Peer-to-Peer's Most Wanted: Malicious Peers Loubna Mekouar, Youssef Iraqi and Raouf Boutaba University of Waterloo, Waterloo, Canada lmekouar ...
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Peer-to-Peer’s Most Wanted: Malicious Peers∗
Loubna Mekouar, Youssef Iraqi and Raouf Boutaba
University of Waterloo, Waterloo, Canada
{lmekouar, iraqi, rboutaba}@bbcr.uwaterloo.ca
In this paper, we propose a reputation management scheme for partially decentralized peer-to-peer systems.
The reputation scheme helps to build trust among peers based on their past experiences and feedback from other
peers. Two selection advisor algorithms are proposed for helping peers to select the most trustworthy peer to
download from. The proposed algorithms can detect malicious peers sending inauthentic files. The Malicious
Detector Algorithm is also proposed to detect liar peers that send the wrong feedback to subvert the reputation
system. The new concept of Suspicious Transactions is introduced and explained. Simulation results confirm the
capability of the proposed algorithms to effectively detect malicious peers and isolate them from the system, hence
reducing the amount of inauthentic uploads, increasing peers’ satisfaction, and preserving network resources.
Keywords: Reputation Management, Suspicious Transactions, Authentic Behavior, Credibility Behavior, Par-
tially Decentralized Peer-to-Peer Systems.
1. Introduction files shared by local peers. These special peers
are called “supernodes” or “ultrapeers” and are
1.1. Background assigned dynamically [6]. They can be replaced
In a Peer-to-Peer (P2P) file sharing system, in case of failure or malicious attack. For peers
peers communicate directly with each other to ex- connected to supernodes, the supernodes index
change information and share files. P2P systems shared files and proxy search requests on behalf of
can be divided into several categories (Figure 1): these peers. Queries are therefore sent to supern-
Centralized P2P systems (e.g., Napster [1]) use odes, not to other peers. A supernode typically
a centralized control server to manage the sys- supports 300 to 500 peers, depending on available
tems. These systems suffer from a single point resources [5]. Figure 2 depicts the paths of both
of failure, scalability, and censorship problems. control and data messages in partially decentral-
Decentralized P2P systems try to distribute con- ized systems. Partially decentralized systems are
trol over several peers. They can be divided into the most popular; for example, KaZaA supports
completely decentralized and partially decentral- more than four million simultaneous peers, and
ized systems. Completely decentralized systems the amount of data available for download is more
(e.g., Gnutella [2]) have absolutely no hierarchi- than 5281.54 TB.
cal structure among peers. In other words, all In traditional P2P systems (i.e., without any
peers have exactly the same role. In partially de- reputation mechanism), a user is given a list of
centralized systems (e.g., KaZaA [3], Morpheus peers that can provide the requested file. The
[4] and Gnutella2 [5]), peers can have different user has then to choose one peer from which the
roles. Some peers act as local central indexes for download will be performed. This process is frus-
∗ The
trating to the user because this latter struggles
present work was partially funded by the Natural
Sciences and Engineering Research Council of Canada
to choose the most trustworthy peer. After the
(NSERC). A preliminary version was published in the download has finished, the user has to check the
IFIP/IEEE International Workshop on Distributed Sys- received file for malicious content (e.g., viruses2 )
tems: Operations & Management (DSOM), 2004, and
in the IEEE Consumer Communications and Networking
Conference (CCNC), 2005. 2 such as the VBS.Gnutella Worm [7]
12 Loubna Mekouar, Youssef Iraqi and Raouf Boutaba
Centralized
Send a request for a file
e.g. Napster
Receive a list of peers that have the file
P2P systems
Completely
Decentralized
e.g. Gnutella
Decentralized
Select a peer from the list
Partially
Decentralized
e.g. Gnutella2, Download the file
KaZaA, Morpheus
No Yes
File is good?
Figure 1. P2P systems
Figure 3. Life cycle in a traditional P2P system
2. Receive a list of peers that have the re-
Peer
quested file
Supernode
Control 3. Select a peer (performed by the human
Data user)
4. Download the file
In [8] it is stated that most of the shared con-
tent is provided by only 30% of peers. A mech-
anism is needed to reward these peers and en-
Figure 2. Example topology in a partially decen-
courage other peers to share their content. At
tralized P2P system
the same time, a mechanism is needed to punish
peers that exhibit malicious behavior (i.e., those
that provide malicious content or misleading file-
names) or at least isolate them from the system.
and verify that the received file corresponds to
Reputation-based P2P systems [9–13] were in-
the requested file (i.e., the requested content). If
troduced to solve these problems. These systems
the file is not acceptable, the user has to restart
try to provide a reputation management system
the process3 . In traditional P2P systems, little
that will evaluate the transactions performed by
information is given to the user to help in the
peers and associate a reputation value to these
selection process.
peers. The reputation values will be used as se-
The following is the life cycle of a peer in a
lection criteria among peers. These systems differ
traditional P2P system (see Figure 3):
in how they compute reputation values, and how
1. Send a file request (either to the supernode they use these values.
or to other peers, depending on the P2P The following is the life cycle of a peer in a
system) reputation-based P2P system (Figure 4):
3 The download can take few days for large files 1. Send a file requestPeer-to-Peer’s Most Wanted: Malicious Peers 3
2. Receive a list of peers that have the re-
quested file
Send a request for a file
3. Select a peer or a set of peers, based on a
reputation metric Receive a list of peers that have the file
4. Download the file
Select a peer based on a reputation metric
5. Send feedback and update the reputation
data
Download the file
1.2. Motivation and contribution
Partially decentralized P2P systems have been Update No Yes Update
proposed to reduce the control overhead needed Reputation File is good? Reputation
Data Data
to run the P2P system. They also provide lower
discovery time because the discovery process in-
volves only supernodes. Several reputation man-
agement systems have been proposed in the lit- Figure 4. Life cycle in a reputation-based P2P
erature (Section 9 provides more details). They system
have focused on completely decentralized P2P
systems. Only KaZaA, a proprietary partially de-
centralized P2P system, has introduced basic rep-
utation metric (called “participation level”) for
rating peers. The proposed reputation manage- reduces message overhead significantly. In fact,
ment schemes for completely decentralized P2P once a supernode sends a search request on behalf
systems cannot be applied in the case of a par- a peer, the supernode will get a list of peers that
tially decentralized system. The latter relies on have the requested file and their reputations from
supernodes for control message exchange (i.e., no their corresponding supernodes. In this case, no
direct management messages are allowed among voting system is needed since the reputation will
peers.) represent all past experiences from all the peers
In completely decentralized P2P systems, each that had interacted with these peers. A supern-
peer may record information on past experiences ode will be also used to provide service differen-
with all peers it has interacted with and may use a tiation based on reputation data of the peers it is
voting system to request peers’ opinions regard- responsible for.
ing the peers that have the requested file. The In this paper, we propose a reputation man-
goal of this paper is to take advantage of the use agement system for partially decentralized P2P
of supernodes in partially decentralized P2P sys- systems. This reputation mechanism allows more
tems for reputation management. In addition to clearsighted management of peers and files. Our
being used for control message exchange, a su- contribution is in step 3 and 5 of the life cycle of a
pernode will also be used to store reputation data peer in a reputation-based P2P system (cf. 1.1).
for peers it serves, update this data, and provide Good reputation is obtained by having consistent
it to other supernodes. Since each peer interacts good behavior through several transactions. The
only with one supernode at a time (an assumption reputation criteria is used to distinguish among
that can be justified by the use of FastTrack4 ), the peers. The goal is to maximize the user satisfac-
proposed approach achieves more accuracy and tion, and decrease the sharing of corrupted files.
4 Although
This algorithm detects malicious peers that are
in this paper, it is assumed that each peer in-
teracts only with one supernode at a time, the proposed
sending inauthentic files and isolates them from
mechanism can easily be extended to handle the case when the system.
a peer can connect to several supernodes at the same time. In this paper, we also propose a novel scheme,4 Loubna Mekouar, Youssef Iraqi and Raouf Boutaba
that in addition to detecting and punishing in- We assume that supernodes are selected from a
authentic peers, detects liar peers and punishes set of trusted peers. This means that supernodes
them. This scheme reduces considerably the are trusted to manipulate the reputation data.
amount of malicious uploads and protects the This trust is similar to the trust given to these
health of the system. supernodes for control messages exchange.
The reputation considered in this paper, is for
trust (i.e. maliciousness of peers), based on the 2.2. The Reputation Management Scheme
accuracy and quality of the file received. We also After downloading a file F from peer Pj , peer
consider that peers can lie while sending feedback. Pi will evaluate this download. If the file received
We assume no other malicious behaviors such as corresponds to the requested file, then we set
Denial of Service Attacks etc. Such malicious be- AF F
i,j = 1. If not, we set Ai,j = −1. In this case,
haviors are outside of the scope of this paper and either the file has the same title as the requested
left for future work. file but different content, or that its quality is
The paper is organized as follows. In Sec- not acceptable. Note that if we want to support
tion 2, we introduce the new reputation manage- different levels of appreciations, we can set the
ment schemes considered in this paper. Section appreciation as a real number between −1 and 1.
3, describes the proposed selection advisor mech- Note also that a null appreciation can be used,
anisms. Section 4, presents an analysis of peers’ for example, if a faulty communication occurred
behavior. Section 5 discusses the proposed ap- during the file transfer.
proaches to detect malicious peers. Section 6 dis- Each peer Pi in the system has four values,
cusses service differentiation issues in the consid- called reputation data (REPPi ), stored by its su-
ered P2P systems. Section 7 presents the per- pernode Sup(i):
formance evaluation of the proposed schemes and +
1. Di,∗ : Satisfied downloads of peer Pi from
Section 8 presents some open issues, while Section other peers,
9 presents the related works. Finally, Section 10
−
concludes the paper. 2. Di,∗ : Unsatisfied downloads of peer Pi from
other peers,
2. Reputation Management +
3. D∗,i : Satisfied uploads from peer Pi to
In this section, we describe the proposed rep- other peers,
utation management schemes. The following no- −
4. D∗,i : Unsatisfied uploads from peer Pi to
tations will be used. other peers
2.1. Notations and Assumptions +
Di,∗ −
and Di,∗ provide an idea about the health
• Let Pi denotes peer i of the system (i.e., satisfaction of peers) while
+ −
D∗,i and D∗,i provide an idea about the amount
• Let Di,j be the units of downloads per- and quality of uploads provided by peer Pi . They
formed by peer Pi from peer Pj can, for example, help detect free riders. Keeping
−
track of D∗,i will also help detecting malicious
• Let Di,∗ denotes the units of downloads per-
peers (i.e. those peers who are providing cor-
formed by peer Pi
rupted files and/or misleading filenames). Note
that we have the following relationships:
• Let D∗,j denotes the units of uploads by
peer Pj + −
Di,∗ + Di,∗ = Di,∗ ∀i
+ − (1)
D∗,i + D∗,i = D∗,i ∀i
• Let AF be the appreciation of peer Pi after
i,j
downloading the file F from peer Pj . Keeping track of these values is important. They
will be used as an indication of the reputation
• Let Sup(i) denotes the supernode of peer i and the satisfaction of peers.Peer-to-Peer’s Most Wanted: Malicious Peers 5
Figure 5 depicts the steps performed after re- Pi Sup(i) Sup(j) Pj
ceiving a file. When receiving the appreciation
(i.e. AF i,j ) of peer Pi , its supernode Sup(i) will F
+ −
update Di,∗ and Di,∗ values. The appreciation is
AFij
then sent to the supernode of peer Pj to update
+ −
D∗,j and D∗,j values. The way these values are Update
updated is explained in the following subsections D+i,* , D-i,*
2.3 and 2.4.
When peer Pi joins the system for the first AFij
time, all values of its reputation data REPPi are
initialized to zero5 . Based on peer’s transactions Update
D+*,j , D-*,j
of uploads and downloads, these values are up-
dated. Periodically, the supernode of peer Pi
sends REPPi to the peer. This period of time
is not too long to preserve accuracy and not too
short to avoid extra overhead. The peer will keep Figure 5. Reputation update steps
a copy of REPPi to be used the next time the peer
joins the system or if its supernode changes. The
reputation data can be used to compute impor-
tant reputation parameters as presented in sec- since it does not take into consideration the size
tion 3. of the downloads, this scheme makes no differ-
To prevent tampering with REPPi , we assume ence between peers who are uploading large files
that supernodes share a secret key that will be and those who are uploading small files. This
used to digitally sign REPPi . The mechanism may rise a fairness issue among peers as upload-
used to do so is outside the scope of this pa- ing large files necessitates the dedication of more
per. The reader is referred to [14] for a survey resources. Also, some malicious peers may arti-
on key management for secure group communi- ficially increase their reputation by uploading a
cation. We also assume the use of public key large number of small files.
encryption to provide integrity of message ex-
2.4. The Size Based Appreciation Scheme
changes.
A better approach is to take into consideration
2.3. The Number Based Appreciation the size of the download. Once the peer sends its
Scheme appreciation, the size of the download Size(F )
In this first scheme, we will use the number of (the amount of bytes downloaded by the peer Pi
downloads as an indication of the amount down- from peer Pj ) is also sent6 . The reputation data
loaded. This means that D∗,j will indicate the of Pi and Pj will be updated based on the amount
number of downloads from peer Pj , i.e. the num- of data downloaded.
ber of uploads by peer Pj . In this case, after each In this case, after each download transaction
download transaction by peer Pi from peer Pj , by peer Pi from peer Pj , Sup(i) will perform the
Sup(i) will perform the following operation: following operation:
+ +
If AF + − If AF
i,j = 1 then Di,∗ = Di,∗ + Size(F ),
i,j = 1 then Di,∗ + +, else Di,∗ + +. − −
and Sup(j) will perform the following opera- else Di,∗ = Di,∗ + Size(F ).
tion: and Sup(j) will perform the following opera-
If AF + −
i,j = 1 then D∗,j + +, else D∗,j + +.
tion:
+ +
This scheme allows to rate peers according to If AF
i,j = 1 then D∗,j = D∗,j + Size(F ),
the number of transactions performed. However, 6 Alternatively the supernode can know the size of the file
from the information received as a response to the peer’s
5 This is a neutral reputation value. search request.6 Loubna Mekouar, Youssef Iraqi and Raouf Boutaba
− − j 1 2
else D∗,j = D∗,j + Size(F ).
+
If we want to include the content of files in the D∗,j 40 20
−
rating scheme, it is possible to attribute a coeffi- D∗,j 20 0
cient for each file. For example, in the case that Table 1
the file is rare, the uploading peer could be re- Example of Reputation Data
warded by increasing its satisfied uploads with
more than just the size of the file. Eventually, in-
stead of using the size of the download, we can use
the amount of resources dedicated by the upload- The following subsections describe two alterna-
ing peer to this upload operation (i.e. processing, tive selection algorithms. Anyone of these algo-
bandwidth, time, etc.). rithms can be based on one of the appreciation
schemes presented in section 2.3 and 2.4. Note
3. The Selection Advisor Algorithm that only the satisfied and unsatisfied units of up-
+ −
loads (i.e. D∗,j , D∗,j ) are considered for comput-
In this section, we assume that peer Pi has re- ing the reputation of a peer. The satisfied and
+ −
ceived a list of peers Pj that have the requested unsatisfied units of downloads (i.e. Di,∗ , Di,∗ )
file and their corresponding reputation values. will be taken into consideration for service differ-
These values are computed at their correspond- entiation.
ing supernodes and sent to the supernode of the
peer requesting the file (i.e., Pi ). Peer Pi has to 3.1. The Difference Based Algorithm
use the reputation value as a selection criterion In this scheme, we compute the Difference-
among these peers and choose the right peer to Based (DB) behavior of a peer Pj as:
download from. Note that the four values of the + −
reputation data are not sent to Pi . Only one rep- DBj = D∗,j − D∗,j (2)
utation value for each peer that has the requested
This value gives an idea about the aggregate be-
file will be received. Note also that the selection
havior of the peer. Note that the reputation as
operation can be performed at the level of the
defined in equation 2 can be negative. This rep-
supernode, i.e. the supernode can, for example,
utation value gives preference to peers who per-
filter malicious peers from the list given to peer
formed more good uploads than bad ones.
Pi .
The following is the life cycle of a peer Pi in 3.2. The Inauthentic Detector Algorithm
the proposed reputation-based P2P system: In the previous scheme, only the difference be-
+ −
tween D∗,j and D∗,j is considered. This may not
1. Send a request for a file F to the supernode
give a real idea about the behavior of the peers
Sup(i)
as shown in the following example. If peer P1
2. Receive a list of candidate peers that have and peer P2 have the reputation data as in Ta-
the requested file ble 1, and assume we are using the Size Based Ap-
preciation scheme, then according to Difference-
3. Select a peer or a set of peers Pj based on Based algorithm (cf. equation 2) we have DB1 =
a reputation metric (The reputation algo- 40 − 20 = 20 MB and DB2 = 20 − 0 = 20 MB.
rithms are presented in the following sub- In this case, both peers have the same reputa-
sections 3.1 and 3.2). tion. However, from the user’s perspective, peer
P2 is more preferable than peer P1 . Indeed, peer
4. Download the file F P2 has not uploaded any malicious files. To solve
this problem, we propose to take into considera-
+ −
5. Send feedback AF i,j . Sup(i) and Sup(j) tion not only the difference between D∗,j and D∗,j
will update the reputation data REPPi and but also the sum of these values. In this scheme,
REPPj respectively. we compute the Authentic Behavior of a peer PjPeer-to-Peer’s Most Wanted: Malicious Peers 7
as: this case, we call this approach the explicit ser-
+
D∗,j −
−D∗,j +
D∗,j −
−D∗,j
vice differentiation. Service differentiation will be
ABj = + − = D∗,j if D∗,j 6= 0 discussed in section 6.
D∗,j +D∗,j (3)
ABj = 0 otherwise
Note that the reputation as defined in equation 3 4. Peer Behavior Understanding
+
is a real number between −1 (if D∗,j = 0) and 1 In all previously proposed feedback-based rep-
−
(if D∗,j = 0). utation management schemes for P2P systems,
If we go back to the example in table 1, then the emphasize was on detecting and punishing
we have AB1 = (40 − 20)/60 = 1/3 and AB2 = peers who are sending inauthentic files. No spe-
(20−0)/20 = 1. The Inauthentic Detector scheme cial mechanism was proposed to detect and pun-
will choose peer P2 . ish peers that send wrong feedbacks. Although
When using this reputation scheme, the peer some of the proposed feedback-based reputation
can do one of the following: schemes take this behavior into consideration,
those schemes rely on peers’ reputation for their
1. Choose peer Pj with the maximum value of
peer-selection process. In this paper, we intro-
ABj , or
duce the concept of suspicious transactions to de-
2. Choose the set of peers Pj such that tect liar peers.
ABj ≥ ABthreshold , where ABthreshold In a P2P system, peers can lie in their feed-
is a parameter set by the peer Pi or by backs. Such liar peers can subvert the reputation
the system. The latter case can be used if system by affecting badly the reputation of other
the P2P system supports swarmed retrieval peers (increase the reputation of malicious peers,
(i.e. the system is able to download sev- and/or decrease the reputation of good peers).
eral pieces of the file simultaneously from These malicious peers may not be detected if they
different peers.) Note that our proposed are not sending inauthentic files and, hence, their
schemes as presented in this paper can be reputation can be high and they will be wrong-
easily adapted to systems with swarmed re- fully trusted by the system.
trieval. In this case, each peer participating Malicious peers send inauthentic files to sat-
in the upload operation, will see its reputa- isfy their needs in propagating malicious content:
tion data updated according to the amount e.g. viruses and misleading filenames. Malicious
it uploaded. peers can also lie in their feedbacks to satisfy their
needs to subvert the reputation system. Acting
Note that in the case where there are several maliciously has bad effects on any Peer-to-Peer
peers with a maximum reputation value, one peer system. We believe that it is of paramount im-
can be selected randomly or other parameters can portance to detect liar peers and prevent them
be used to distinguish among peers. One can use from affecting the system.
the amount of available resources as a selection In this context, free riders [8] will not be con-
criterion. For example nodes with higher outgo- sidered as malicious peers if they do not affect
ing bandwidth will be preferable. directly the reputation of other peers.
As it will be shown in the performance eval-
uation section 7, the proposed schemes are able 4.1. Peer Behavior Categorization
to isolate malicious peers from the system by not In a P2P system, we consider two general be-
requesting them for uploads. This will prevent haviors of peers: good and malicious. Good peers
malicious peers from increasing their reputation. are those that send authentic files and do not lie
We call this approach the implicit service differ- in their feedbacks (Type T 1 in Table 2). Mali-
entiation. In addition of being used as a selection cious peers can be divided into three categories:
criterion, the reputation data can be used by the 1) peers that send inauthentic files and do not lie
supernode to perform service differentiation. In in their feedbacks (Type T 2), 2) peers that send8 Loubna Mekouar, Youssef Iraqi and Raouf Boutaba
Type Peer Authentic Credibility
Behavior Behavior
T1 Good High High
T2 Malicious: Inauthentic Low High
T3 Malicious: Liar High Low
T4 Malicious: Inauthentic and Liar Low Low
Table 2
Peer Behavior
authentic files and do lie in their feedbacks (Type 5. Detecting Malicious Peers
T 3), and 3) peers that send inauthentic files and
do lie in their feedbacks (Type T 4). Let’s assume that peer Pi downloads file F from
A liar peer is one that after receiving an au- peer Pj . We focus on the Authentic Behavior
thentic file, instead of giving an appreciation (sending authentic or inauthentic files) of peer Pj
equal to 1, the peer sends an appreciation equal since it is sending the file, and the Credibility Be-
to −1 to decrease the reputation of the peer up- havior (lying or not in the feedback) of peer Pi
loading the file. Or, if the peer receives an in- since it is sending the appreciation that will af-
authentic file, it sends a positive appreciation to fect the reputation of peer Pj . If we want to take
increase the reputation of other malicious peers. the appropriate actions after this transaction, we
Note that we consider the consistent behaviors of have to detect if peer Pj belongs to any of the
peers. This means that most of the time a peer categories T 2 and T 4, and if peer Pi belongs to
behavior is consistent with the category it belongs any of the categories T 3 and T 4.
to (i.e. T 1, T 2, T 3, or T 4). For example, a good IDA (section 3.2) allows us to detect peers
peer can sometimes (on purpose or by mistake) sending inauthentic files. The goal now is to de-
send inauthentic files. Note also that peers can tect peers that send wrong feedbacks and dimin-
change their behavior over time and hence can ish their impact on the reputation-based system.
jump from one category to another. A free rider 5.1. First Approach
can belong to one of the categories described in One approach is to say that malicious peers
Table 2 and the system will deal with it accord- have a low reputation than good peers. One way
ingly. of reducing the impact of peers having a low rep-
utation is to take this later into account when
updating the reputation of other peers.
We can then change the operations in section
2.4, to:
4.2. Effect On Reputation + +
If AF
i,j = 1 then D∗,j = D∗,j + 1+AB i
Size(F )
Peers can have positive or negative reputations. − −
2
1+ABi (4)
A good peer usually has a positive reputation else D∗,j = D∗,j + 2 Size(F )
since he is behaving well, but since malicious
Using this approach7 , the impact of peer Pi on
peers can lie, his reputation can decrease and
the reputation of peer Pj is related to the trust
even get negative. In contrast, malicious peers
given to peer Pi . The trust is expressed by the
will have negative reputation values since they
value of ABi . If peer Pi has a good reputation
are sending inauthentic files. However, their rep-
(usually above zero), it is trusted more and it
utation values can increase and even get positive
will impact the reputation of peer Pj , but, if its
if some other malicious peers send positive ap-
reputation is low (usually negative), only a small
preciations even if they receive inauthentic files.
This happens in systems where liar peers are not 7 Inoperation (4), 1+AB i
can be replaced by any function
2
detected nor punished. of ABi that is strictly increasing from 0 to 1.Peer-to-Peer’s Most Wanted: Malicious Peers 9
fraction of the file size is considered hence reduc- When receiving the appreciation (i.e. AF i,j ) of
ing the impact on the reputation of peer Pj . peer Pi , its supernode Sup(i) will update the val-
In case peer Pi is new, his reputation is null ues of Ni and Ni∗ as follows:
and since we do not know yet if he is a good
or a malicious peer, only half of the size of the Ni = Ni + 1
(5)
uploaded file F is affecting the reputation of the If (AF ∗ ∗
i,j × ABj ) < 0 then Ni = Ni + 1
peer uploading the file (i.e. peer Pj ).
The problem with this approach appears in the Let αi be the ratio of Ni∗ and Ni :
following example. Assume that some peers be- Ni∗
long to category T 3. Those peers always send au- αi = (6)
Ni
thentic files, but send also wrong appreciations.
Most of the time, and according to operation (4), Note that 0 ≤ αi ≤ 1 ∀i
those peers will have a high reputation since they αi is the ratio of the number of suspicious feed-
always send authentic files and hence will receive backs9 sent by peer Pi over the total number of
good feedbacks8 . Those peers will be trusted by feedbacks sent by peer Pi . αi is a good indicator
the system and will affect badly the reputations of the liar behavior of peer Pi . Indeed, if peer Pi
of other peers and may eventually brake the sys- lies in its feedbacks, the number of times AF i,j and
tem. The performance evaluation section assesses the sender’s reputation having different signs, is
the effect of liar peers on the reputation of other high and hence the value of Ni∗ . Liar peers will
peers. tend to have values of αi near 1. Good peers will
tend to have values of αi near zero.
5.2. Second Approach
To minimize the effect of liar peers, we pro-
A better approach to detect peers that lie in
pose to use the following update strategy for the
their feedbacks is to detect suspicious transac-
sender’s appreciation; After receiving the appre-
tions. We define a suspicious transaction as one
ciation AF i,j , the sender’s supernode Sup(j) will
in which the appreciation is different from the one
perform the following operations:
expected knowing the reputation of the sender.
If AFi,j = 1
In other words, if AFi,j = 1 and ABj < 0 or if + +
F then D∗,j = D∗,j + (1 − αi ) × Size(F )
Ai,j = −1 and ABj > 0 then we consider this − −
transaction as suspicious. else D∗,j = D∗,j + (1 − αi ) × Size(F )
To detect peers that lie in their feedbacks, for
each peer Pi we keep track of the following values: T Fj = T Fj + Size(F )
1. Ni : The total number of downloads per- Since liar peers (in categories T 3 and T 4) will
formed by peer Pi have a high value of αi , their effect on the repu-
tation of the peer sending the file is minimized.
2. Ni∗ : The number of downloads by peer Pi
This is because the higher the value of αi , the
where the sign of the appreciation sent by
lower the value of (1 − αi ). On the other hand,
peer Pi is different from the sign of the
good peers will have a lower value of αi and hence
sender’s reputation, i.e. AF i,j × ABj < 0 will keep having an impact of the reputation of
(i.e. during a suspicious transaction)
other peers.
3. T Fi : The total size of all the files uploaded Note that ABj is updated after each upload
by Pi . of peer Pj (equation 7) and αi is updated after
each download of peer Pi . This means that liar
Note that Ni∗ ≤ Ni ∀i peers will be detected and punished even if they
8 We assume that the percentage of malicious peers, in a did not upload any file and inauthentic peers will
P2P system, is lower than the percentage of good peers.
This assumption is realistic since this is the basis on which 9A suspicious feedback is the feedback sent during a sus-
peer-to-peer systems can work. picious transaction10 Loubna Mekouar, Youssef Iraqi and Raouf Boutaba
be detected and punished even if they did not of peer’s behavior. If Di,∗ >> D∗,i , then this peer
perform any download. can be considered as a free rider. Its supernode
D + −D∗,j
− can reduce or stop providing services to this peer.
ABj = ∗,jT Fj if T Fj 6= 0 (7) This will encourage and motivate free riders to
ABj = 0 otherwise share more with others. In addition, the supern-
ode can enforce additional management policies
If peer Pi changes its behavior, αi will also
to protect the system from malicious peers. It is
change, and hence its impact on the reputation
also possible to implement mechanisms to prevent
of others. For example, if peer Pi changes its be-
malicious peers from downloading in addition to
havior from category T 3 to T 1 (c.f. table 2), the
prevent them from uploading.
number of suspicious transactions Ni∗ involving
Moreover, the mechanism presented in 5.2 to
this peer (in comparison to the total number of
detect malicious peers, will allow the supern-
transactions Ni ) will be less and hence the value
ode to enforce service differentiation according to
of αi will decrease, making the impact of this peer
peers’ reputation. For example, when processing
more considerable.
a search request, the supernode can give higher
Let the Credibility Behavior of peer Pi be:
priority to good peers who do not send inauthen-
CBi = 1 − αi .
tic files nor lie in their feedbacks. In addition,
In this case, the reputation of peer Pi is the cou-
when a peer Pi receives a list of peers that have
ple (ABi , CBi ) which characterize the behavior of
the requested file and chooses peer Pj to down-
peer Pi in terms of Authentic Behavior (sending
load from, peer Pi ’s reputation that is the couple
authentic or inauthentic files) and Credibility Be-
(ABi , CBi ) may be also sent to peer Pj who will
havior (lying or not in the feedback). Note that
decide whether to upload or not the requested
because the behavior of peers is characterized by
file. In case that the value of CBi is too low, the
two values, the supernode can still download a file
peer Pj can choose not to upload the file since
from a peer with low value of CBi as long as the
its reputation can be affected. Usually, peer Pj
value of ABi is high. This means that the system
will expect its ABj to increase as a return of up-
can still take advantage of a peer that provides
loading a good-quality requested file to Pi but the
authentic files but lies in its feedbacks. We will
low value of CBi will not guarantee this increase.
refer to this algorithm as the Malicious Detector
This service differentiation at peers level will mo-
Algorithm (MDA).
tivate peers to protect their reputation by not
The performance evaluation section presents
lying in the feedbacks if they want to download
results that confirm that the Credibility Behav-
files from other peers.
ior is a very good indicator of the liar behavior
of peers, and hence can be used to differentiate
7. Performance Evaluation
among peers. This will in turn allow for better
management of peers and hence, provide better In the performance evaluation section, we will
performance. focus on:
6. Service Differentiation • Simulating the Difference-Based and the In-
authentic Detector algorithms: in this case
In addition of being used as selection criteria, these algorithms are compared with the
the reputation data can be used by the supernode KaZaA-Based and the Random Way algo-
to perform service differentiation. Periodically, rithms. No liar peers are considered in
the supernode can check the reputation data of this first set of simulations to prove the ef-
its peers and assign priorities to them. Peers with fectiveness of the proposed algorithms and
high reputation will have higher priority while their outstanding performance compared to
those with lower reputation will receive a low pri- other schemes.
ority. For example, by comparing the values of
D∗,i and Di,∗ one can have a real characterization • Simulating the Inauthentic Detector andPeer-to-Peer’s Most Wanted: Malicious Peers 11
Algorithm Acronym
Difference-Based algorithm DB
Inauthentic Detector algorithm IDA 7.1.1. Simulation Parameters
KaZaA-Based algorithm KB We use the following simulation parameters:
Random Way algorithm RW
Table 3 • We simulate a system with 1000 peers.
Simulated Algorithms
• The number of files is 1000.
• File sizes are uniformly distributed between
the Malicious Detector algorithms: in this 10MB and 150MB.
case, these algorithms are compared to the
KaZaA-Based and the Random Way algo- • At the beginning of the simulation, each
rithms. A high percentage of malicious peer has one of the files randomly and each
peers is considered to show the effective- file has one owner.
ness of both the IDA and MDA in detect-
ing malicious peers who are sending mali- • As observed by [15], KaZaA files’ requests
cious content. Moreover, this second set of do not follow the Zipf’s law distribution.
simulations demonstrates the effectiveness In our simulations, file requests follow the
of MDA in detecting liar peers and reduc- real life distribution observed in [15]. This
ing the amount of malicious uploads hence means that each peer can ask for a file with
allowing for better network resources uti- a Zipf distribution over all the files that the
lization and higher peer satisfaction. peer does not already have. The Zipf dis-
tribution parameter is chosen close to 1 as
7.1. Simulation of the Difference-Based assumed in [15].
and the Inauthentic Detector Algo-
rithms • The probability of malicious peers is 50%.
In this first set of simulations, we will simulate Recall that our goal is to assess the capabil-
the two selection advisor algorithms (cf. section ity of the proposed selection algorithms to
3.1 and 3.2) namely, the Difference-Based (DB ) isolate malicious peers.
algorithm and the Inauthentic Detector algorithm
(IDA). Both schemes use the Size-Based Appre- • The probability of a malicious peer to up-
ciation Scheme proposed in section 2.4. We will load an inauthentic file is 80%.
compare the performance of these two algorithms
with the following two schemes. • Only 80% of all peers with the requested file
In KaZaA [3], the peer participation level is are found in each request.
computed as follows: (uploaded/downloaded) ×
100, i.e. using our notation (cf. section 2.1) the • We simulate 30000 requests. This means
participation level is (D∗,j /Dj,∗ ) × 100. We will that each peer performs an average of 30
consider the scheme where each peer uses the par- requests. For this reason we did not specify
ticipation level of other peers as selection criteria a storage capacity limit.
and we will refer to it as the KaZaA-Based algo-
rithm (KB ). • Unless stated otherwise, the simulations
We will also simulate a system without reputa- were repeated 10 times over which the re-
tion management. This means that the selection sults are averaged.
is done in a random way. We will refer to this
algorithm as the Random Way algorithm (RW ). 7.1.2. Performance Parameters
Table 3 presents the list of considered algorithms. In this first set of simulations we will mainly
focus on the following performance parameters:12 Loubna Mekouar, Youssef Iraqi and Raouf Boutaba
1 0.7
IDA
DB
KB
0.8 0.6
0.6 0.5
Percentage of Malicious Uploads
Peer Satisfaction
0.4 0.4
RW
0.2 0.3
RW
0 0.2
−0.2 0.1
KB
DB
IDA
−0.4 0
0 0.5 1 1.5 2 2.5 3 3.5 0 0.5 1 1.5 2 2.5 3 3.5
Request Number 4
x 10 Request Number 4
x 10
Figure 6. Peer Satisfaction Figure 7. The percentage of malicious uploads
• The peer satisfaction: computed as the dif-
ference of non-malicious downloads and ma- The bad performance of KB can be explained by
licious ones over the sum of all the down- the fact that it does not distinguish between ma-
loads performed by the peer. The peer sat- licious and non-malicious peers. As long as the
isfaction is averaged over all peers. peer has the highest participation level, it is cho-
sen regardless of its behavior. Our schemes (DB
• The percentage of malicious uploads: com- and IDA) make the distinction and do not choose
puted as the sum of the size of all malicious a peer if it is detected as malicious. The RW
uploads performed by all peers during the scheme chooses peers randomly and hence the re-
simulation over the total size of all uploads. sults observed from the simulations (i.e. 20% sat-
isfaction) can be explained as follows. With 50%
• Peer load share: we would like to know the
malicious peers and 80% probability to upload
impact of the selection advisor algorithm
an inauthentic file, we can expect to have 60% of
on the load distribution among peers. The
authentic uploads and 40% inauthentic uploads
peer load share is computed as the normal-
in average. As the peer satisfaction is computed
ized load supported by the peer. This is
as the difference of non-malicious downloads and
computed as the sum of all uploads per-
malicious ones over the sum of all the downloads
formed by the peer over all uploads in the
performed by the peer, we can expect a peer sat-
system.
isfaction of (60 − 40)/(60 + 40) = 20%.
7.1.3. Simulation Results Figure 7 shows the percentage of malicious up-
Figure 6 depicts the peer satisfaction achieved loads, i.e. the percentage of inauthentic file up-
by the four considered schemes. The X axis rep- loads. As in RW scheme peers are chosen ran-
resents the number of requests while the Y axis domly, we can expect to see a steady increase of
represents the peer satisfaction. Note that the the size of malicious uploads and a fixed percent-
maximum peer satisfaction that can be achieved age of malicious uploads. On the other hand, our
is 1. Note also that the peer satisfaction can be proposed schemes DB and IDA can quickly detect
negative. According to the figure, it is clear that malicious peers and avoid choosing them for up-
the DB and IDA schemes outperform the RW loads. This isolates malicious peers and controls
and KB schemes in terms of peer satisfaction. the size of malicious uploads. This, of course,Peer-to-Peer’s Most Wanted: Malicious Peers 13
−3 RW KB
x 10
4 0.45
0.4
3.5
0.35
3
0.3
2.5
Peer load share
Peer load share
0.25
2
0.2
1.5
0.15
1
0.1
0.5 0.05
0 0
0 100 200 300 400 500 600 700 800 900 1000 0 100 200 300 400 500 600 700 800 900 1000
Peer Peer
Figure 8. Peer load share for RW Figure 9. Peer load share for KB
results in using the network bandwidth more ef- requested uploads (c.f. figure 9).
ficiently and higher peer satisfaction as shown in In figures 10 and 11 the results for the proposed
figure 6. In KB scheme, the peer with the high- schemes IDA and DB are presented. We can note
est participation level is chosen. The chosen peer that in both schemes malicious peers are isolated
will see its participation level increases according from the system by not being requested to per-
to the amount of the requested upload. This will form uploads. This explains the fact that the nor-
further increase the probability of being chosen malized loads of malicious peers (peers from 1 to
again in the future. If the chosen peer happens 500) is very small. This also explains why the
to be malicious, the size of malicious uploads will load supported by non malicious peers is higher
increase dramatically as malicious peers are cho- than the one in the RW and KB scenarios. In-
sen again and again. This is reflected in figure 7 deed, since none of malicious peers is involved
where KB has worse results than RW. in uploading the requested files10 , almost all the
To investigate the distribution of loads among load (of the 30000 requests) is supported by the
peers for the considered schemes, we plotted the non malicious peers.
normalized load supported by each peer during According to figures 10 and 11, we can observe
one simulation run. Figure 8, 9, 10 and 11 depict that even if the two proposed schemes DB and
the results. Note that we organized the peers into IDA are able to detect malicious peers and isolate
two categories, malicious peers from 1 to 500 and them from the system, they do not distribute the
non malicious peers from 501 to 1000. As ex- load among non malicious peers in the same man-
pected, the RW scheme distributes the load uni- ner. Indeed, the IDA scheme distributes the load
formly among the peers (malicious and non ma- more uniformly among the non malicious peers
licious)(c.f. figure 8). The KB scheme does not than the DB scheme (c.f. figure 10). The DB
distribute the load uniformly. Instead, few peers scheme tends to concentrate the load on a small
are always chosen to upload the requested files. number of peers (c.f. figure 11). This can be
In addition, the KB scheme cannot distinguish explained by the way each scheme computes the
between malicious and non malicious peers, and reputation of peers. As explained in sections 3.1
in this particular case, the malicious peer num- 10 after
that these malicious peers are detected by the pro-
ber 180 has been chosen to perform most of the posed schemes14 Loubna Mekouar, Youssef Iraqi and Raouf Boutaba
IDA DB
0.015 0.4
0.35
0.3
0.01
0.25
Peer load share
Peer load share
0.2
0.15
0.005
0.1
0.05
0 0
0 100 200 300 400 500 600 700 800 900 1000 0 100 200 300 400 500 600 700 800 900 1000
Peer Peer
Figure 10. Peer load share for IDA Figure 11. Peer load share for DB
licious Detector (MDA) algorithms. Their perfor-
and 3.2, the DB scheme computes the reputation mance will be compared to KB and RW. In these
of peer Pj as shown in equation 2 based on a dif- simulations, liar peers will be considered as op-
ference between non malicious uploads and mali- posed to the first set of simulations in section 7.1.
cious ones. The IDA scheme, on the other hand,
computes a ratio as shown in equation 3. The fact 7.2.1. Simulation Parameters
that DB is based on a difference, makes it choose We use the same simulation parameters as in
the peer with the highest difference. This in turn 7.1 with the following modifications:
will make this peer more likely to be chosen again • At the beginning of the simulation, each
in the future. This is why, in figure 11, the load peer has 30 randomly chosen files and each
achieved by DB is not distributed uniformly. file has at least one owner.
The IDA scheme, focuses on the ratio of the dif-
ference between non malicious uploads and mali- • Peers behavior and distribution are as de-
cious ones over the sum of all uploads performed picted in Table 4.
by the peer (cf. eq. 3). This does not give any
• Only 40% of all peers with the requested file
preference to peers with higher difference. Since
are found in each request. We have consid-
in our simulations we did not consider any free
ered a situation where we have a lower per-
riders, we can expect to have a uniform load dis-
centage of peers with the requested file to
tribution among peers as depicted by figure 10.
assess the proposed algorithms in a highly
If free riders are considered, reputation mecha-
dynamic network.
nisms will not be affected since reputation data
is based on the uploads of peers. Obviously, the Taking into consideration Table 4, peers with
load distribution will be different. indices from 1 to 300 belong to category M 2,
peers with indices from 301 to 600 belong to cate-
7.2. Simulation of the Inauthentic Detec- gory M 1 and peers with indices from 601 to 1000
tor and the Malicious Detector Algo- belong to category G. We have considered a sit-
rithms uation where we have a high percentage of mali-
In this second set of simulations, we will simu- cious peers to show the effectiveness of our pro-
late the Inauthentic Detector (IDA) and the Ma- posed scheme.Peer-to-Peer’s Most Wanted: Malicious Peers 15
Category Percentage Percentage of sending Percentage of sending
of peers inauthentic files wrong feedback
G 40% 1% 1%
M1 30% 50% 50%
M2 30% 90% 90%
Table 4
Peer Behavior and Distribution
1 0.4
0.8
0.2
0.6
0
0.4
Authentic Behavior
Authentic Behavior
0.2
−0.2
0
−0.4
−0.2
−0.4 −0.6
−0.6
−0.8
−0.8
−1
−1 0 100 200 300 400 500 600 700 800 900 1000
0 100 200 300 400 500 600 700 800 900 1000
Peer Peer
Figure 12. Authentic Behavior with IDA (with Figure 13. Authentic Behavior with IDA (with
no liar peers) liar peers)
7.2.2. Performance Parameters
distribution of peers’ behavior in the case where
In this second set of simulations we will mainly
no liar peers exist is the same as in table 4 with
focus on the following performance parameters:
the fourth column set to zero in all categories.
• The peer satisfaction: computed as the dif- It is clear from figure 12 that IDA is able to
ference of non-malicious downloads and ma- differentiate among peers and detect those that
licious ones over the sum of all the down- send inauthentic files. Good peers (with indices
loads performed by the peer. The peer sat- from 601 to 1000) have high AB values while ma-
isfaction is averaged over all peers. licious peers (from 1 to 600) have low AB values
(most of peers with indices between 1 and 300
• The percentage of malicious uploads: com-
have a value of -1). However, if liar peers exist,
puted as the sum of the size of all malicious
those peers affect badly the system and makes it
uploads performed by all peers during the
difficult to differentiate among peers (c.f. figure
simulation over the total size of all uploads.
13). This affects greatly the performance of the
7.2.3. Simulation Results system as will be shown in figure 17.
Figures 12 and 13 show the Authentic Behav- Figure 14 depicts the Credibility Behavior of
ior values for peers when using IDA. Figure 12 peers when using MDA. The figure shows that
presents the results in a situation where no peer CB is a very good indicator of the liar behavior
lies in its feedbacks, while figure 13 shows the re- of peers. Indeed, good peers (with indices from
sults where there are liar peers in the system. The 601 to 1000) have a very high value of credibility16 Loubna Mekouar, Youssef Iraqi and Raouf Boutaba
1
0.9
0.8
0.9
0.7 MDA
0.8
Credibility Behavior
0.6
0.7
IDA
0.5
0.6
0.4
0.5
Peer Satisfaction
0.3 0.4
0.2 0.3
RW
0.1 0.2
0 100 200 300 400 500 600 700 800 900 1000
Peer
0.1
KB
0
−0.1
0 0.5 1 1.5 2 2.5 3
Figure 14. Credibility Behavior Request Number x 10
4
Figure 15. Peer Satisfaction
while liar peers (from 1 to 600) have lower val-
ues. This indicator is also able to differentiate
among degrees of liar behavior; peers with lower
probability of lying (indices from 301 to 600) have
higher credibility than those with higher proba-
bility of lying (indices 1 to 300).
Figure 15 depicts the peer satisfaction achieved
by the four considered schemes. The X axis rep- 0.7
resents the number of requests while the Y axis
represents the peer satisfaction. According to 0.6
the figure, it is clear that the MDA and IDA 0.5
Percentage of Malicious Uploads
schemes outperform the RW and KB schemes KB
in terms of peer satisfaction. The bad perfor- 0.4
RW
mance of KB can be explained by the fact that it
does not distinguish between malicious and non-
0.3
malicious peers. The RW scheme chooses peers 0.2
randomly and hence the results observed from IDA
the simulations (i.e. 15% satisfaction) can be 0.1
explained as follows. With the values of table MDA
0
4, we can expect to have (99% × 40% + 50% × 0 0.5 1 1.5
Request Number
2 2.5
4
x 10
3
30% + 10% × 30% =) 57.6% of authentic up-
loads and (1% × 40% + 50% × 30% + 90% ×
30% =) 42.4% inauthentic uploads in average.
As the peer satisfaction is computed as the dif- Figure 16. Percentage of malicious uploads
ference of non-malicious downloads and malicious
ones over the sum of all the downloads performed
by the peer. We can expect a peer satisfaction
of (57.6 − 42.4)/(57.6 + 42.4) = 15.2%.Peer-to-Peer’s Most Wanted: Malicious Peers 17
Our schemes (MDA and IDA) make the distinc- 0.55
tion and do not choose a peer if it is detected as 0.5
malicious. Since MDA is able to detect liar peers, 0.45
it can protect the system from them and hence is 0.4
Percentage of Malicious Uploads
able to take the right decision when choosing a 0.35
peer to download from. In IDA, liar peers affect 0.3
the Authentic Behavior values of other peers and
0.25
hence lower the achieved peer satisfaction.
Figure 16 shows the percentage of inauthen-
0.2
IDA
tic file uploads. KB has the worst results com- 0.15
pared to other schemes as explained earlier. IDA 0.1
MDA
can quickly detect inauthentic peers and avoid 0.05
0 0.5 1 1.5 2 2.5 3
choosing them for uploads. This isolates the in- Request Number 4
x 10
authentic peers and controls the size of malicious
uploads. However, since IDA does not detect liar
peers, the reputation of peers is affected as shown Figure 17. Percentage of malicious uploads for
in figure 13. This will sometimes result in bad de- MDA and IDA
cisions. MDA on the other hand takes into con-
sideration liar behavior and thanks to the Cred-
ibility Behavior parameter, is able to reduce the
effect of liar peers on the system. This allows the eral search requests without sending apprecia-
system to take more clearsighted decisions. This, tions, the supernode can suspect that the peer is
of course, results in using the network bandwidth not providing appreciations and assigns a lower
more efficiently and higher peer satisfaction as priority value for search requests from this peer.
shown in figure 15. Figure 17 shows that the new Some countermeasures have also to be set to
scheme achieves about 40% improvement in com- protect from peers that report a value for AF i,j ,
parison to IDA. This gain will continue to increase although no file download has happened. Some
with the number of requests as MDA makes more peers could fake additional identities and use this
and more good decisions. scheme to increase their own reputation. One
Note that our scheme achieves good perfor- suggested approach to solve this issue is to use a
mance even if we have a high number of mali- token given by the supernode of the sender peer
cious peers. As stated earlier, without any repu- that has to be sent with the feedback. This way,
tation management scheme we can expect 42.4% the supernode receiving the feedback can check
of inauthentic uploads. After the 30000 requests whether this is a valid feedback for a download
considered, our scheme reduces this to about 6% that has indeed occurred. These issues are under
with a peer satisfaction of almost 88%. investigation and left for future research.
8. Open Issues 9. Related Works
If providing an appreciation is manually per- 9.1. Reputation in Centralized P2P Sys-
formed and a rewarding mechanism is not pro- tems
vided, the system may not be able to collect suf- Reputation Management in eBay
ficient amount of appreciations to compute repu- eBay [16] uses the feedback profile for rating
tation scores accurately. Some of the incentives their members and establishing the members’ rep-
for peers to provide appreciations are high prior- utation. Members rate their trading partners
ity and extensive search requests from their su- with a Positive, Negative or Neutral feedback,
pernodes. Usually, a peer sends search requests and explain briefly why. The reputation is calcu-
to download a file. If the peer is sending sev- lated by assigning 1 point for each positive com-18 Loubna Mekouar, Youssef Iraqi and Raouf Boutaba
ment, 0 points for each neutral comment and -1 have provided the vote by exchanging TrueVote
point for each negative comment. and TrueVoteReply messages. In the enhanced
The eBay feedback system suffers from the fol- polling algorithm, AreYou and AreYouReply mes-
lowing issues: sages are used to check the identity of the voters.
This will further increase the network overhead.
• Single point of failure Moreover, each peer has to keep track of past ex-
• It is not an easy task to look at all feedbacks periences with all other peers. In addition, the
for a member in the way the feedback profile reputation of the peers is used to weight their
is presented on eBay. opinions, however, as we have shown earlier the
reputation score (i.e. Authentic Behavior ) is not
• A seller may have a good reputation by sat- enough to reflect the credibility of a peer.
isfying many small transactions even if he
did not satisfy a transaction with a higher 9.2.2. Reputation Management using
amount. EigenTrust Algorithm
In [11], the EigenTrust algorithm assigns to
• No special mechanism is provided to detect each peer in the system a global trust value. This
members that lie in their feedbacks. value is based on its past uploads and reflects
9.2. Reputation in Completely Decentral- the experiences of all peers with the peer. This
ized Systems scheme is a reactive one, it requires reputation to
Several reputation management schemes have be computed on-demand which requires cooper-
been proposed for completely decentralized P2P ation from a large number of peers in performing
systems. As these schemes do not apply for par- computations. As this is performed for each peer
tially decentralized systems which is our target having the requested file with the cooperation of
in this paper, we will present only the following all other peers, this will introduce additional la-
approaches. tency as it requires long periods of time to collect
statistics and compute a global rating. Most of
9.2.1. Reputation Management by Choos- the proposed reputation management schemes for
ing Reputable Servents completely decentralized P2P systems are reac-
In [10], the distributed polling algorithm tive and hence suffer from this drawback. More-
P2PRep is used to allow a servant p looking for over, they tend to consider the reputation (i.e.
a resource to enquire about the reputation of of- Authentic Behavior ) as a score for the credibility
ferers by polling its peers. After receiving a re- of a peer which was shown in this paper to be
sponse from all offerers available to provide p with ineffective.
the requested resource, p selects a set of servants
from offerers and polls its peers by broadcasting a 9.2.3. Limited Reputation Sharing in P2P
message asking them to give their opinion about Systems
the reputation of the servants. Two variants of In [17], the proposed algorithms use only lim-
the algorithm are provided. In the first variant ited reputation sharing between nodes. Each
(the basic polling), peers send their opinion and node records statistics and ratings regarding
p uses the vote to determine the best offerer. In other peers. As the node receives and verifies files
the second variant of the algorithm (the enhanced from peers, it updates the stored data. Nodes
polling), peers provide their own opinion about can share their opinions and incorporate them in
the reputation of the offerers in addition to their their ratings. In the proposed voting reputation
identities. This latter will be used by p to weight system, the querying node receives ratings from
the vote received. peers and weights them accordingly to the rat-
This scheme incurs considerable overhead by ings that the peer has for these peers to com-
polling peers for their votes. In addition, the ba- pute a quorum rating. The peers can be selected
sic polling algorithm checks whether the voters from the neighbor list (Neighbor-voting) or fromYou can also read
