Fun with Networks: Social, Sensor, and Shape-Shifting

Phillip B. Gibbons
Intel Research Pittsburgh
DISC’08 / Graal’08
September 24, 2008

Slides (except those borrowed from colleagues) are © Phillip B. Gibbons

Fun with Networks

Social Networks
– SybilLimit: Defending against Sybil Attacks in P2P
Sensor Networks
– Synopsis Diffusion: Robust in-network aggregation
Shape-Shifting Networks
– Claytronics: Aggregation in programmable matter

Background: Sybil Attack

Sybil attack: Single user assumes many fake/sybil identities
– Already observed in real-world p2p systems
Sybil identities can become a large fraction of all identities
– “Out-vote” honest users in collaborative tasks
[Figure: honest and malicious users; malicious users launch sybil attack]

Background: Defending Against Sybil Attack

Using trusted central authority (TCA)
– Ties identities to human beings
– Not always desirable: who to trust, privacy, etc.
– Practice: Gmail accounts
Much harder without a TCA [Douceur’02]
– Resource challenges not sufficient
– IP address-based approach not sufficient
– Practice: Wikipedia IP blocking
Widely considered real & challenging
– 40 papers on sybil attacks, no distributed solution

SybilGuard/SybilLimit Basic Insight: Leveraging Social Networks

SybilGuard [SIGCOMM’06, TON 2008], SybilLimit [Oakland’08] (with Haifeng Yu*, Michael Kaminsky)
* Primary author
First to leverage social networks for thwarting sybil attacks with provable guarantees
Nodes = identities
Undirected edges = strong mutual trust
– E.g., colleagues, relatives in real-world
– Not online friends!

Attack Model

n honest users: One identity/node each
Malicious users: Multiple identities each (sybil nodes)
Attack edge: edge between honest node & sybil node
Sybil nodes may collude – the adversary
Observation: Adversary cannot create extra attack edges
[Figure: honest nodes and sybil nodes (malicious users) joined by attack edges]

SybilGuard/SybilLimit Basic Insight

Disproportionately small cut disconnecting a large number of identities
But cannot search brute-force…
[Figure: honest nodes and sybil nodes separated by the attack edges]

SybilLimit End Guarantees

Completely decentralized
Enables any given verifier node to decide whether to accept any given suspect node
– Accept: Provide service to / receive service from
– Ideally: Accept and only accept honest nodes – unfortunately not possible
Bounds # of accepted sybil nodes (w.h.p.)
– (log n) per attack edge [up to On / log n attack edges]
Accepts (1- )n honest nodes (w.h.p.)
We also prove that SybilLimit is O(log n) away from optimal

Example Application Scenarios

If # of sybil nodes accepted is     Then applications can do
< n/2                               byzantine consensus
< n                                 majority voting
< n/c for some constant c           secure DHT [Awerbuch’06, Castro’02, Fiat’05]
…                                   …

Identity Registration

Each node (honest or sybil) has a locally generated public/private key pair
– “Identity”: V accepts S means V accepts S’s public key K_S
– We do not assume/need PKI
Every suspect S “registers” K_S on some other nodes

Registration Goals

Ensure that sybil nodes (collectively) register only on limited number of honest nodes
– Still provide enough “registration opportunities” for honest nodes
[Figure: registered keys K of sybil nodes and of honest nodes, spread over the honest region and the sybil region]

Acceptance Criteria

Accept S only if K_S is registered on sufficiently many honest nodes
– Without knowing where the honest region is!
– Circular design? We can use small cut against adversary
[Figure: registered keys K of sybil nodes and of honest nodes, spread over the honest region and the sybil region]

Key Idea

Take random “walks” of w= (log n) hops
– Honest nodes: likely to remain in honest region*
– Sybil nodes: must cross an attack edge to reach honest region
• Register key at last hop of “walk”
End up at ~random edge in honest region
* w = Social network’s mixing time
[Figure: keys K registered in the honest region and the sybil region]

Random Route: Convergence

Random 1 to 1 mapping between incoming edge and outgoing edge
Using routing table gives Convergence Property: Routes merge if crossing the same edge
[Figure: a node with edges a–f and its randomized routing table]

Implication of Convergence

Claim: There are at most w K’s per attack edge
– Proof: By the Convergence property
– Regardless of whether sybil nodes follow protocol
Use m independent instances of random routing
[Figure: routes of length w crossing one attack edge from the sybil nodes to the honest nodes]

Verification Procedure

Earlier: Each node registers at m tails
1. request S’s set of tails
2. I have three tails AB; CD; EF
3. common tail: EF
4. Is K_S registered?
5. Yes.
V accepts S: Tails intersect + key registered
4 messages involved
[Figure: verifier V, suspect S, and the tails AB, CD, EF]

Further Details in Paper

Birthday paradox: V & honest S share a common tail w.h.p.
Limit on sybil Ks in honest region: V & sybil S don’t share a common tail w.h.p.
– Unless V has a tail in sybil region: Handled in paper
How to estimate parameters: w & m
Evaluation w/ real-world social networks
– Friendster, LiveJournal, DBLP (Added sybil nodes)
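
The convergence claim above, as an added example (not code from the talk or from the SybilLimit paper): because each node's randomized routing table is a one-to-one map from incoming to outgoing edge, any number of sybil identities routing across one attack edge can end at no more than w distinct tails. The graph, seed and function names are constructed for illustration.

```python
import random

def make_routing_tables(adj, rng):
    # Each node draws a random one-to-one map: incoming neighbour -> outgoing neighbour.
    tables = {}
    for node, nbrs in adj.items():
        out = list(nbrs)
        rng.shuffle(out)
        tables[node] = dict(zip(nbrs, out))
    return tables

def tail_after(tables, prev, node, hops):
    # Continue a route that has just crossed the directed edge prev->node for
    # `hops` more hops; the tail is the last directed edge it traverses.
    for _ in range(hops):
        prev, node = node, tables[node][prev]
    return (prev, node)

def build_graph(n=30):
    # Constructed honest region (ring plus chords) with a single attack edge sybil--0.
    adj = {i: sorted({(i - 1) % n, (i + 1) % n, (i + 7) % n, (i - 7) % n})
           for i in range(n)}
    adj[0].append("sybil")
    adj["sybil"] = [0]
    return adj

def step_is_one_to_one(tables):
    # One routing step, viewed as a map on directed edges, never sends two
    # different edges to the same edge: routes merge only by crossing the same
    # directed edge, and once merged they stay merged.
    edges = [(u, v) for v, t in tables.items() for u in t]
    return len({(v, tables[v][u]) for u, v in edges}) == len(edges)

def sybil_tails(w=10, identities=1000, seed=1):
    rng = random.Random(seed)
    tables = make_routing_tables(build_graph(), rng)
    tails = set()
    for _ in range(identities):
        # The adversary is free to choose at which hop of a sybil identity's
        # route the attack edge is crossed, leaving 0..w-1 honest-side hops.
        remaining = rng.randrange(w)
        tails.add(tail_after(tables, "sybil", 0, remaining))
    return tails

if __name__ == "__main__":
    tables = make_routing_tables(build_graph(), random.Random(1))
    print("one-to-one:", step_is_one_to_one(tables))
    print("distinct tails for 1000 sybil identities:", len(sybil_tails()))
```
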

Conclusions (to Part I)

Sybil attack:
– Widely considered a real & challenging problem
SybilLimit: Fully decentralized defense protocol based on social networks
– Provable near-optimal guarantees
– Experimental validation on real social networks
Open Problem (in SybilLimit & Politics): Honest users not voting

Wireless Sensor Network Aggregation

Aggregate in-network over a tree
– Each node sends 1 short message (saves energy)
[Figure: aggregation tree; plot of % Nodes Included vs. Time]

The Problem and the Goal

Tree topology used to avoid double-counting
Aggregation and routing are tightly coupled
Our goal: Decouple the two components
– They can be independently optimized
– Robust multi-path routing can be used
– Can exploit the broadcast medium
In contrast, a gossip approach requires point-to-point messages & explicit acks

Synopsis Diffusion

[with Suman Nath*, Srini Seshan, Zach Anderson, SenSys’04, TOSN 2008]
* Primary author
Each node generates a small synopsis of its readings (SG)
Starting with outer ring, each node broadcasts its synopsis
Synopsis Fusion (SF): Each node in next ring combines all synopses it hears into its own synopsis
SF must be order- and duplicate-insensitive (ODI)
e.g., Compute count or sum using Flajolet-Martin’s distinct-values counting [Considine et al, ICDE’04]
[Figure: Example Topology: Rings]

SD Example: Uniform Sample of Size K

SG(): Each node selects a random r in [0,1], and creates a synopsis (r, id, val)
SF(s,s’): Output the K (r,id,val) triples from s U s’ with maximum r-values
SE(s): Output the K val’s in s
K=2:
– Node synopses: (.4,1,v1), (.7,2,v2), (.3,3,v3), (.8,4,v4)
– Fused synopses: {(.4,1,v1),(.7,2,v2)}, {(.7,2,v2),(.3,3,v3)}, {(.3,3,v3),(.8,4,v4)}, {(.7,2,v2),(.4,1,v1)}, {(.7,2,v2),(.8,4,v4)}
– Result: {v2,v4}

Key Challenge & A Solution

Potentially large unknown set of combinations!
ODI Goal: S1 is always the same
Key Result: Give 4 simple, locally testable properties for ODI correctness (necessary & sufficient)
Makes topology independence tractable
[Figure: Aggregation Topology: readings r1–r5 pass through SG, then layers of SF, to synopsis S1; SE gives the Result]

Order- & Duplicate-Insensitive Synopses

Necessary & sufficient conditions
1. SF is commutative
2. SF is associative
3. SF is same-synopsis idempotent: SF(s,s) = s
4. If readings r and r’ are “duplicates”, then SG(r) = SG(r’)
E.g., suppose use SF(s1,s2) = (s1+s2)/2, which of P1-P3 fails?
P2: SF(2,SF(6,30)) = 10 but SF(SF(2,6),30) = 17

Implications

SF forms a semi-lattice
Lattice property can tell if another ODI synopsis accounts for my synopsis
– E.g., SF is bitwise-OR: 10111, 00101
– Not true for non-ODI, e.g., sum: 6, 4
Implicit acks (Listen to what parent sends to know if your message was “received”)
Efficient adaptation to dynamic message loss, even when asymmetric links
More robust routing
More accurate answers
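
The uniform-sample synopsis and properties P1-P3 above, as an added example (not code from the talk or the Synopsis Diffusion papers): it tests the three SF properties over sample synopses, reproduces the averaging counter-example, and shows that reordering and duplicating messages leaves the K=2 result unchanged. Function names are chosen here, and the property test covers only the listed samples.

```python
from functools import reduce
from itertools import product

K = 2  # sample size, as in the slide's K=2 example

def sg(r, node_id, val):
    # Synopsis generation. The slide draws r at random in [0,1]; here r is
    # passed in so the slide's four readings can be reproduced exactly.
    return frozenset({(r, node_id, val)})

def sf(s, t):
    # Synopsis fusion: the K triples with maximum r-values from s U t.
    return frozenset(sorted(s | t, reverse=True)[:K])

def se(s):
    # Synopsis evaluation: the sampled values.
    return {val for _, _, val in s}

def sf_avg(a, b):
    # The slide's counter-example fusion function.
    return (a + b) / 2

def failed_properties(fuse, samples):
    # Test P1-P3 exhaustively over all triples of sample synopses.
    failed = set()
    for a, b, c in product(samples, repeat=3):
        if fuse(a, b) != fuse(b, a):
            failed.add("P1 commutative")
        if fuse(a, fuse(b, c)) != fuse(fuse(a, b), c):
            failed.add("P2 associative")
        if fuse(a, a) != a:
            failed.add("P3 idempotent")
    return failed

# The four node synopses from the slide's example.
READINGS = [sg(.4, 1, "v1"), sg(.7, 2, "v2"), sg(.3, 3, "v3"), sg(.8, 4, "v4")]

def multipath_demo():
    # One delivery order with no duplicates, versus a different order in which
    # every synopsis is heard twice (as multi-path broadcast can cause).
    once = reduce(sf, READINGS)
    twice = reduce(sf, list(reversed(READINGS)) * 2)
    return se(once), se(twice)

if __name__ == "__main__":
    print(failed_properties(sf, READINGS), failed_properties(sf_avg, [2, 6, 30]))
    print(multipath_demo())
```
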

ODI-Correct Algorithms

Count, Count Distinct, Sum, Average, Standard deviation, Second moment, Uniform sample, k’th statistical moment, Quantiles, Frequent items, Range aggregates, Inner product queries
For ODI-correct algorithms: Approximation guarantees = same
[Figure: Well-studied Streaming Model]

Synopsis Diffusion on Rings

600 sensors in 20x20
Count query

Scheme        Energy
Tree (TAG)    41.8mj
A. Rings      42.1mj
Flood         685mj

[Figure: RMS Error vs. Loss Rate for TAG (tree), Rings, Adaptive Rings, Flood]
More robust than TAG
Almost as energy efficient as TAG

Synopsis Diffusion vs. Tree

        Communication error    Approximation error    Number of Packets
SD      1%                     10-15%                 1-3
Tree    60%                    0-5%                   1

Tributary-Delta: run both simultaneously, depending on:
• regional loss rate
• accumulated aggregation
[with Amit Manjhi, Suman Nath, ICDE’05]
[Figure: Tributary and Delta regions]

Conclusions (to Part II)

Synopsis Diffusion
– ODI-correct algorithms + any multi-path routing
Open Problems
– ODI-correct subtraction
– Use Synopsis Diffusion in other contexts: P2P, mobile, etc.
– ODI-correctness requires the same synopsis for all aggregation topologies
– However, too strong: E.g., quantiles – always meets guarantees but answer depends on order
– What is a formal framework for such scenarios?

The Vision: A Material That Changes Shape

Large groups of tiny robot modules (10^6-10^9 units), working in unison to form tangible, moving 3D shapes
Not just an illusion of 3D (as with stereo glasses), but real physical objects
Both an output device (rendering, haptics) & an input device (sensing)

Suppose Software Could Control Shape

Video: CMU Entertainment Technology Center

Applications

Product design
Medical visualization
Adaptive form-factor devices
Telepario
3D fax
Smart antennas
Paramedic-on-demand
Entertainment
Etc.

Claytronics

[PIs: Seth Goldstein, Jason Campbell, Todd Mowry]
Each sub-millimeter module (“catom”) integrates computing & actuation
Key issues:
– very high concurrency (10^6-10^9 catoms)
– nondeterminism & unreliability
– efficient actuators, strong adhesion
– power, heat, dirt
– complex, dynamic networking (network diameters ≥ 1000, and changing topologies)

Moving Catoms Without Moving Parts: Two Potential Actuation Methods

Magnetic field
[Figures: one coil; two assembled magnet rings; 2 magnetic-field prototype catoms]
Electric field
[Figures: electrostatic latch design; completed latch]

Making Submillimeter Catoms

[Figures: patterned “flower”, including actuators & control circuitry; 2 mold wafers bonded around 1 thinned logic wafer; arms curl up due to stresses between layers]
Note: Both are early attempts
[J. Robert Reid, Air Force Research Labs]
[Igal Chertkow & Boaz Weinfeld, Intel]

Catom Design

Actuation: Roll across each other (using electrostatics) under software control
– Planned motion, Reactive motion
Power: Form own power grid
– Connected to external power source
Communication: Between physically adjacent modules
– Either electrical contact, capacitive-coupled connections, or free space optics (wire-like)
– Simultaneously with multiple neighbors

Aggregation Goal

In order to self-organize into a desired shape, the catom ensemble must:
– Be able to measure key aggregate properties (e.g., center of mass)
– Coordinate their activities
…in real time
Diameter too large for standard hop-by-hop approach
Ensemble too dense for longer range wireless

Speculative Forwarding

[with Casey Helfrich, Todd Mowry, Babu Pillai, Ben Rister, Srini Seshan]
E.g., regular 2D grid
Standard approach: (regular) gradient
Our approach:
• Hierarchical Overlay
• Speculative forwarding on the long links

Speculative Forwarding

Each catom maintains incoming-to-outgoing link mapping (e.g., last used)
Each bit along incoming wire sent on outgoing wire according to the mapping
When accumulate header, check for mis-speculation
Aggregation deferred to nodes in the overlay
Initial results are promising
Many issues:
• mis-speculations
• creating overlay
• shape changes

Conclusions (to Part III)

Shape-Shifting Networks pose a new problem domain for algorithmic research
– Details are in flux; realizations years away
– Key issues: scale, dynamics, soft real-time
Open Problems
– Much theory work to be done: Formal modeling, new algorithms, new insights, lower bounds, etc.
– E.g., what is a robust, low-latency communication/aggregation scheme for catom ensembles?
– Ensemble algorithmics: local algs
[Figure labels: Brownian hole motion; Grow/consume holes]