A robust reputation scheme for decentralized groups management systems

HAL Id: hal-00426476

https://hal.archives-ouvertes.fr/hal-00426476

Submitted on 26 Oct 2009

HAL is a multi-disciplinary open access

archive for the deposit and dissemination of

sci-entific research documents, whether they are

pub-lished or not. The documents may come from

teaching and research institutions in France or

L’archive ouverte pluridisciplinaire HAL, est

destinée au dépôt et à la diffusion de documents

scientifiques de niveau recherche, publiés ou non,

émanant des établissements d’enseignement et de

recherche français ou étrangers, des laboratoires

A robust reputation scheme for decentralized groups

management systems

Frédéric Cuppens, Nora Cuppens-Boulahia, Julien Thomas

To cite this version:

Frédéric Cuppens, Nora Cuppens-Boulahia, Julien Thomas. A robust reputation scheme for

decentral-ized groups management systems. ICISS : Fourth International Conference on Information Systems

Security, Dec 2008, Jntu, Hyderabad, India. pp.71-85. �hal-00426476�

Group Management Systems

Theoriginalpubli ationisavailableat http://www.springerlink. om

Julien A. Thomas, frédéri Cuppens, NoraCuppens-Boulahia Télé om Bretagne ; LUSSI Department

UniversitéEuropéenne de Bretagne Rennes, Fran e

O tober26,2009

Abstra t

Intheliterature,reputationsystemsareusedtoevaluateother en-tities behaviorand havemanyappli ations su h as,for instan e, the dete tion of mali ious entities. The asso iated models are based on mathemati formulae,inorder toformalydeneelementssu h asthe reputation evaluation and evolution and the reputation propagation betweenpeers. Currentproposalsdes ribethebehaviorsoftheir mod-elsbyexamples,withfew(ifnotno)formalanalyses. Inthisarti le,we statethe basi se uritypropertiessu h systemsrequireand we show that urrentsystemsmaynotsatisfythemonspe i s enarios,whi h an be used by mali ious entities to take advantage of the system. We also present a new reputation s heme, designed to satisfy these properties,andwe ompareittoexistingresear hworks.

Introdu tion

Inthe literature, reputation systems are usedto evaluate behaviors of sub-je ts, pro esses or systems and for instan e dete t mali ious entities. The asso iated models [1, 2 , 3℄, based on mathemati formulae, generally take into a ount two a tions: the operations to perform when an in orre t be-haviorisdete tedandtheoperationstoperformwhennomali iousbehavior isdete ted duringadenedintervaloftime. Thesemodelsrelyontwo main variables,

α

and

β

, whi h respe tively refer to the reputation in rease and de reaserates,in ase of orre t (respe tively in orre t) behaviors.

The globalpro ess an besummarized bythefollowing formulae:

•

when no mali ious behavior is dete ted for a node

n

i

, between two reputation he kpoints,the urrentnode

n

c

in reases itsreputation of

α

,whi h means

rep

n

•

When a node

n

i

has a bad behavior, its reputation de reases of

β

. If several mali ious behaviors are dete ted between two reputation he kpoints, some proposals onsider them as a single bad behavior (

rep

n

c

(n

i

) = rep

n

c

(n

i

) − β

),whileothers onsiderthemasseveralones (

rep

n

c

(n

i

) = rep

n

c

(n

i

) − nb

detection

· β

).

An exampleof appli ation ofthe reputationsystems isthemanagement ofgroups[4 ,5℄,forinstan einadho networks[6℄. Inthis ontext,groupsare used to join togethernodes whi h an then share information and ommu-ni ate. Insidethesegroups, whi haresometimes onsideredas ommunities insideundened and potentiallymali ous environments, thenotion oftrust is important as it an be used to dete t mali ious nodes. Stating se urity properties su h as the ollusion of mali ious nodes must not engender an evi tion of a orre t node and asserting that they will be respe ted is thus important. As the design of the reputation system and the values of its parameters,su has

α

and

β

,arelinkedtotheassertionofthese urity prop-erties, the system must be dened by taking these properties into a ount. In urrent resear h works, formal analyses of the system parameters and assertionsof su hse urityproperties arenot performed.

In this arti le,we thus propose aformal method to evaluate thesystem parameters, inorder to dene a robust reputation s heme. Inse tion 1 ,we rstpresent the notions bounded to the reputation systemsand we analyze the existing approa hes. We then introdu e in se tion 2 our reputation andre ommendationsystem,withthese uritypropertiesitmustsatisfy. In se tion3 ,wepresentourformalanalysesandspe ifythevaluesofoursystem parameters that satisfythese properties. We then present our simulations, performed on NS-2 [7℄, and we ompare our results with existing resear h works. The last se tion on ludesthearti le.

1 Limits of Existing Approa hes

Manystudies [1 , 2,3,8 ,9℄have proposed reputationsystems whi hrely on two basi systems: the reputation and re ommendation basedsystems and therefereesbasedreputation systems. Inthis se tion,we thuspresentthese systemsandweanalyzeexistingproposalsthatrelyontheminordertoshow their limits.

1.1 Reputation and re ommendation based systems

Inthere ommendationandreputationsystemproposedbyJinshan Liuand ValérieIssarny[1℄,severalparameters (whi haresummedupinthetable1 ) areasso iatedwithea hnodetoevaluateothernodes'quality. Amongthese parameters,

SExp

isthereputationderivedfromdire tintera tionsbetween the urrentnodeandtheanalyzedoneand

SRep

isanodereputationderived

node has information about other nodes re ommendation quality (

RRep

).

RRep

isusedasaweighting oe ientinthereputationevaluations. Finally,

Rec

is thereputation de laredbya node about a peerand istheonlyvalue sharedinthenetwork. For a orre t node,

Rec

a

(o) = SRep

a

(o)

.

SRep

a

(o)

t

node

o

's reputation, de laredby

a

,at time

t

RRep

a

(o)

t

o

'sre ommendation, about

a

,at time

t

SExp

a

(o)

t

Immediate experien eof

a

about

o

Rec

a

(o)

t

Re ommendationmade by

a

about

o

,at time

t

.

ρ

e

,

ρ

c

weighting oe ient of thereputationand re ommendation fun tions

Table1: Re ommendationand ReputationSystem Parameters An important aspe tof thisstudy isthedistin tionbetween re ommen-dationandreputation: whenanodeprovidesa orre tservi e,it analways beused,evenifitsre ommendationsarenot orre tandthus anbeignored.

Reputation evolution: For a node

n

c

, a node's reputation is based on three parameters: its old reputation, its new reputation a ording to

n

c

(whi h are both represented by

SExp

a

(o)

t

) and the other nodes de lared reputations

RRep

, where all these parameters are weighted by redibility and freshness oe ients. The reputation of a node

o

, a ording to a node

a

,is dened asfollows:

SRep

a

(o)

t

= ρ

e

· SExp

a

(o)

t

+ (1 − ρ

e

) ·

P

p

(RRep

a

(p) · Rec

p

(o))

P

p

RRep

a

(p)

Re ommendationevolution: Foranode

a

,there ommendationquality of a node

p

relies on the dieren es between the re ommendation made by

p

(Re

p

) and its personnal evaluation (SExp

a

) for ea h node

o ∈ N

. We thus have the basi formula:

dif f

1

(o)

=

|Rec

p

(o) − SExp

a

(o)|

. However, the dieren es between the values of two nodes an be due to analyses of dierent data (i.e. dierent ontexts). In order to solve this problem, they usethenotionoftoleran ethreshold

δ

a

. Wethenhaveadieren eevaluation

dif f =

1−dif f

1

δ

a

.

There ommendation evolutionme hanismsatisesthefollowing prin i-ple: the re ommendation of

p

at time

t

relies on thepre edent re ommen-dation at time

t

′

and the evaluation dieren esin this interval

∆t = t − t

′

:

RRep

a

(p)

t

= RRep

a

(p)

t

′

· ρ

c

(t−t

′

₎

+ dif f · (1 − ρ

c

(t−t

′

₎

)

.

1.2 Referees based reputation systems

Intheresear hworkbyConradandal.[2 ℄,thenotionofreputationisstudied in order to rst mimi the human trust formation and se ondly to have a

to apply their reputation system to e-servi es and on-line transa tions, as theresultsare quitebinary: eithertheresult is orre t, or not.

As for many studies, the reputation analysis is based on two prin ipal omponents: the node whi h performs the evaluation and the others. The reputationfun tion theysuggestis

reputation(c) = experience(c) · p + (1 −

p) · hearsay(c)

where

p

is the value to assign to our own redibility (

p =

self Conf idence(c)

).

The notion of self-experien e is based on two parameters: prior experi-en es andimmediate experien es. No weighting is madebetween these two parametersandwethushave

experience(c) =

immediateExperience(c)+experience(c)

2

.

Another interesting aspe t in this study is the way the hearsay parameter isevaluated: ontrary to the previous study,the nodesdo not take into a - ount the information from all the nodesof thenetwork. We have a notion of referees

R

that are used to analyze a servi e reputation:

hearsay(c) =

P

r∈R

reputation

r

(c)

|R|

. The hoi e of a orre t value of

|R|

is important: if we have a too small value, few analyses will be used and the result may not be representative while with a too big value, the reputation system be omes too slow. By performing simulations, they hose

|R| = 10

and

self Conf idence(c) = 30%

1.3 Analysis of existing proposals

The dieren es between the reputation and the re ommendation is impor-tant. A node an have a quite bad behavior in the group (due to energy problem, for instan e), but always a orre t re ommendation. In the oppo-site,anatta kwould onsistina tingwell,inordertoavoidatta kdete tion me hanisms,and lyingaboutthereputation ofothernodes, inorder for ex-ample to obtainprivileges.

InJinshanLiuandValérieIssarnystudyandinotherswhi haresimilar, su has[8,9℄,the reputationandre ommendation systemshave someaws: al uliarebasedonallthenodesofthenetworks. Therstandmostobvious issueisthes alabilityproblem. However,amoreimportantproblemhappens when the dete tion of mali ious behaviors an be performed only in lo al area: when the groupsize in reases, no signi ant reputationde rease may o ur. Consider thefollowing example:

•

the dete tion of mali ious behaviors an be performed only on dire t neighbors,whi hisoftenthe aseforthelowestlevelsoftheISOmodel

•

we have

N

nodes, andwe onsider thatea h node has

k

neighbors

•

we assumethatea h node gives orre tre ommendations

In the gure 1a, we an see that the reputation me hanism suers from s alability problems, when the number of nodes in reases. In the referee

basedapproa h [2℄,theauthors suggestto take into a ount onlythenodes thatbelongtothereferees

R

. Thispreventsthe aseillustratedinthegure 1 from o urring. However, no distin tion is made between the reputation and the re ommendation. This study is thus relevant to dete t in orre t behaviorsfor theservi es,usingneighbors' ooperation,but annotbeused to dete t mali iousnodesinsidethe network.

We have seen that existing proposals fail when some onditions o ur, su h as when the number of nodes in reases while the dete tion region re-mainsthesame. Theseproblemsarisebe auseformalanalysesofthesystem havenotbeenperformed. Forinstan e,thenotionoflo alregion

R

presented inthe referee-based systemis not fullydes ribed: how an we evaluate

R

? What are the impa t of the size of

R

on the reputation me hanism? As these questionshave not been answered, aws may be dis overed inthe fu-ture. We an on lude that thedenitionof a reputationsystemrequiresa formalanalysis ofthe systemand the environment, whi h isnot performed in urrent proposals.

2 Formal Model for Reputation and Re ommenda-tion fun tions

Asdes ribed inthe previous se tion, reputationsystemsmust be developed using a formal approa h. In this se tion, we des ribe our reputation fun -tions. An example of appli ation of the reputation systems is the manage-mentofgroups. Wethuspresentthe groupde isionprin iple andnallythe se uritypropertiesreputationsystemsmustsatisfy,basedonthesede isions. Formalanalysesarepresentedinthenext se tion.

2.1 Denitions of our reputation model

Aspresentedinthe se tion1, we areable to have a s alable me hanismby usinglo alregion. However,lo alregionsengender lo alreputations. Inour

(property4ofthese tion2.2.2 ),we musthaveglobalreputations. Thisthus preventsnodesfrom waitingthea knowledgement of their de isions.

As the notion of reputation is bound to the re ommendation, the way there ommendation isevaluated isalso not orre tfor group de isions. In fa t, the re ommendation we need is a group re ommendation, and not a node-dependent re ommendation, as presented in Jinshan Liu and Valérie Issarnyresear hwork. In this study,the re ommendation isdened by

rec

k

(i) = rec

k−1

(i) · ρ

rec

+ (1 − ρ

rec

) ·

P

n

j=0

dif f (rep

k−1

(j, i), rep

k−1

(j))

n

where

rep

k

(i, j)

is the reputation of

i

de lared by

j

at the step

k

. In this formula, the fun tion

dif f

is used to evaluate the dieren es between the re ommendations madebythe urrentnodeand theonesmadebythenode

i

.

In order to have a global re ommendation, we must evaluate the dier-en e of the node's evaluations with all the other nodes' evaluations. Our notionof groupreputation isdened asthefollowing:

group

_

reputation

k

(i) =

P

j∈R

i

rec

k−1

(j) · rep

k

(i, j)

P

j∈R

i

rec

k−1

(j)

(1)

Using this formula, we getthefollowing initial group re ommendation:

rec

k

(i) = rec

k−1

(i) · ρ

rec

+

(1 − ρ

rec

) ·

P

n

j=0

dif f (rep

k

(j, i), group

_

reputation

k

(j))

n

(2)

Notethat there ommendation fun tionis studied inse tion3.3 , asitdoes not ae tthe evaluationofour reputation fun tionin theworst ases.

Finally,thereputationis similarto the one presentedin[2℄:

rep

k

(i) =

100 · experiences +

P

j∈R

i

∧j6=myself

rec

k−1

(j) ∗ rep

k−1

(i, j)

100 +

P

j∈R∧j6=myself

rec

k−1

(j)

(3)

2.2 Group De isions Prin iple

In a group management algorithm, we an nd two groups of operations for group management proto ols: group operations and group agreements. The rst group des ribes all the basi de isions, su h as a request to add anodewhilethe se ondone des ribesallthegroup de isions,su hasthe groupaddsanode. Thisdistin tionisimportantastherstoperations an be de idedbyasinglenodewhilethese ondoneshaveto be de idedbythe wholegroup.

Asdes ribed above,these operationsaremade bya singlenode: depending on several parameters, a node may want to authorize a new node to join a group,or maywant to evi ta nodefrom the group.

Adding a node: A node

n

i

sends an adding message to thegroup ifthe lo alreputationofthenodeto addishigherthanorequalsto

threshold

Add

.

Removing a node: Asfor adding anode,a nodesends an evi tion mes-sageabout thenode

n

m

ifthenode

n

m

hasa reputationlowerthan orequal to

threshold

Evict

.

2.2.2 GroupAgreements

An important aspe tofthegroup agreementsis to have ommon de isions: ifanodestartsa removing or addingoperation at theproto olgroup layer, allnodesinthe network mustdo ittoo. Inorder to have stablegroup de i-sions,wedeneseveralfun tionalproperties. Theyrelyonthevariables

τ

add

,

τ

eviction

and

minimal

_

recommendation

whi hrespe tivelyrefertothe min-imalnumberof nodesto take an addingmessage into a ount, theminimal numberof nodesto take an evi tion message into a ount and theminimal re ommendation to onsider a node's message as trustworthy. Finally, the variable

τ

is linked to se urity of the systems :

τ

- 1 is the maximal num-ber of mali ious nodes the system supports. Thus, we have

τ ≤ τ

add

and

τ ≤ τ

eviction

.

For the groupde isions, there aremainlyfour fun tional properties:

Property 1: In order to start an adding operation, a node must have re eived

τ

add

adding messagesfromdistin t nodes inthenetwork.

Property 2: In order to start an evi tion, a node must have re eived

τ

eviction

evi tion messagesfrom distin tnodesamong thenetwork.

Property3: Anodemessageshouldbetakenintoa ountonlyifthenode re ommendation ishigher than or equal to

minimal

_

recommendation

.

Property 4: Uponre eivingagroup managementoperation,ea hnodeof thegroupmusttake thesame de ision.

Inthepreviousse tion,wehavepresentedthefun tionalpropertiesour rep-utation systemmust satisfy. However, inorder to develop a robust system, we mustalso state these urityproperties our systemmustsatisfy.

The rstone deals withtheimpa tof the reputationin rease rate. Se urity Property 1: the ollusion of mali iousnodesmust not engenderan evi tion ofa orre tnode

For thereputationde reases enario,twose uritypropertiesaredened. Se urity Property 2: A ollusionof mali iousnodesmustnot prevent a ma-li ious node fromhaving ade rease ofits reputation.

Se urity Property 3: Thegroup mustbe ableto evi ta mali ious node, a - ording to the fun tional properties, when its reputation ex eeds a dened threshold.

Finally,inordertopreventmali iousnodesfrominterferingwith orre t information about a node,their re ommendation mustde rease. Thisis ex-pressedbythe forthse urityproperty:

Se urity Property 4: a node re ommendation mustde rease if it a ts mali- iously.

3 Theoreti al quanti ation of the model's param-eters

In the previous se tion, we des ribed our reputation and re ommendation fun tions. In thisse tion, we analyse the parameters of thesefun tionsand theimpa toftheirvaluesonthereputationsystemandtheassessmentofthe se urityproperties. Insubse tions3.1and3.2,weintrodu etheglobalideas about the reputation fun tions evaluation and our solution, whi h solves three prin ipal problems: what is the value of the reputation in rease rate if a node a ts well? what is the value of the reputation de rease rate if a mali iousnodeisdete ted? How anwedene thelo alregion

R

ofanode? Finally, the evaluation of the re ommendation fun tion is given in se tion 3.3.

The evaluation of thedierent parameters is made by rst formulating the worst ases that an o ur. We then spe ify values that satisfy our se urityproperties. Dueto spa elimitation, ompletedemonstrationsofthe mathemati alequationsarenotgiveninthispaperbutone anreferto[10℄.

3.1.1 Worst Case 1: in orre t evi tion

Theusual worst ase isrelatedto the evi tion bymali iousnodesofa node a ting well. This an be represented by the following s enario:

τ

- 1 mali- ious nodesde lare a reputationof 0 for this node while others in rease its reputationby

α

.

A ordingtotheGroupAgreementProperty2,theevi tionofanode o - urresif

τ

eviction

nodessendanevi tionmessage. As

τ

eviction

≥ τ

,thismeans thatat leastone  orre t node hasto sendan evi tion message. Thus, to satisfythe Se urity Property 1, we must ensure thatno orre t node sends anevi tion message. This an beensured bythefollowingrequirements:

•

the reputation does not go under the evi tion threshold

Evic

threshold

(

Req1

)

•

the reputationis stillable toin rease (

Req2

)

To satisfythe rst requirement, we must assure that there is no

i ∈ N

su h that

rep

i

< Evic

threshold

. At the

n

th round, the reputation of the atta ked nodeisgivenby(

rep

0

isthe initialreputation):

rep

n

= rep

0

· a

n

₊

b·

P

n−1

i=0

a

i

where

a =

|R|−τ +1

|R|

and b = α·

|R|−τ +1

|R|

. Basedonthisformulaand onsidering dierent evi tion thresholds

Evic

threshold

,thetable2 illustrates thedierent valuesof

α

min

thatsatisfy

Req1

.

Evic

threshold

α

min

Evic

threshold

α

min

Evic

threshold

α

min

Evic

threshold

α

min

10 4 30 10 20 7 40 14

Table 2: Minimal valueof

α

depending on

Evic

threshold

,

|R| = 4 · τ

For the se ond requirement (the reputation is still able to in rease), we an analyze the impa ts of the reputation system parameters with several s enarios. We onsidered the following ones, where

V

0

is the intial value of thereputation:

•

{

α = 4, V

0

= 50, |R| = 2 · τ

} (gure2 a)

•

{

α = 4, V

0

= 50, |R| = 4 · τ

} (gure 2b)

•

{

τ = 20, V

0

= 50, |R| = 4 · τ

} (gure3)

We an see that as

τ

is proportional to |R|, its value does not intera t with the reputation in rease rate. However, the way |R| is evaluated does intera t withthe reputation in reaserate. Forinstan e, with

|R| = 4 · τ

,we manage to geta maximal reputation(i.e. 100)faster than with

|R| = 2 · τ

. The hoi eof

|R| = 4 · τ

isdue toseveral reasons. First,thein reaserate is

Figure3: Reputationin rease a ording to

α

's value, with

|R| = 4 · τ

more important than with

|R| = 2 · τ

, whi h means that orre tnodeswill rea h the maximal (and thus the best) reputation faster. Se ondly, if one de ide to take

R

su h that

|R| = 6 · τ

or

|R| = 2

τ

, we would have better results but the size of |R| would in rease very qui kly, whi h means that

τ

max

wouldbefarlessimportant andthatnodeswouldhavetokeepawat h on more nodes. Obviously, as for

R

,several values for

α

an be taken into a ount. We de ide to onsider

α = 4

, as thein rease rate is orre t (and

4 > α

min

for

|R| = 4 · τ

).

3.1.2 Worst Case 2: in orre t in rease rate

Anotherproblemo urredwhenmali iousnodes ooperateinordertoqui kly in reaseanode'sreputation: allofthemde ide togiveavalueof100 tothe reputation. Thisisrepresentedbytheformula

rep

k

=

100·(τ −1)+(rep

k−1

+α)·(|R|−τ +1)

|R|

.

Inthis ase,we must hooseavalueof

α

whi hleads toa orre treputation in rease. Theformula an berepresented by

rep

k

= rep

0

· a

n

_{+ b ·}

P

n−1

i=0

a

i

,

where

a =

|R|−τ +1

|R|

and

b =

100·(τ −1)+α·(|R|−τ +1)

|R|

Aswe anseeinthegure4,thereputationofthemali iousnodeevolves very qui kly, no matter the value of

τ

: with

|R| = 4 · τ

, ve iterations are needed to get the maximal reputation, starting from a value of 50 while it is of three for

|R| = 2 · τ

. A solution to this problem is to nd a way to de reaseinall the ases thereputation of themali iousnodes.

Figure4: Reputationin rease - maximalin rease ratewith

α = 4

3.1.3 Case 3: Common ase

Finally, the ommon ase is when ea h node in reases thereputation of

α

. We must hoose parameters values su h that the in rease rate is not too fast, inorder to prevent mali ious nodes fromre overing a good reputation too qui kly. In this ase, the evolution formula is

rep

k

=

(rep

k−1

+α)·|R|

|R|

=

(rep

k−1

+ α)

. So, the in rease is equal to

α

. With a value of 4 for

α

, 13 iterationsareneededtogetamaximalreputation,startingfromareputation of50.

A ording tothedierent possible ases,we anseethatavalueof4for

α

anda valueof

4 · τ

for

|R|

areinteresting.

3.2 Reputation de rease assessment 3.2.1 Standard reputationde rease

Theworst aseofthereputationde reases enarioisthefollowingone: allthe mali ious nodes ooperate in order to prevent the de reases of a mali ious node reputation. They send a reputation of 100 and others de rease the mali iousnode'sreputation of

β

.

Inthiss enario,wemust hoosethesizeofRand

β

sothatthereputation will still de rease. Moreover, wemust hoose a valueof

β

thatde reases in a signi ant way the mali ious node reputation, in order to in rease the time this node requires to re over the maximal reputation (also alled the re overing time).

With

β

a onstant,we havethe following worst ase:

rep

k

=

100·(τ −1)+(rep

k−1

_|R|

−β)·(|R|−τ +1)

,where

rep

0

= 100

A ording to these tion 3.1, we an analyze several values of

β

, whi h are des ribedinthetable5(with

τ = 25, |R| = 4·τ

). Themainideaisto hoosea orre tvalueof

β

thatimpliesalongre overingtime,whi htendstode rease thenumber of bad behaviors. For instan e, with

β

= 25, a mali ious node

Figure5: Inuen eof

β

on the reputation de rease

de rease rate

β

re overing time de rease rate

β

re overing time (nbof iterations) (nbof iterations)

10 7 3 30 43 8

20 25 5 40 60 10

has to wait for ve iterations before getting its maximal reputation ba k. Ifita tsmali iously duringea h reputationupdateintervals,its reputation will de rease and it would have a reputation of 50 after 5 iterations and a reputationof 30after 15 iterations.

However, a drawba k is that we may not be able to get a reputation of

threshold

Evict

for mali ious nodes, depending on

τ

and

β

. Moreover, ifwe useusualequations,aspe ial ase annotbetakenintoa ount: amali ious nodea tsbadly,waitsforitsreputationtoin reaseandrestartstoa tbadly. We need a group history to take this ase, namely the Moral Hazard [11 ℄ (byzantine behavior), into a ount. Thus, the urrent reputation fun tion doesnot satisfythe se urityproperty3 and hastobe modied.

3.2.2 Dynami reputation de rease

In a study made by Ba & Pavlou [12℄, an analysis of ebay's reputation me hanism has been made. Based on ebay'sreputation results, they mod-elled the ebay trust system with a orrelation between positive rates (PR) and negative rates (NR). It is given by the following formula:

T rust =

β

0

+ β

1

· Log(P R) + β

2

· Log(N R)

.

Inour situation,positiverates areimpli it: a node in reasesthe reputa-tionoftheothernodesatea h he k,ifthisnodedoesnothaveabad behav-ior. Our urrentequationtakesnegativeratesintoa ount withthevariable

β

,in whi h

β = f (N R)

. Using

N R

,we obtain

β(N R) = β

0

+ f (N R) · β

1

. The prin ipal s heme of

f

is that

f (0) = 0

and

f (N R

max

) =

100

β

1

− β

0

(as

β(N R

max

) = 100

). A ommon aspe t of

β(N R)

would be that its value is redu ed by2 at ea h bad behavior. Thus, with

β(N R) =

100

2

N Rmax

· 2

N R

,we have a reputationde rease thatsatisesthe Se urityProperty 2and 3.

3.3 Evaluation of the re ommendation fun tions Inexistingstudies, there ommendation fun tion isthefollowing:

rec

k

(i) = rec

k−1

(i)·ρ

rec

+(1−ρ

rec

)·

P

n

j=0

dif f (rep

k−1

(j, i), X

_

reputation

k

(j))

n

(4) where

X

_

reputation

k

(j)

an be

group

_

reputation

k

(j)

or thenode reputa-tion, fornode-orientedreputation me hanisms. Asfor thereputation me h-anism,we an seethatthis fun tionislinkedto thesize ofthegroup. Thus,

Asshownwiththesimulationresults(se tion 4.1 ),we got astabilizedstate where the mali ious nodes' re ommendation are still high (94%) while the atta ked node's reputation is low. In this ase, the Se urity Property 1 is not satised.

By analyzing these drawba ks of the re ommendation me hanism, we rstproposethefun tion5 ,whi hisnotgroupsize-dependent. Byusingthe

multiply

operation insteadof the

sum

one,isolated liesarenot hiddenand the umulationof liesamplify the re ommendation de rease.

rec

k

(i) = rec

k−1

(i) · ρ

rec

+

(1 − ρ

rec

) ·

Π

n

j=0

dif f (rep

k−1

(j, i), group

_

reputation

k

(j))

n

(5)

Thisfun tion is thus robust againstthe mentionned atta k. However, if we onsider intelligent mali ious nodes, similar drawba ks remain: in this fun tion, the de rease rate is dire tly asso iated to the dieren e between what the mali ious node says and the group_reputation value. Thus, by sending reputation values that are lower than the group_reputation, but not sofar, mali iousnodes anstill lie about others'reputation andthe de- rease of their re ommendation will not be important. Moreover, advan ed atta ks su h as the binary state { orre t, mali ious} an impa t the repu-tation me hanism. So, though atta ks need to be more sophisti ated, the me hanismmaystillbe ae tedbythe ollusion of mali iousnodes.

In our ase, we made a strong assumption whi h has not been taken into a ount yet: we de ided to hoose

R

su h that

R = 4 · τ

, with

τ − 1

being the maximal number of mali ious nodes our system has to support. Thus,we assumethatat least75%ofthenodesamong

R

arenotmali ious. Moreover, the hoi e of

R

(and

τ

) is made su h that ea h node among

R

is able to dete t if a node is a ting mali iously or not at the group layer. We are thus assuredthat most of the reputationvalues are orre t. So,we an ompareanodere ommendation withthemajorityvalue,insteadofthe groupvalue withthefollowing fun tion (in whi h

majority

_

reputation(k)

refersthe majorityvaluefor thereputation about thenode

k

):

rec

k

(i) = rec

k−1

(i) · ρ

rec

+ (1 − ρ

rec

) · lieV alue(i)

lieV alue(i) =



0 if

∃j ∈ R/rep

k

(j, in) 6= majority

_

reputation

k

(j)

100 otherwise

(6) Aswhenanodeliesitsre ommendationissetto0,nomatterhowmu h in orre tinformation itprovides, itisobviousthattheSe urityProperty4, a node re ommendation must de rease if it a ts mali iously,is satised.

4.1 Results and Comparisons

In the previous se tion, we have presented several re ommendation ev alua-tions. In orderto ompare them,we have used theNS-2 [7℄ simulator with theUM-OLSR [13℄implementation of theOLSRAdho routing proto ol.

Inthesimulation,we have ompared thedierent re ommendation fun -tions:

•

P 10

and

P 25

referto the equation 4with

τ

equal to 10%and25%

• Π10

and

Π25

refer to theequation5 with

τ

equal to 10% and25%

• Π10b

refers to the equation 5, with

τ = 10%

and the atta k whi h onsistsinalterning orre t andmali ious behaviors.

• lying10

and

lying25

refer to theequation 6 with

τ

respe tively equal to 10%and25%

We ompared the fun tions by using the following issues: when do the mali ious nodes' re ommendation (gure 6a) and the atta ked node repu-tation (gure 6 b) are stabilized? What are the stabilized re ommendation (gure6 )andreputation(gure6d)? A ording tothese urityproperty4,

Figure6: Comparisonof re ommendation evaluationfun tions there ommendation valueofthemali iousnodesmustbenull. It iseasyto seethatthispropertyisnotassuredbythestandard re ommendation evalu-ations. Withthe updatedre ommendation evaluationwe suggest(equation 5),there ommendationevaluationandthereputationevaluationare orre t inthe aseofbasi mali iousnodes,with

τ = 10%

. However,whenwerea h

theextreme ase

τ = 25%

,theatta kednode'sreputationisimpa ted. With

τ = 10%

and advan ed mali ious nodes, the atta ked node's reputation is not really mali ious and the mali ious nodes' re ommendations are neither onsideredasgoodnor bad. Finally,we an see thatthelying method pro-vides really good results, as mali ious nodes re ommendations are always null and the stabilized states are qui kly rea hed. Thus, our proposals re-spe t our se urity properties and the system stability is qui kly rea hed, whi his important in adho networks.

4.2 Evaluation of the history parameter

ρ

rec

Theparameter

ρ

rec

denestheimportan eofthehistoryand thus will have onsequen es and the system's evolution. In this ase, the hoi e of

ρ

rec

is important. For instan e, with

ρ

rec

∼ 0

, an in orre t behavior will have immediatereper ussion, whilteit isnot the asewith

ρ

rec

∼ 1

.

The table 3 illustratesthe importan e of

ρ

rec

inseveral ases whi h are partsof theworst ases presented inse tion3.1 :

• stability

1

illustratesthe re ommendationde reaseof amali iousnode inthe worst ase1 ofthereputation in rease

• stability

2

illustratesthe re ommendation in reaserateinthe ommon ase

• stability

3

illustrates the re ommendation de rease of orre tnodesin the reputationde rease ase,starting witha reputationof 100

• stability

4

illustrates the re ommendation de rease of mali ious nodes inthereputationde rease ase, starting witha reputationof 100

ρ

rec

stability

1

(%)

stability

2

stability

3

stability

4

Π

lying (%)

β = 20

β = 40

lying

β = 20

β = 40

lying 0 14 100 100 5 10 0 15 30 100 0.1 12.6 90 90 4.5 9 0 13.5 27 90 0.2 11.2 80 80 4 5 0 12 24 80 0.5 7 50 50 2.5 5 0 7.5 21 50 best max max max min min min max max max

Table3: inuen e of

ρ

rec

onthereputation me hanism,

τ = 25%

With

ρ

rec

∼ 1

, the re ommendations of the mali ious nodes and the at-ta ked nodes de rease very slowly. This is the opposite in the ase of no re ommendation history. By hoosing

ρ

rec

= 0.2

,welimit the re ommenda-tion de reases of the orre t nodes, and we also redu e thein rease rate in ommon states, whi h prevents mali ious nodes from alterning orre tand mali iousbehaviors.

Inthisarti le,wehaveshownthatdesigningareputationand re ommenda-tion me hanism at the group layer requires to develop a reputation shared between the nodesand not a lo alreputation, asproposedinexisting stud-ies. This kind of system relies on many parameters, su h as update rates, syn hronization intervals and thresholds, whi h arelinked together in om-plex ways. We have dened basi se urity properties (su h as the ollusion of mali ious nodes must not engender an evi tion of a orre t node) whose enfor ement requires a orre t setting of the system parameters. We have analyzed the system parameters and determined values that satisfyour se- urityproperties.

Moreover, as the re ommendation aspe t isasimportant asthe reputa-tion aspe t, we have studied the existing re ommendation evaluation. We have shown that the basi prin iple a node re ommendation must de rease if it a ts mali iously is not assured in the worst ases, whi h may engen-derin orre t stabilizedstates. Wehave thenproposed two modi ations of the evaluation s heme: a re ommendation fun tion that improves the ex-isting fun tion and a new one, designed under hypotheses about the group environment, whose results areeven better.

Our reputation system may be used in dierent ontexts, su h as the groupmanagementinadho networks,asareinfor ementofexisting propos-alssu h as[6 ℄,and thereinfor ement ofrouting proto ol withmisbehaviors dete tion[14℄.

Referen es

[1℄ Liu, J.,Issarny,V.: Enhan ed reputationme hanismfor mobileadho networks. In: iTrust.(2004) 4862

[2℄ Conrad, M., Fren h, T., Huang, W., Maple, C.: A lightweight model of trust propagation in a multi- lient network environment: To what extent does experien e matter? In: ARES '06: Pro eedings of the First International Conferen e on Availability,Reliability and Se urity (ARES'06), Washington, DC, USA, IEEE Computer So iety (2006) 482487

[3℄ Guha,R.,Kumar,R.,Raghavan,P.,Tomkins,A.: Propagationoftrust and distrust. In: WWW '04: Pro eedings of the 13th international onferen e onWorldWideWeb,NewYork,ACMPress (2004)403412 [4℄ Wong, C.K., Gouda, M.G., Lam, S.S.: Se ure group ommuni ations using key graphs. In: Pro eedings of the ACM SIGCOMM '98 on-feren e on Appli ations, te hnologies, ar hite tures, and proto ols for omputer ommuni ation. 6879

groups using one-way fun tion trees. IEEE Transa tions on Software Engineering 29(5) (2003) 444458

[6℄ Cuppens, F., Cuppens-Boulahia, N., Thomas, J.A.: STGDH: An en-han ed group management proto ol. In: Pro eedings of the CRISIS Conferen e, Maro o, Marrake h(July 2007)

[7℄ Fall, K., Varadhan, K.: The ns Manual. http://www.isi.edu/nsnam/ns/do /

[8℄ Anantyalee, T., Wu, J.: Reputation-based system for en ouraging the ooperationof nodesin mobilead ho networks. In: IEEE ICC, 2007. (24-28 June 2007)

[9℄ Carbone, M., Nielsen, M., Sassone, V.: A formal model for trust in dynami networks. InCerone, A.,Lindsay,P., eds.: Pro eedingsofInt. Conf.onSoftwareEngineeringandFormalMethods,SEFM2003,IEEE Computer So iety (2003)5461

[10℄ Cuppens, F.,Cuppens-Boulahia, N.,Thomas, J.A.: Malevolen e dete -tion andrea tions inad ho networks. Te hni al report(June 2007) [11℄ Dembe, A.E.,Boden, L.I.: Thestory ofthe moral. In: New Solutions.

(2002) 257279

[12℄ Ba, S., Pavlou, P.A.: Eviden e of theee t of trust building te hnol-ogy in ele troni markets: Pri e premiums and buyer behavior. MIS Quarterly 26(3) (2002)

[13℄ Ros, F.J., Ruiz, P.M.: Implementing a New Manet Uni ast Routing Proto ol inNS2. Te hni al report, Dept. of Information and Commu-ni ations Engineering Universityof Mur ia(De ember2004)

[14℄ Cuppens, F.,Cuppens-Boulahia, N., Ramard,T., Thomas, J.A.: Mis-behaviors dete tion to ensure availability in olsr. In: MSN, Mobile Sensor Networks. Volume 4864 ofLe ture Notes inComputer S ien e., Springer (2007) 799813