Reputation Attacks in Mediated and Automated Systems Joseph R. Rabaiotti∗ , Howard Chivers∗ , John A. Clark† , Pau-Chen Cheng‡ , Natalie Ivanic§ , Shane Balfe¶ ∗ Department
of Information Systems, Cranfield University, Defence Academy of the United Kingdom, Shrivenham, Swindon SN6 8LA, UK. Email
[email protected] [email protected] † Department of Computer Science, University of York, York, UK. Email:
[email protected] ‡ IBM Watson Research Center, Hawthorne, NY, USA. Email:
[email protected] § U.S. Army Research Laboratory, Adelphi, MD, USA. ¶ Information Security Group, Royal Holloway, University of London, Egham, UK. Email:
[email protected]
Abstract—Trust is a measure of the behaviour that is expected of another party in a transaction; there are many approaches to estimating trust, many of which are based on combining direct and indirect experience of transactions into a recommendation. This paper reviews the types of attack that are found in existing reputation-based systems, and their relevance to both human teams and to future military networks. Many of the attacks are forms of misuse or misrepresentation. For a reputationbased system to take account of such attacks it must include assessments of service quality based on the wider context of a transaction or the outcomes of a large number of transactions; these requirements are difficult to meet in fully automated networks, so reputation systems may be unsuitable as the primary source of trust in dynamic military networks. The results also highlight the difference between unmediated and mediated human interactions.
I. E XTENDED A BSTRACT A. Introduction This work examines how both existing mediated human reputation systems, and fully automated reputation systems are attacked, and draws on this to analyze and highlight issues with the use of reputation as the basis for trust in future military networks. Parallels will be drawn between users’ cheating behaviours on the eBay online auction site and common attacks against the BitTorrent distributed file transfer protocol, and related to possible attacks against military mobile autonomous networks (MANETs).
2) By Potential Bidders, Bidders, and Buyers: These may cheat by bidding disruptively (e.g. placing an enormous bid simply to disrupt the auction and then not paying), using false identities and “sock puppets” (the same person using multiple eBay accounts to create virtual “allies”), time races (e.g. sniping, though sniping is not banned by eBay, and some consider it a legitimate or even optimal strategy – [1],[2],[3]), failing to pay, attempting payment using a stolen or fraudulent instrument and abusing feedback, which includes simple abuse (insults, libel, defamation, harrassment, etc.), extortion (using the threat of negative feedback to force the other party to make concessions) or retaliation (e.g. leaving negative feedback for the other party just because they left negative feedback for you, whether deserved or not). C. Attacks in an Automated Reputation System (BitTorrent) There are few operational networks that rely on reputation metrics; however, peer-to-peer systems such as BitTorrent use similar mechanisms, and also have some of the characteristics of future military networks, despite lacking coherent hierarchical mission structures. Possible attacking behaviours include freeloading (where a node tries to obtain files while offering no effective service in return – [4], [5], [6]), critical node attacks, data poisoning [7], reflection attacks [8], and forged connection reset attacks such as those reputed to be carried out by certain ISPs. D. Classification of Cheating/Attacking Behaviours
B. Cheating between Individuals in a Mediated Environment (eBay) 1) By Sellers: Sellers on eBay may cheat by misrepresenting what they have to sell, attempting to “fence” stolen goods or pass off counterfeits, setting unreasonable terms and conditions, attempting to manipulate eBay’s search and browse processes to gain an unfair advantage, shill bidding (where a seller or a confederate bids on an item they are selling to drive up the price), feedback trading, failing to deliver goods in a reasonable time period and attempting to sidestep eBay’s communication methods to avoid anti-fraud checks (out-ofband transactions).
ACITA 2008
The behaviours described above may be separated into three general groups as follows: • Transaction Protocol Violations • Transaction Quality Violations • Reputation Integrity Attacks In human transactions the formation of a “contract” (e.g. a purchase agreement) is atomic, and can be identified with a specific protocol in a similar manner to machine transactions. Protocol violations involve one party violating part of the protocol to gain an unfair advantage. Examples include eBay search and browse manipulation, shill bidding, identity falsification and sybil attacks [9], and time races. Within
Page 352
MANETs, it should be possible to detect or prevent protocol violations, but this will depend upon the protocol in use. Comparable threats include the manipulation of directories to force users into using subverted or fake services (a current example of such an attack is DNS poisoning to facilitate Phishing), and creating false network nodes, for example, by manufacturing identities using captured cryptographic keys. False identity attacks may be effective even if the network authentication system cannot be subverted, since for denial of service purposes it is often sufficient to partially engage with a low level protocol. Outside that transaction there are important side conditions: in the case of eBay that money is paid, that goods are delivered, and that the goods are of the type and quality expected. A similar distinction can be made in a network environment; the network protocol that enables a transaction is a specific exchange of messages; however, each transaction takes place in a wider system context, which is related to the quality of the files delivered, or the execution of an agreed action. These are transaction quality factors. Examples of quality violations include misrepresentation, unreasonable terms and conditions, delivery failure, fraud, disruptive bidding and data poisoning. Reputation integrity attacks are attempts to directly manipulate reputation metrics; the actual metrics concerned are system dependent, for example, in BitTorrent they include ‘credit’ for uploading files to other nodes. In normal unmediated interaction, reputation includes aspects such as the perceived ability, integrity and benevolence of individuals [10]. This obviously describes feedback-based attacks in eBay (extortion, abuse, libel, retaliation, trading) as well as attempts to exploit the BitTorrent startup protocol to facilitate painless freeloading as described by Sirivianos [5] and Locher [6]. E. Conclusion A number of key considerations can be drawn from the above examples. Firstly, the range and number of ‘service quality’ attacks, which can only be detected over a relatively long period, is significant. Secondly, it is evident that reputation must be based on factors that include retrospective satisfaction of service delivery, not merely satisfactory execution of an atomic network transaction. Thirdly, the need to consider retrospective satisfaction is likely to be a major impediment in the successful use of fully automated reputation systems in a dynamic military network. Fourthly, some attacks on peer-to-peer protocols make use of special attributes of dynamic distributed systems: a significant danger for dynamic military networks; although in a military network the lowest level of communications and routing may be dynamic and opportunistically reconfigurable, it is difficult to avoid some nodes with special characteristics that can be the target of critical node attacks; for example time services, directories, and gateways. Finally, the dominant number of attacks are service quality violations, and all these have direct parallels in unmediated team behaviour; these behaviours may therefore
ACITA 2008
repay further study, particularly in the context of military coalitions. This paper has reviewed attacks on existing reputation systems with a view to determining the range of threats that they need to counter. Many of the attacks observed are directed toward quality factors, such as the validity of delivered data or the degree to which a service is encumbered; this suggests that reputation must be based on factors that include retrospective satisfaction of service delivery, not merely execution of a network protocol. This condition is met in moderated human reputation systems, but is likely to be major impediment in the design of fully automated reputation systems, to the extent that reputation systems may prove unsuited as the basis for trust in dynamic military networks. ACKNOWLEDGMENT The ideas presented in this paper were developed during project discussion at the ITA project workshop in January 2008, to which a large number of project 5 and 6 staff contributed. We are grateful for their considerable contribution. Research was sponsored by the U.S. Army Research Laboratory and the U.K. Ministry of Defence and was accomplished under Agreement Number W911NF-06-3-0001. The views and conclusions contained in this document are those of the author(s) and should not be interpreted as representing the official policies, either expressed or implied, of the U.S. Army Research Laboratory, the U.S. Government, the U.K. Ministry of Defence or the U.K. Government. The U.S. and U.K. Governments are authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon. R EFERENCES [1] T. Schonberger, “Snipers attack eBay market: Savvy bidders hold their fire to score those items you crave,” NOW Magazine (Toronto), 2006, http://www.nowtoronto.com/issues/2006-05-11/goods next.php, accessed 21st April 2008. [2] I. Yang and B. Kahng, “Bidding process in online auctions and winning strategy: Rate equation approach,” Physical Review E, vol. 73, 2006. [3] A. E. Roth and A. Ockenfels, “Last-Minute Bidding and the Rules for Ending Second-Price Auctions: Evidence from eBay and Amazon Auctions on the Internet,” American Economic Review, vol. 92, no. 4, pp. 1093–1103, September 2002. [4] M. Piatek, T. Isdal, T. Anderson, A. Krishnamurthy, and A. Venkataramani, “Do incentives build robustness in BitTorrent?” in 4th USENIX Symposium on Networked Systems Design and Implementation, 2007. [5] M. Sirivianos, J. H. Park, R. Chen, and X. Yang, “Free-riding in BitTorrent Networks with the Large View Exploit,” in 6th International Workshop on Peer-to-Peer Systems (IPTPS 07), 2007. [6] T. Locher, P. Moor, S. Schmid, and R. Wattenhofer, “Free Riding in BitTorrent is Cheap,” in ACM SIGCOMM Fifth Workshop on Hot Topics in Networks (HotNets V), 2006. [7] D. Dumitriu, E. Knightly, A. Kuzmanovic, I. Stoica, and W. Zwaenepoel, “Denial-of-Service Resilience in Peer-to-Peer Filesharing Systems,” ACM SIGMETRICS Performance Evaluation Review, vol. 33, no. 1, pp. 38–49, June 2005. [8] K. E. Defrawy, M. Gjoka, and A. Markopolou, “BotTorrent: Misusing BitTorrent to Launch DDoS Attacks,” in USENIX 3rd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI ’07), 2007. [9] J. R. Douceur, “The Sybil Attack,” in 1st International Workshop on Peer-to-Peer Systems (IPTPS 02), 2002, pp. 251–260. [10] R. C. Mayer, J. H. Davis, and F. D. Schoorman, “An Integrative Model of Organizational Trust,” The Academy of Management Review, vol. 73, no. 3, pp. 709–734, 1995.
Page 353
