Ostra: Leveraging trust to thwart
unwanted communication
Alan Mislove†‡ Ansley Post†‡ Peter Druschel† Krishna Gummadi†
†MPI-SWS ‡Rice University
NSDI 2008
16.04.2008 NSDI’08 Alan Mislove
Digital communication
Electronic systems provide low-cost communicationEmailVoIPBlogsIMContent-sharing
Democratized content publication Can make content available to (millions of) users
2
16.04.2008 NSDI’08 Alan Mislove
Unwanted communication
Low cost abused to send unwanted communicationSpamUnwanted Skype invitations
Affecting content-sharing sites Mislabeled content on YouTube
Users are not accountableBanned users can create new identity
3
Filter based on contentHard for rich media (videos, photos)
16.04.2008 NSDI’08 Alan Mislove
Previous approaches
4
VIAGRA
Filter based on contentHard for rich media (videos, photos)
16.04.2008 NSDI’08 Alan Mislove
Previous approaches
4
Charge money to sendRequires micropayment infrastructure
VIAGRA
Filter based on contentHard for rich media (videos, photos)
16.04.2008 NSDI’08 Alan Mislove
Previous approaches
4
Charge money to sendRequires micropayment infrastructure
Introduce strong identitiesResisted by users
VIAGRA
16.04.2008 NSDI’08 Alan Mislove
Ostra
New approach to preventing unwanted communicationLeverages an (existing) social network
Works in conjunction with existing communication systemNo content filteringNo additional monetary costNo strong identities
Key idea: Exploit cost of maintaining social relationshipsInspired by trust in offline world
5
16.04.2008 NSDI’08 Alan Mislove
Outline
Inspiration: Hawala
Ostra in detail
Evaluation
Related work
Conclusion
6
Inspiration: Hawala
System for transferring moneyOriginated in India, centuries old
Give money to a hawala dealerOften someone you know alreadyTransfered via hawala dealer social network
Hawala dealers only exchange notesSettle up in the future
Comparable to debt between banksBut trust is only pairwise
16.04.2008 NSDI’08 Alan Mislove
Hawala
8
India
$
System for transferring moneyOriginated in India, centuries old
Give money to a hawala dealerOften someone you know alreadyTransfered via hawala dealer social network
Hawala dealers only exchange notesSettle up in the future
Comparable to debt between banksBut trust is only pairwise
16.04.2008 NSDI’08 Alan Mislove
Hawala
8
Hawala dealers
India
$
System for transferring moneyOriginated in India, centuries old
Give money to a hawala dealerOften someone you know alreadyTransfered via hawala dealer social network
Hawala dealers only exchange notesSettle up in the future
Comparable to debt between banksBut trust is only pairwise
16.04.2008 NSDI’08 Alan Mislove
Hawala
8
Hawala dealers
India
$
System for transferring moneyOriginated in India, centuries old
Give money to a hawala dealerOften someone you know alreadyTransfered via hawala dealer social network
Hawala dealers only exchange notesSettle up in the future
Comparable to debt between banksBut trust is only pairwise
16.04.2008 NSDI’08 Alan Mislove
Hawala
8
Hawala dealers
India
$
16.04.2008 NSDI’08 Alan Mislove
Why does hawala work?
9
16.04.2008 NSDI’08 Alan Mislove
Why does hawala work?
Links take effort to form/maintainCan’t get new links easily
9
16.04.2008 NSDI’08 Alan Mislove
Why does hawala work?
Links take effort to form/maintainCan’t get new links easily
Misbehavior results in being ostracizedShort-term gain vs. long-term loss
9
16.04.2008 NSDI’08 Alan Mislove
Why does hawala work?
Links take effort to form/maintainCan’t get new links easily
Misbehavior results in being ostracizedShort-term gain vs. long-term loss
Result: Social network used to transfer money
9
Ostra
16.04.2008 NSDI’08 Alan Mislove
Ostra
Uses social network to prevent unwanted communicationSame mechanism as hawala
Ostra does not need a high level of trustCost of failure in hawala is high → high level of trust neededFar less at stake in Ostra
Can be applied toMessaging (email, IM, VoIP)Group communication (mailing lists)Content sharing (YouTube, Flickr)
11
16.04.2008 NSDI’08 Alan Mislove
Ostra’s social network
Most communication systems embed social networkEmail contacts IM buddiesSocial network friends
Can be explicit or implicit
AssumptionsLinks take some effort to form and maintainTrusted site maintains social network
12
16.04.2008 NSDI’08 Alan Mislove
High-level overview
13
Recipients classify messagesCan be implicit (e.g., deleting or responding to a message)
Messages are sent directly
16.04.2008 NSDI’08 Alan Mislove
High-level overview
13
Recipients classify messagesCan be implicit (e.g., deleting or responding to a message)
Messages are sent directly
16.04.2008 NSDI’08 Alan Mislove
High-level overview
13
Destination
Source
Recipients classify messagesCan be implicit (e.g., deleting or responding to a message)
Messages are sent directly
16.04.2008 NSDI’08 Alan Mislove
High-level overview
13
Destination
Source
Recipients classify messagesCan be implicit (e.g., deleting or responding to a message)
Messages are sent directly
16.04.2008 NSDI’08 Alan Mislove
High-level overview
13
Destination
Source
Recipients classify messagesCan be implicit (e.g., deleting or responding to a message)
Messages are sent directly
16.04.2008 NSDI’08 Alan Mislove
High-level overview
13
xDestination
Source
Recipients classify messagesCan be implicit (e.g., deleting or responding to a message)
Messages are sent directly
16.04.2008 NSDI’08 Alan Mislove
High-level overview
13
Source
Destination
Recipients classify messagesCan be implicit (e.g., deleting or responding to a message)
Messages are sent directly
16.04.2008 NSDI’08 Alan Mislove
High-level overview
13
Source
Destination
Recipients classify messagesCan be implicit (e.g., deleting or responding to a message)
Messages are sent directly
16.04.2008 NSDI’08 Alan Mislove
High-level overview
13
Source
Destination
Recipients classify messagesCan be implicit (e.g., deleting or responding to a message)
Messages are sent directly
16.04.2008 NSDI’08 Alan Mislove
High-level overview
13
Source
Destination
Recipients classify messagesCan be implicit (e.g., deleting or responding to a message)
Messages are sent directly
16.04.2008 NSDI’08 Alan Mislove
High-level overview
13
Source
Destination
x
Recipients classify messagesCan be implicit (e.g., deleting or responding to a message)
Messages are sent directly
16.04.2008 NSDI’08 Alan Mislove
Link accounting
14
B
0
16.04.2008 NSDI’08 Alan Mislove
Link accounting
Each link has a credit balance BHow much one user is “in debt” with the other
14
B
0
16.04.2008 NSDI’08 Alan Mislove
Link accounting
Each link has a credit balance BHow much one user is “in debt” with the other
Link also has credit bounds [L,U]Maximal debt each user is willing to accept (L ≤ B ≤ U)
14
B
L U0
-5 +5
16.04.2008 NSDI’08 Alan Mislove
Link accounting
Each link has a credit balance BHow much one user is “in debt” with the other
Link also has credit bounds [L,U]Maximal debt each user is willing to accept (L ≤ B ≤ U)
14
-1
0
16.04.2008 NSDI’08 Alan Mislove
Sending a message
15
When message is sent, lower bound is temporarily adjustedReset once message classifiedIf adjustment cannot be made, message is delayed
If recipient marks message unwanted, balance is adjusted
0
16.04.2008 NSDI’08 Alan Mislove
Sending a message
15
When message is sent, lower bound is temporarily adjustedReset once message classifiedIf adjustment cannot be made, message is delayed
If recipient marks message unwanted, balance is adjusted
0
16.04.2008 NSDI’08 Alan Mislove
Sending a message
15
When message is sent, lower bound is temporarily adjustedReset once message classifiedIf adjustment cannot be made, message is delayed
If recipient marks message unwanted, balance is adjusted
0
16.04.2008 NSDI’08 Alan Mislove
Sending a message
15
When message is sent, lower bound is temporarily adjustedReset once message classifiedIf adjustment cannot be made, message is delayed
If recipient marks message unwanted, balance is adjusted
0
16.04.2008 NSDI’08 Alan Mislove
Sending a message
15
When message is sent, lower bound is temporarily adjustedReset once message classifiedIf adjustment cannot be made, message is delayed
If recipient marks message unwanted, balance is adjusted
0
16.04.2008 NSDI’08 Alan Mislove
Sending to non-friends
16
Process iterates for sending to non-friendsFind any path from source to destination
Intermediate users indifferent to outcomeIn either case, total credit is the same
16.04.2008 NSDI’08 Alan Mislove
Sending to non-friends
16
Process iterates for sending to non-friendsFind any path from source to destination
Intermediate users indifferent to outcomeIn either case, total credit is the same
16.04.2008 NSDI’08 Alan Mislove
Sending to non-friends
16
Process iterates for sending to non-friendsFind any path from source to destination
Intermediate users indifferent to outcomeIn either case, total credit is the same
S
16.04.2008 NSDI’08 Alan Mislove
Guarantees
17
Received spam
What is the per-user bound on sending spam?
S
16.04.2008 NSDI’08 Alan Mislove
Guarantees
17
Received spam
What is the per-user bound on sending spam?
Lower bound
|L| +
S
16.04.2008 NSDI’08 Alan Mislove
Guarantees
17
Received spam
What is the per-user bound on sending spam?
N ∗Number of links
Lower bound
|L| +
16.04.2008 NSDI’08 Alan Mislove
Guarantees for groups
Analysis is same for any subgraphConservation of credit: Credit can neither be created nor destroyed
Result: Collusion doesn’t help attackers
18
N ∗ |L| + S
16.04.2008 NSDI’08 Alan Mislove
Guarantees for groups
Analysis is same for any subgraphConservation of credit: Credit can neither be created nor destroyed
Result: Collusion doesn’t help attackers
18
N
N ∗ |L| + S
16.04.2008 NSDI’08 Alan Mislove
Adjustments
An average user will occasionallyReceive an unwanted message (receive credit)Send mail marked as unwanted (lose credit)
May cause user’s balance to hit boundsIf (B = L), cannot sendIf (B = U), cannot receive
Introduce credit decay dOutstanding balance (+ or −) decays (e.g., d=10% per day)
Preserves conservation of credit
19
16.04.2008 NSDI’08 Alan Mislove
Adjustments (cont.)
Offline users may cause credit reservationBounds adjusted until message classified
Introduce classification timeout T Message treated as “wanted” if unclassified after T
Also offers plausible deniability of receipt
20
16.04.2008 NSDI’08 Alan Mislove
Applying Ostra to content-sharing
Create “virtual” identity for content-sharing siteUploads are message to this identity
Site uses existing mechanisms to determine if unwanted
21
16.04.2008 NSDI’08 Alan Mislove
Ostra security
Can conspiring users “create” credit?
Could Ostra reach starvation?
What about users with multiple identities?
Can attackers disconnect the network?
22
16.04.2008 NSDI’08 Alan Mislove
Ostra security
Can conspiring users “create” credit?
Could Ostra reach starvation?
What about users with multiple identities?
Can attackers disconnect the network?
22
} In paper
16.04.2008 NSDI’08 Alan Mislove
What about multiple identities?
23
16.04.2008 NSDI’08 Alan Mislove
What about multiple identities?
23
{MultipleIdentities
16.04.2008 NSDI’08 Alan Mislove
What about multiple identities?
23
{MultipleIdentities
16.04.2008 NSDI’08 Alan Mislove
What about multiple identities?
23
{MultipleIdentities
16.04.2008 NSDI’08 Alan Mislove
Can attackers target vital links?
Social networks tend to have dense core [IMC’07]
Min-cut is almost always at source or destination (see paper)
24
16.04.2008 NSDI’08 Alan Mislove
Can attackers target vital links?
Social networks tend to have dense core [IMC’07]
Min-cut is almost always at source or destination (see paper)
24
16.04.2008 NSDI’08 Alan Mislove
Evaluation
Is Ostra effective in blocking unwanted communication?
Does Ostra delay message delivery?
What is the complexity of finding paths?
How do parameter settings affect performance?
Does incorrect message classification break Ostra?
Are there vulnerable links in social networks?
25
16.04.2008 NSDI’08 Alan Mislove
Evaluation
Is Ostra effective in blocking unwanted communication?
Does Ostra delay message delivery?
What is the complexity of finding paths?
How do parameter settings affect performance?
Does incorrect message classification break Ostra?
Are there vulnerable links in social networks?
25
} In paper
16.04.2008 NSDI’08 Alan Mislove
Simulating Ostra
Need a social network and a message traceSocial network trace from YouTube (446K users, 1.7M links)Email trace from MPI (150 users for 3 months, 13K messages)
Simulated Ostra in three scenariosMessaging with random trafficMessaging with proximity-biased trafficCentralized content-sharing site
Simulation parametersSelected random attacking usersBounds of [-3,3] and d=10% per day
26
16.04.2008 NSDI’08 Alan Mislove
Does Ostra block spammers?
Ostra limits amount of unwanted communicationEven with 20% attackers, only 4 messages/good user/week
27
0.1
0.01
0.001
0.0001
10.10.010.001
Un
wa
nte
d m
es
sa
ge
s r
ec
eiv
ed
(me
ss
ag
es
/us
er/
we
ek
)
Proportion of attackers (%)
Expected
RandomProximityYouTube
16.04.2008 NSDI’08 Alan Mislove
Do messages get delayed?
Very few messages get delayed
28
Classification delay (h) Fraction delayed Average delivery delay (h)
2 1.3% 4.1
6 1.3% 16.6
16.04.2008 NSDI’08 Alan Mislove
Related work
Preventing unwanted communicationContent filtering: DSPAM, SpamAssassinWhitelisting: LinkedIn, RE: [NSDI’06]
Using social networksPGP Web of TrustSybilGuard [SIGCOMM’06]
SybilLimit [Oakland’08]
29
16.04.2008 NSDI’08 Alan Mislove
Conclusion
Ostra: a new approach to preventing unwanted communicationInspired by offline trust
Leverages social network that often already exists
Desirable propertiesDoes not require global user identitiesDoes not rely on automatic content classificationRespects recipient’s notion of unwanted communication
Can be applied to messaging, as well as content sharing
30
16.04.2008 NSDI’08 Alan Mislove
Questions?
31
16.04.2008 NSDI’08 Alan Mislove 32
Bound on amount of spam becomes bound on rate of spam
d ∗ N ∗ |L| + S
16.04.2008 NSDI’08 Alan Mislove
Updated guarantees
33
System decay
Rate of incoming spamNumber of links
Lower bound
16.04.2008 NSDI’08 Alan Mislove
What’s up with U and L?
Link balance B and bounds [L,U] are from one user’s perspectiveLink can be viewed from from other’s perspective, too
For link X ↔ Y, all values symmetric
BX = −BY
LX = −UY
UX = −LY
34
=
16.04.2008 NSDI’08 Alan Mislove
Why can’t I receive when B=U?
When B=U on a linkFor other user, B=L
Thus, other user can’t sendSo you can’t receive
35
=
16.04.2008 NSDI’08 Alan Mislove
Full decentralization
So far, assumed a centralized siteKeeps link stateFinds paths
In paper, sketch of decentralized designRouting using techniques from MANETsLink state is kept decentralized
Work in progress
36
16.04.2008 NSDI’08 Alan Mislove
Can attackers target users?
Can attackers prevent users from receiving messages?Send victim lots of unwanted communicationVictim has too much credit to receive
But, victim has simple way outCan “donate” credit to friendsAnd attackers quickly run out of credit
37
16.04.2008 NSDI’08 Alan Mislove
Who do people talk to?
Users communicate with close usersReduces path computation complexity
38
0 0.2 0.4 0.6 0.8
1
1 2 3 4 5 6 7
CDF
Distance between source and destination (hops)
Observed
Random Destination Selection
16.04.2008 NSDI’08 Alan Mislove
More on content sharing
Why don’t links in the YouTube graph run out of credit?
39