
generated networks, $A$ and $B$ overlapped to over 80%. The overlapping factor is almost identical for the four different network types.

Simulation Results The set $A \cup B$ contains the nodes with the “best” topological properties in the network. The question is how many of those nodes are within the nodes identified by BridgeFinder. Figure 5.6 shows the results from the intersection of 2% (equivalent to 5) of the fastest converging nodes with $A \cup B$. In 85% of the one-bridge networks, all five nodes have either high closeness or high betweenness, i.e., are in $A \cup B$. Three of those five nodes have the same features in about 80% of the two-bridge and unit disc networks, and in about 60% of the three-bridge networks.

Thus, the top nodes identified by BridgeFinder lie exactly on the key positions in their networks. It is not surprising (as shown in Figure 5.5) that removing even a few such nodes can damage a significant portion of the underlying networks.

Next, we intersect $A \cup B$ with 5% (13 nodes) of the fastest converging nodes. Figure 5.7 displays the results. At least half of the fastest converging nodes lie on key topological positions in their networks. This is the case in more than 80% of the two-bridge networks and in over 90% of the one-bridge networks.

Our empirical results show that with very high probability, BridgeFinder identifies the same nodes one would obtain by using global network measures. In both cases, those are the few nodes keeping the network together.

Still, there are two very important differences between the two approaches. First, our algorithm is faster by several orders of magnitude than computing global network measures and, furthermore, incurs only very modest computational costs per node.

Second, and more importantly, BridgeFinder is a distributed approach. That makes it a useful tool that can be applied to a vast variety of real world networks.

[Plot for Figure 5.7. x-axis: Number of Overlapping Nodes (1 to 13); y-axis: Number of Networks in % (0% to 100%); series: One Bridge, Unit Disk Graph, Two Bridges, Three Bridges]

Figure 5.7: Intersecting the nodes with best centrality measures with 5% of the fastest converging nodes

Basic Approach The main idea behind our solution is that no node converges on its own. A node can only claim it has successfully converged when the fluctuations of the values possessed by the nodes surrounding it become relatively small. On the other hand, a node can only claim it has still not converged when the values maintained by its neighbors still vary significantly.

Therefore, each node just needs a scheme to classify the fluctuations in its neighbors' values as either acceptable or not acceptable. Then, it can protect both itself and the whole network from the following two types of possible attacks.

The first attack happens when a compromised node falsely claims it has converged (lies to its neighbors about its real values) in order to qualify for the list of fastest converging nodes. The second type of attack is when a node neglects the values sent to it by its neighbors and continues flooding the network with higher/smaller values, thus preventing the algorithm from converging. If a node receives suspiciously small or high values from one of its neighbors, let us say $X$, it can warn its other neighbors. If its suspicions are confirmed by any other nodes, they send a message through the network that $X$ has been compromised. Then, all nodes having $X$ in their neighbor list exclude $X$ from their communication flow.

To estimate whether the values sent by its neighbors are legitimate, a node can calculate the mean of the values received from the neighbors. Then, it can use that average in a local decision process: each single value may differ from the mean only by a given factor.

The idea of using the mean of the neighbors' values within a gossiping-based application to estimate the impact of compromised nodes has already been studied in [KDG03]. There, the authors show how one can use the median to compute an acceptable quantile for the exchanged values under erroneous inputs from compromised nodes. As mentioned above, it is not the values we are interested in, but rather the convergence speed.

Progression Speed We know that the fluctuations in the values are significant at the beginning of the algorithm and decrease progressively with each iteration.

The speed of that progression for a node $v$ at time $i$ can be expressed through the difference of its new and its old values:

$$s_v(i) := \frac{x_i - x_{i-1}}{x_i} \tag{5.5}$$

where $x_i$ and $x_{i-1}$ are the current and the last values of $v$ respectively. We call $s_v$ the speed coefficient of $v$. As the algorithm converges, $s_v$ goes to zero for all nodes in the network.

Furthermore, each node knows the number of exchange operations it has already carried out (cf. Section 5.4). Based on that number and the speed coefficients of the values it receives, each node qualifies them as suspicious or not suspicious.

The local decision making process for a node $v$ works in three steps. When at iteration $k$, $v$ receives a new value $x$ from its neighbor $w$: i) $v$ computes the speed coefficient of $w$ at $k$, $s_w(k)$ (the one corresponding to $x$); ii) it computes the mean value of the speed coefficients of the rest of its neighbors $MS_v$; and iii) it checks whether the following inequality holds:

$$|s_w(k) - MS_v| \le \frac{1}{k} \tag{5.6}$$

In case it holds, then $v$ accepts the new value $x$ of $w$. Otherwise, it marks $x$ as suspicious and reports it to its other neighbors. If enough nodes (one can vary the number of required votes from one to all neighbors) confirm the suspicions regarding $v$, then $w$ can be excluded from the network.
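The three-step decision and the neighbor vote described above can be sketched as follows. This is an added example, not code from the original text: the function names, the `view` layout (neighbor mapped to its previous and current value) and all sample values are assumptions constructed for illustration.

```python
from statistics import mean

def speed_coefficient(x_new, x_old):
    """Eq. 5.5: s(i) = (x_i - x_{i-1}) / x_i."""
    if x_new == 0:
        raise ValueError("speed coefficient is undefined for x_i = 0")
    return (x_new - x_old) / x_new

def is_suspicious(sender, view, k):
    """Local decision of one node at iteration k (Eq. 5.6).

    `view` (assumed layout) maps neighbor -> (previous value, current value)
    as received by the deciding node. Returns True when the sender's speed
    coefficient is further than 1/k from the mean of the other neighbors.
    """
    if k < 1:
        raise ValueError("iteration counter starts at 1")
    others = [speed_coefficient(new, old)
              for name, (old, new) in view.items() if name != sender]
    if not others:
        return False  # no other neighbors, so no reference mean exists
    old, new = view[sender]
    return abs(speed_coefficient(new, old) - mean(others)) > 1.0 / k

def should_exclude(sender, views, k, votes_required):
    """Exclude the sender once enough of its neighbors flag it.

    `views` holds one view per neighbor of the sender; `votes_required`
    can be set anywhere from one to all of those neighbors.
    """
    votes = sum(is_suspicious(sender, view, k) for view in views)
    return votes >= votes_required

# Constructed sample values: three neighbors that have nearly converged.
PEERS = {"a": (100.0, 100.4), "b": (99.0, 99.5), "c": (101.0, 101.3)}
CALM = dict(PEERS, w=(100.0, 100.5))   # w moves like its peers
JUMP = dict(PEERS, w=(100.0, 106.0))   # w's value changes by about 5.7 %
EDGE = dict(PEERS, w=(100.0, 100.9))   # small deviation from the mean

if __name__ == "__main__":
    for k in (10, 100, 300):
        print(k, {n: is_suspicious("w", v, k)
                  for n, v in (("calm", CALM), ("jump", JUMP), ("edge", EDGE))})
    print(should_exclude("w", [JUMP, JUMP, CALM], k=100, votes_required=2))
```

With these values the large jump passes at iteration 10 and is flagged at iteration 100, while the small deviation is only flagged once the tolerance $1/k$ has shrunk further (iteration 300).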

Figure 5.8 shows the progression of the averaged speed coefficient over all nodes in the corresponding network and the function $1/x$. All plots are averaged results over 100 instances of each network type. The speed coefficients in all network types have similar gradients. They all are dominated by $1/x$ for $x > 70$.

One can easily conclude that the decision rule proposed in 5.9 is inadequate within the first 70 iterations, but is very tight afterwards. That is, we allow compromised nodes to lie about their values at the beginning of the algorithm. The huge fluctuations in the beginning of the algorithm make it highly unlikely that a meaningful mechanism for that phase of the algorithm exists. At the beginning, large values are exchanged with very small values in every exchange operation.

Our security mechanism remains successful if it overcomes the following three challenges: i) detect nodes falsely claiming they have converged; ii) detect nodes that manipulate their values after the network has stabilized; iii) detect malicious nodes changing their values always within the tolerance interval, which should not influence the convergence speed of the whole network.

[Plot for Figure 5.8. x-axis: Number of Exchange Steps (50 to 300); y-axis: Speed Coefficient (0 to 0.02); series: f(x)=1/x, One Bridge, 2 Bridges, 3 Bridges, Random]

Figure 5.8: Average speed coefficient within one run of BridgeFinder on all four network types

We address the first issue directly. A node cannot possibly lie that it has converged because, once the network has stabilized, its neighbor will detect that its speed coefficient is extremely close to zero in comparison to its surrounding nodes.

From Section 5.9, one can also read the magnitude to which a given value can be manipulated. One can easily calculate that after only 100 iterations, even discrepancies within 5% of the real value will be detected as suspicious. This buffer decreases with each next iteration of the algorithm.

To address the final issue, we simulated the following scenario. Ten percent of the nodes are malicious. They all have an oracle that provides them with the mean value of the speed coefficients of their neighbors. These mean values are not known under realistic circumstances. Then, all malicious nodes lie within the maximum buffer at each fifth iteration. The results are displayed in Figure 5.9. Even under those circumstances, the overall convergence times of all four network types remain intact.

We point out that this security mechanism does not prevent nodes from inserting false values as long as they stay within the current tolerance interval of the receiving node. That means that there is no guarantee that the output values have not been compromised. Therefore, any information that can be extracted from those values, e.g., number of nodes in the network, has to be used very carefully.

However, compromised nodes change convergence speeds only marginally. This guarantees the proper function of the BridgeFinder algorithm, even in the presence of compromised nodes.

[Plot for Figure 5.9. x-axis: Number of Exchange Steps (50 to 300); y-axis: Speed Coefficient (0 to 0.02); series: 1/x, One Bridge, 2 Bridges, 3 Bridges, Random]

Figure 5.9: Optimal attack strategy every fifth iteration of BridgeFinder with 10% of malicious peers