsatisfactory. It breaks the P2P model by reintroducing
a centralized point of failure, which can easily be attacked.
3.4 Eclipse Attack
In an overlay network, each node maintains links to a rel-
atively small set of peers called neighbors. All communi-
cation within the overlay (it may be related to maintaining
the overlay or to application processing) occurs on these
links [25]. The overlay networks integrity depends on the
ability of correct nodes to communicate with each other over
a sequence of overlay links. In an Eclipse attack [4, 25, 26]
a modest number of malicious nodes conspire to fool cor-
rect nodes into adopting the malicious nodes as their peers,
with the goal of positioning themselves along strategic rout-
ing paths of the P2P network. Once an attacker has done this,
he can separate the network in more than one sub networks.
After that, if a peer wants to communicate with a peer from
some other sub network, its message must at a certain point
be routed through one of the attackers nodes. The attacker
thus "eclipses" each sub network from the others view [25].
The follwing gure (see Figure 1) gives a clear idea of what
happens.
Figure 1: An Eclipse Attack: the malicious nodes have sep-
arated the network in 2 subnetworks [16].
As we have said earlier, Eclipse attack is closely related
to the Sybil attack [9, 25] and a successful Sybil attack can
be used to induce an Eclipse attack. However, Eclipse at-
tacks are possible even in the presence of an effective defense
against Sybil attacks, such as certied node identities [4, 25].
If the P2P network is based on a decentralized overlay net-
work then nodes will periodically discover new neighbors
by consulting the neighbor sets of existing neighbors. Mali-
cious nodes can exploit this by advertising neighbor sets that
consist of only other malicious nodes. Thus, a small number
of malicious nodes with legitimate identities are sufcient to
carry out an Eclipse attack. Castro et al. identify the Eclipse
attack as a threat in structured overlay networks [4].
3.4.1 Defenses
The method introduced in [24] can be used to prevent eclipse
attack. According to this method, a node that mounts an
Eclipse attack must have a higher than average node degree.
Singh et al. [24] argues that enforcing a node degree limit by
auditing is an effective defense against Eclipse attacks.
4 Motivation for Comparison
All the authors mentioned in section 2, claim that their re-
spective techniques do not cause too much overhead for the
existing peer-to-peer networks while at the same time keep-
ing the malicious attackers at bay. But we have found that
there is no existing system that currently employs either one
of these techniques. Hence we cannot present any empirical
data to verify which approach does the best job. The best
thing to do is to compare these proposed methods and then
come up with our own conclusion.
5 Comparison
According to Mascolo et. al [15], the inherent mindset of
a peer is not to provide services such as uploading a le to
other peers. The simplest way to change this view is to in-
troduce an algorithm based on "bartering rings" where the
service quality a peer receives is directly related to the ser-
vice quality it provides. The more a peer supplies to other
peers, the more it should get back. Hence, the incentive for
cooperation. The "bartering ring" principle is simple to im-
plement when two peers are downloading directly from each
other and using a tit-for-tat (e.g. in BitTorrent [8]) strategy.
Here, each peer monitors the service provided by the other.
With three peers, all of them would download from one and
upload to the other, as shown in gure 2 (see Figure 2)(form-
ing a directional cycle). This structure can be extended for
any number of peers.
Figure 2: Bartering Rings [15]
TKK T-110.5190 Seminar on Internetworking 2009-04-27
It should be mentioned that, this scheme provides instant
gratication with no communication overhead. Because a
cooperative peer is rewarded immediately and communica-
tion is done indirectly by increasing or decreasing the quality
of service.
According to authors of "bartering ring" [15], these rings
(actually graphs) are built as a service layer on top of the
existing p2p network layer (sort of an overlay network). The
graph shows how service is provided in the p2p network,
with every directed edge representing one ongoing service.
The graph uses the under lying p2p layer for routing and
searching purposes.
In this strategy, the peers do not optimize i.e. they cannot
maximize the total incoming service for the outgoing ser-
vices they are providing. It is because a peer can be con-
nected to more than one ring. Hence, incoming and outgoing
services can be the elements of more than one ring, making
it computationally hard for the peer to optimize. Instead the
authors [15] suggest peers to increase the service quality in
all of their outgoing links until incoming services become
acceptable. This strategy makes free loading unattractive as
being cooperative results in instant gratication.
Chun et al.s [7] proposed SHARP system uses tickets for
representing resources. Holder of a ticket has control over
other peers resources for a particular time interval (called
term). Each ticket is issued by the owner of the resource and
is encrypted with its private key. Encryption ensures that
the tickets are reputable and not forgeable. But a ticket does
not guarantee the holder a rm control over the resources.
It is because the owner may oversubscribe its resources by
issuing more tickets than it can support in order to improve
resource availability. Only when the owner returns a lease to
the holder that control is guaranteed. A lease can be renewed
to allow the continuous use of the same resources. In order
to improve the cooperation among the peers, Chun et al. [7]
proposes to use tit-for-tat [3] strategy. It is a simple enough
technique where resource exchange in a round is rewarded
with resource exchange in the next round and defection in a
given round is punished in the next round. The authors also
suggest sharing P2P tit-for-tat history with friendly neigh-
bors so that a peer has a lot more information at hand when
exchanging resources with unknown peers.
Now lets look at the structure of the digital cash incen-
tive strategy proposed by Figueiredo et al. [11]. It should be
mentioned that the detailed analysis of the concept and de-
sign of digital cash is out of the scope of this review paper.
A full description of digital cash system can be found in [22]
and references therein. The key idea of this mechanism is to
provide the initiator of a message the ability to embed in each
message small anonymous payments destined to those peers
who forward the message along its path. For this, onion rout-
ing is especially suitable and is used here [11]. Peers who de-
sire service, can either join the system and accumulate cash
by providing service to others, or can purchase service with
an infusion of cash into the system. The authors argue that
the overhead imposed by these mechanisms in terms of mes-
sage latency are modest. The authors propose a publicly ac-
cessible authority issuing digital cash, which can be called
Bank. It can be decentralized as long as there is a common
currency. However, in order to be used in a P2P network,
the most important property of the digital cash mechanism
must be that, it conceals the relationship between a payer
and its purchases from the Bank and the payee. Ideally we
do not want any information of the payer revealed as well.
Also the authors propose to implement the digital cash con-
cept entirely on software. Payments are made either off-line
or on-line. In case of on-line payment, each node must val-
idate its payment with the bank in order to prevent double
spending of the same currency by the payer. The main dif-
ference with on-line method is that, with off-line payment
nodes do not interact with the Bank when a payment is re-
ceived. Instead, nodes accumulate payments and validate
them in batch at a later point e.g. when it is idle or about
to leave the system. Most off-line payment schemes have
a disincentive to double-spend by using cryptographic pay-
ment protocols which disclose the identity of the payer only
if a unit of currency is double-spent [22]. There is also a
challenge-response interaction between the payer and payee.
Here the payee issues a suitably encrypted challenge to the
payer so that payer does not double spend. Encryption keeps
the payer anonymous.
With digital cash based system, the main concern is with
time delays. Let us rst consider, the on-line method.
Figueiredo et al. [11] dened T
L
as the average round trip
time from the message generator to the L-th mode in the
path, and T
D
as the average round trip time from node L
to destination D. Now if T
B
is the average time required by
any node to interact with the bank then the average response
delay will be at most:
T
L
+T
D
+T
B
We are considering round-trip time because destination D
has to send a response using the reverse path in the onion
routing.
Incase of off-line method, there is an additional roundtrip
time for the challenge response. But T
B
is eliminated be-
cause nodes do not interact with bank after every transaction.
Hence the average response delay will be:
2T
L
+ T
D
The authors [11] argue that T
B
s contribution to the over-
all delay is negligible under the assumption that, bank inter-
actions take place while waiting for destination D to reply to
the message. But we are not so convinced by this logic. Be-
cause in the on-line method, every intermediate node within
the path from source to destination has to interact with the
bank right after every transaction. Hence a long route can
have considerable communication overhead due to T
B
.
Both Mascolo et al. [15] and Chun et al. [7] argue that,
currencies are expensive to save, exchange and secure. Also,
currencies tend to uctuate by market mechanisms. We
agree with this view. But Chun et al.s [7] "bartering" pro-
posal has considerable communication overhead as it re-
quires tickets and in some cases maintains history (optional).
Encrypting the tickets also require considerable computa-
tion. The authors [7] proposed a tit-for-tat [3] strategy for
TKK T-110.5190 Seminar on Internetworking 2009-04-27
incentives, which may work if the set of peers remain static.
But in a large and dynamic environment, the system may
need to keep a huge set of history for tit-for-tat [3] strategy
to work and in turn may slow down the whole process.
On the other hand, "bartering ring" [15] does not have any
communication or computational overhead giving it prefer-
ence over other methods. Like the "digital cash" methods,
identities of the peers also remain anonymous. So in every
way, "bartering ring" strategy should be preferred as an in-
centive method.
6 Conclusion
In this paper we have tried to analyze three different ap-
proaches toward incentives. In our analysis we have found
that, incentive techniques might lure selsh peers into co-
operating and hence improve the overall performance of the
network. But regretfully this is only an assumption, because
there is no real world data to concur with or to disrepute
this claim. However judging from the nature of the incentive
mechanisms described above we can say with a great deal
of certainty that these techniques are not sufcient to pre-
vent malicious attackers. The off-line method does expose
the identity of the double spenders and in the on-line method
bank is there to verify transactions. But these measures are
not enough against malicious peers who want to destroy the
p2p network structure for no reason what so ever. The queer
thing is that they do not even care about any nancial gains.
In order to stop peers with such psyche, we have to imple-
ment some sort of reputation based security mechanism (e.
g. PeerTrust [28], GossipTrust [29] ) and in the process sac-
rice the anonymity property of the p2p network. This is a
trade-off that the peers must accept as the threat posed by
malicious attackers are now more than ever.
References
[1] A. Abimbola, Q. Shi, and M. Merabti. Using Intru-
sion Detection to Detect Malicious Peer-to-Peer Net-
work Trafc.
[2] E. Adar and B. A. Huberman. Free Riding on Gnutella.
Technical report, Xerox PARC, August 2000.
[3] R. Axelrod. The Evolution of Cooperation. Basic
Books, 1984.
[4] M. Castro, P. Druschel, A. Ganesh, A. Rowstron, and
D. S. Wallach. Secure routing for structured peer-to-
peer overlay networks. In USENIX Operating System
Design and Implementation(OSDI), Dec 2002.
[5] J. Chase, B. Chun, Y. Fu, S. Schwab, and A. Vahdat.
Sharp: An architecture for secure resource peering.
[6] N. Christin, A. Weigend, and J. Chuang. Content
availability, pollution and poisoning in peer-to-peer le
sharing networks. In ACM E-Commerce Conference,
2005.
[7] B. Chun, Y. Fu, and A. Vahdat. Bootstrapping a
Distributed Computational Economy with Peer-to-Peer
Bartering . In Workshop on Economics of Peer-to-Peer
Systems, June 2003.
[8] B. Cohen. Incentives Build Robustness in BitTorrent.
In Workshop on Economics of Peer-to-Peer Systems,
Jun 2003.
[9] J. R. Douceur. The Sybil Attack. In Electronic Pro-
ceedings for the 1st International Workshop on Peer-
to-Peer Systems, March 2002.
[10] D. Dumitriu, E. Knightly, A. Kuzmanovic, I. Stoica,
and W. Zwaenepoel. Denial-of-service resilience in
peer-to-peer le sharing systems. In ACM SIGMET-
RICS Performance Evaluation Review, volume 33,
pages 3849, June 2005.
[11] D. R. Figueiredo, J. K. Shapiro, and D. Towsley. In-
centives for Cooperation in Anonymity Systems. Tech-
nical Report 03-21, Department of Computer Science,
University of Massachusetts at Amherst, June 2003.
[12] B. Horne, B. Pinkas, and T. Sander. Escrow ser-
vices and incentives in peer-to-peer networks. In 3rd
ACM conference on Electronic Commerce, pages 85
94, 2001.
[13] B. N. Levine and C. Shields. Hordes: A protocol for
anonymous communication over the internet. In ACM
Journal of Computer Security, volume 10, 2002.
[14] J. Liang, R. Kumar, Y. Xi, and K. Ross. Pollution in
p2p le sharing systems. In IEEE INFOCOM, 2005.
[15] C. Mascolo, T. Ackemann, and W. Emmerich.
Lightweight Incentives for Peer-to-Peer Networks.
[16] B. Pretre and D. R. Wattenhofer. Attacks on Peer-to-
Peer Networks, 2005.
[17] M. G. Reed, P. F. Syverson, and D. M. Goldschlag.
Anonymous connections and onion routing. In IEEE
Journal on Selected Areas in Communication Special
Issue on Copyright and Privacy Protection, 1998.
[18] M. K. Reiter and A. D. Rubin. Crowds: anonymity for
Web transactions. In ACMTransactions on Information
and System Security, volume 1, pages 6692, 1998.
[19] M. Ripeanu, I. Foster, , and A. Iamnitchi. Mapping
the gnutella network: Properties of large-scale peer-to-
peer systems and implications for system design. In
IEEE Internet Computing Journal, volume 6, 2002.
[20] H. Rowaihy, W. Enck, P. McDaniel, and T. L. Porta.
Limiting Sybil Attacks in Structured P2P Networks.
In INFOCOM 2007. 26th IEEE International Con-
ference on Computer Communications. IEEE, pages
25962600, May 2007.
[21] S. Saroiu, P. K. Gummadi, and S. D. Gribble. A
Measurement Study of Peer-to-Peer File Sharing Sys-
tems. In Multimedia Computing and Networking 2002
(MMCN 02), San Jose, CA, USA, January 2002.
TKK T-110.5190 Seminar on Internetworking 2009-04-27
[22] B. Schneier. Applied Cryptography. John Wiley and
Sons, 2nd edition, 1996.
[23] S. Sen and J. Wong. Analyzing peer-to-peer trafc
across large networks. In Internet Measurement Work-
shop 2002, November 2002.
[24] A. Singh, M. Castro, P. Druschel, and A. Rowstron.
Defending against eclipse attacks on overlay networks.
In ACM SIGOPS European workshop, 2004.
[25] A. Singh, T.-W. J. Ngan, P. Druschel, and D. S. Wal-
lach. Eclipse Attacks on Overlay Networks: Threats
and Defenses.
[26] E. Sit and R. Morris. Security considerations for peer-
to-peer distributed hash tables. In 1st International
Workshop on Peer-to-Peer Systems (IPTPS), Mar 2002.
[27] M. Wright, M. Adler, B. N. Levine, and C. Shields. An
analysis of the degradation of anonymous protocols. In
Proc. ISOC Network and Distributed System Security
Symposium (NDSS 2002), February 2002.
[28] L. Xiong and L. Liu. PeerTrust: Supporting
Reputation-Based Trust for Peer-to-Peer Electronic
Communities. In IEEE Transactions on Knowledge
and Data Engineering, volume 16, July 2004.
[29] R. Zhou, K. Hwang, and M. Cai. GossipTrust for Fast
Reputation Aggregation in Peer-to-Peer Networks. In
IEEE Transactions on Knowledge and Data Engineer-
ing, volume 20, September 2008.