MIS: Malicious Nodes Identification Scheme in Network-Coding-Based Peer-to-Peer Streaming

Qiyan Wang, Long Vu, Klara Nahrstedt, Himanshu Khurana
Department of Computer Science, University of Illinois at Urbana-Champaign
IEEE INFOCOM 2010

Outline
• Introduction
• MIS: Malicious Node Identification Scheme
• Simulation Results
• Conclusion

Network Coding
• New paradigm of routing:
  – Packet mixing at intermediate nodes
[Figure: traditional routing (store-and-forward) compared with network coding, A = f( , , )]
• Benefits:
  – Maximum throughput, robustness to link failure, energy efficiency …
• Applications:
  – Multicast/broadcast, wireless unicast, P2P streaming, P2P file distribution …

Network Coding in P2P Streaming Networks
• Benefits of network coding in P2P streaming:
  – Higher playback quality
  – Shorter buffering delays
  – Minimal bandwidth
  – Better resilience to peer dynamics
[Figure: overlay with source S and peers A to H; video stream segment [b1, b2, …, bm]]

Pollution Attacks in Network Coding
• Malicious nodes inject corrupted blocks.
[Figure: overlay with source S and peers A to H; video stream segment [b1, b2, …, bm]]
Pollution rapidly spreads over the network!
Failure to decode the original blocks!

The Pollution Attack
• Attacker joins an ongoing video channel
• Attacker advertises it has a large number of chunks
• When neighbors request chunks, attacker sends bogus chunks
• Receiver plays back bogus chunks
• Each receiver may further forward the polluted chunks
P. Dhungel, X. Hei, K. W. Ross, N. Saxena, “The Pollution Attack in P2P Live Video Streaming: Measurement Results and Defenses,” Sigcomm P2P-TV Workshop, Kyoto, 2007.
[Figure: peers and one polluter; a peer issues a request]

Existing Defense Strategy:
• Checking corrupted blocks at the runtime
  – Too computationally costly for real-time streaming
[Figure: overlay with source S and peers A to H; video stream segment [b1, b2, …, bm]; corrupted blocks are dropped at the runtime]

Pollution Defense Strategy
• Blacklist
• Traffic Encryption
• Chunk Signing
  – Use PKI
  – Every video source has a public-private key pair
  – Source uses its private key to sign the chunks
  – Receiver uses the public key of the source to verify the integrity of each chunk
P. Dhungel, X. Hei, K. W. Ross, N. Saxena, “The Pollution Attack in P2P Live Video Streaming: Measurement Results and Defenses,” Sigcomm P2P-TV Workshop, Kyoto, 2007.

The Idea of MIS (Malicious Identification Scheme)
• Optimal online efficiency:
  – We don’t check corrupted blocks at the runtime (before decoding).
• Fundamental limit on pollution attacks:
  – Instead, we identify malicious nodes whenever pollution attacks take place.
  – We “permanently” remove the identified malicious nodes from the overlay, so that the system is free from pollution attacks in the future.

MIS (Malicious node Identification Scheme)
[Figure: overlay with the S-server and peers A to M]
• Infected nodes: I, J, K, M, L
• Detect the existence of pollution attacks based on the content of decoded original blocks.
[Figure label: Alert (with the sequence number of the segment, a time stamp, the reporting node’s ID)]
• S-server generates a random checksum for the polluted segment.
• S-server disseminates the checksum to the overlay.
• The checksum can help the infected node (K, or I) to find out which neighbor (J, or F) has sent it a corrupted block.
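Added example (not from the slides or the MIS paper): how a checksum released after the fact lets an infected node single out the neighbor that sent it a corrupted coded block. The slides do not define the checksum, so this sketch assumes a linear one (a random vector r plus the inner products b_i · r); the block layout (m coefficients followed by the payload), the function names and the sample bytes are constructed for illustration.

```python
import secrets

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8), reduction polynomial 0x11B."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def dot(u, v):
    """Inner product over GF(256); addition is XOR."""
    acc = 0
    for x, y in zip(u, v):
        acc ^= gf_mul(x, y)
    return acc

def combine(blocks, weights):
    """Coding step: sum_k weights[k] * blocks[k], applied to header and payload alike."""
    return [dot(weights, column) for column in zip(*blocks)]

def make_checksum(segment, r=None):
    """Server side (assumed construction): vector r, random unless given, plus tags b_i . r."""
    r = r or [secrets.randbelow(256) for _ in segment[0]]
    return r, [dot(b, r) for b in segment]

def is_clean(block, m, checksum):
    """Block = m coefficients + payload; clean iff payload . r == coefficients . tags.
    A corrupted block slips through with probability 1/256 per random r."""
    r, tags = checksum
    return dot(block[m:], r) == dot(block[:m], tags)

def suspicious_neighbors(buffered, m, checksum):
    """Neighbors that supplied at least one buffered block failing the checksum."""
    return sorted({who for who, blk in buffered if not is_clean(blk, m, checksum)})

# Constructed sample: m = 2 blocks of d = 3 codewords, the sizes used in the slides' Fig. 2.
SEGMENT = [[0x10, 0x22, 0x37], [0x41, 0x05, 0x9A]]
SOURCE = [[1, 0] + SEGMENT[0], [0, 1] + SEGMENT[1]]   # unit header + payload
e1, e2 = combine(SOURCE, [3, 7]), combine(SOURCE, [9, 2])
e3 = combine([e1, e2], [5, 11])                        # honest recoding by a peer
bad = e1[:3] + [e1[3] ^ 0x01] + e1[4:]                 # one payload codeword altered
BUFFERED = [("J", e3), ("F", bad), ("J", e2)]          # (neighbor id, block)
```

Because the check is linear, honestly recoded blocks such as e3 pass without the node ever seeing the original blocks, and the check only works because r is chosen after the corrupted block was sent.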
MIS (Malicious node Identification Scheme)
• The infected node (K, or I) reports the discovered suspicious neighbors (J, or F) to the M-server, and forwards the checksum to the reported suspicious neighbors (J, or F).
[Figure: reports “F is suspicious” and “J is suspicious” reach the M-server; suspicious node list (SNL): J, F]
• With the received checksum, an innocent suspicious node (J) can find another suspicious node (F), but the malicious node (F) cannot.
[Figure: report “F is suspicious” reaches the M-server; suspicious node list (SNL): J, F]

MIS – Security Guarantees
• Correctness
  – A malicious node cannot deny having sent a corrupted block or disparage any innocent node.
• Guarantee
  – When a suspicious node is reported, evidence is shown to the M-server to demonstrate that the reported node has indeed sent out a corrupted block.
• Approaches
  – Public-key signature scheme
    • Let each node sign the block it sends out using a public-key signature scheme, and the signature associated with the block can be used as the evidence.
    • This approach requires applying a public-key signature to each transmitted block, introducing substantial computational delays due to the expensive signature generation and verification.
  – Non-repudiation transmission protocol

Fig. 2: An example to illustrate network coding in P2P streaming. Each segment consists of m = 2 blocks, and each block has d = 3 codewords. Peer X receives two coded blocks e1,i, e2,i in Si from the S-server, and produces a new coded block e3,i for peer Y.

Non-Repudiation Transmission Protocol
[Figure: X: the suspicious node; Y: the reporting node; λ = 6, δ = 3; downstream neighbor, upstream neighbor; block e; verify evidence with γ2, γ4, γ5]
• Table I lists the probabilities that a malicious party succeeds in our protocol under several sample parameter selections.
• Prob X (or Prob Y): the probability that a malicious X (or Y) succeeds. The space overhead includes Φ(e) and Seq(e) (one byte for Seq(e)).
0 ≤ θ ≤ λ - δ

Evaluation
• Simulation based on real PPLive overlays obtained in our previous work [TOMCCAP’09]
  – The overlay contains 1600 or 4000 nodes
  – Malicious nodes are picked at random
  – Each segment consists of 32 blocks, and each block has 256 codewords in GF(256)
  – Time taken to identify malicious nodes is less than 6 seconds
[TOMCCAP’09] L. Vu, I. Gupta, K. Nahrstedt, and J. Liang, “Understanding the Overlay Characteristics of a Large-scale Peer-to-Peer IPTV System”, ACM TOMCCAP, 2009.

Comparison
• Online computational times: MIS (5-10 µs), Null-key (1-2 µs), MAC-based (2 ms), Homomorphic signatures or hashes (> 1 s).
• Per-block communication overhead: MIS (22 B), Homomorphic signatures or hashes (128-256 B), Null-key and MAC-based (> 256 B).

Conclusions
• We propose a novel scheme (MIS) to limit network-coding pollution attacks by identifying malicious nodes.
• MIS can fully satisfy the requirements of P2P live streaming systems.
• MIS has high computational efficiency, small space overhead, and the capability of handling a large number of corrupted blocks and malicious nodes.

References
• [5] M. Krohn, M. Freeman, and D. Mazieres, “On-the-fly Verification of Rateless Erasure Codes for Efficient Content Distribution”, in Proc. IEEE Symp. on Security and Privacy (Oakland), 2004.
• [6] C. Gkantsidis and P. R. Rodriguez, “Cooperative Security for Network Coding File Distribution”, in Proc. of IEEE INFOCOM, 2005.
• [7] Q. Li, D.-M. Chiu, and J. C. S. Lui, “On the Practical and Security Issues of Batch Content Distribution Via Network Coding”, in Proc. of IEEE International Conference on Network Protocols (ICNP’06), 2006.
• [9] Z. Yu, Y. Wei, B. Ramkumar, and Y. Guan, “An Efficient Signature-based Scheme for Securing Network Coding against Pollution Attacks”, in Proc. IEEE INFOCOM, 2008.
• [10] E. Kehdi and B. Li, “Null Keys: Limiting Malicious Attacks Via Null Space Properties of Network Coding”, in Proc. of IEEE INFOCOM, 2009.
• [11] Z. Yu, Y. Wei, B. Ramkumar, and Y. Guan, “An Efficient Scheme for Securing XOR Network Coding against Pollution Attacks”, IEEE INFOCOM, 2009.
• [16] L. Vu, I. Gupta, K. Nahrstedt, and J. Liang, “Understanding the Overlay Characteristics of a Large-scale Peer-to-Peer IPTV System”, ACM Transactions on Multimedia Computing, Communications and Applications (TOMCCAP), 2009.

Related Works
• Homomorphic signatures or hashes [Krohn04, Gkantsidis05, Li06, Charles06, Yu08, Boneh09]
  – It’s computationally expensive to verify/generate the signature for each packet at each hop.
• Null-key based on the property of null space [Kehdi09]
  – Verification key needs to be repeatedly distributed.
• MAC-based scheme [Yu09]
  – Substantial communication overheads are introduced.
• Error-correction codes [Jaggi07, Kotter07]
  – Achievable throughput is determined by the power of the adversary.
• Combining homomorphic MAC and TESLA [Dong09]
  – It introduces authentication delay and is susceptible to DoS attacks.