Heal Gossip: A Secure Overlay for Unstructured P2P Networks

: Gossip-based protocols are an e cient mechanism for man-aging pure unstructured peer-to-peer (P2P) networks. Such protocols are Newscast, Cyclone, Lbpcast


Introduction
Now days, the Internet plays a great role in any type of digital communication. The continuously expansion of Internet lead to the discard of traditional client-server based system. Alternative way is to use of distributed architecture. Peer-to-Peer (P2P) network is a kind of distributed application architecture. In this, the system nodes or peers are equally privileged and collaborate with each other to carry out a service. It refers to network communication without servers and allows host to communicate directly with other peers. Basically P2P system architecture is based over the Internet architecture. It is implemented as an abstract overlay network built over application layer. It is used to handle various complex services such as le sharing system, data containing digital formats e. g, audio les, and real time data e.g, VoIP telephony traffic passed through P2P system. P2P networks are mainly categorized into two types: Structured and Unstructured based on how the peers in the overlay are connected to each other.
Structured P2P system has a predefined specific connection between nodes, and connection of the nodes is based on their assigned IDs. Structured P2P overlays also known as distributed hash tables (DHT). They provide a natural support to do such functionality. DHTs logically organize peers in a well-de ned structured. In P2P systems, DHTs are of great importance as they support to perform an exhaustive and exact search in very large-scale systems [1].
Unstructured P2P systems, peers are linked either randomly or probabilistically based on some proximity metric between the nodes. The overlay achieves random topology, which is allowing more flexibility in its structure. Regarding this, gossip-based protocols came as an efficient way to construct such unstructured overlays [2,3].
Gossip protocols can connect overlays even in the presence of high churn where nodes joining and leaving the system at any time. Such connected random overlays provide an efficient support for range and keyword-based queries. Gossip-based protocols [4,5] have come as popular paradigm for pure unstructured P2P systems. Interestingly these gossip protocols have been designed pre-serve to connectivity even if 70% of nodes at a time become dead or leave from existing overlay [6,8]. In these protocols, each node maintains a set of links to a small set of neighbours, constituting a partial view of the network. The resulting connected graph forms an unstructured overlay [9,10].
Thus, the major drawback of gossip protocols is that a few malicious nodes can easily create a hub and partition the network. SPSS [11], TooLate [12] and S-Gossip [13] are some known protocols are able to secure unstructured P2P networks against Hub attacks. Some other papers such as Uniform and Ergodic Sampling [14] and Brahms [15] are also mentioned about the effects of malicious nodes.
SPSS approach is intuition based. A node having large in-degree assumed to possess potentials to become a hub, so malicious. There is a central authority keeps a watch on every node and determines threshold for in-degree. It maintains two lists, namely, (i) blacklist, and (ii) whitelist. Nodes having in-degree higher than the threshold are stored in blacklist. Every node first checks with central authority to determine if the selected peer for gossip belongs to whitelist. If so, then gossip is carried out.
Since gossiping process is quite fast, before a node determines whether the selected node is in blacklist or whitelist, there is high probability that the malicious nodes can pollute the cache or view. Also central authority may fail or can be hacked. Therefore, SPSS cannot provide integrated security features one would expect from a secured gossip protocol. To address this issue, namely, the problem of centralized blacklist as stated above, TooLate was proposed. TooLate is a completely decentralized protocol for secured gossip which tightly couples maintenance of blacklist with the base gossip protocol.
Recently, S-Gossip is proposed to reduce multiple instances of Toolate. In this protocol, each node maintains three tables to ban malicious nodes. These tables are referred as three level of filtering for the overlay nodes. Third level of filtered nodes are marked as malicious one and restricted from the gossip.
Further, the work is organized to start with describing the basic of S-Gossip in section II. Section III explains the propose Hide and Seek attack model. The security mechanism of HealGossip is discussed in section IV. Simulation results are analyzed in the section V. Finally, we conclude our research work with future direction in section VI.

Basic of S-Gossip
S-Gossip has been proposed to reduce communication overhead while protecting with malicious nodes. Unlike Toolate security protocol, it uses only one instance of protocol. There is no central authority as in SPSS. For capturing malicious nodes, it uses three tables on each node. The tables are Genuine Table (GT), Suspicious Table (ST) and Malicious  Table (MT). The tables are updated on each gossip. All tables are maintained with different descriptors for node entries. GT has Node Identification (NID), Suspicious Count (SCount) and Time-to-Live (TTL) values of a node while ST maintains Malicious Count (MCount) instead of SCount. On the other hand, MT has only NID and TTL values. All tables is maintained a unique NID and is forced to shift when the de ned threshold will be crossed. The threshold of GT is defined on SCount. The average or mean value of SCount is computed through equation 1 and standard deviation through equation 2.
Here, N is the size of overlay. While updating the table entries, the nodes of GT are shifted to ST when the node's SCount will be more than the addition of mean and standard deviation of entire SCount of the table. The shifting of nodes from ST in to MT is happened whenever MCount value of the node will be exceeded the MCount threshold. The value is prede ned which is equal to the View Table (ViTab) length of the S-Gossip. ViTab refers as view of a node in the traditional gossip mechanism.
The mechanism assumed that the entry of nodes inside malicious table will be declared as malicious. This table maintains only TTL value for the captured nodes and the value is reinitialized whenever the node reappear while gossip. From this mechanism of S-Gossip, it ensures that the captured actual malicious nodes inside Malicious table will be stuck in a loop. The value of TTL is initialized with the predefined ViTab length size. The nodes are free from tables as soon the TTL value becomes zero.
The mechanism tried to eliminate false + ve and false -ve from the tables. S-Gossip proved through simulation that it can provide secure from Hub attack. But, the mechanism gets in trouble if the malicious nodes will stop gossip for some interval. This will reduce the SCount and MCount of the malicious nodes. The side effect of this it that the malicious nodes may come out from ST or MT tables. This effect will be reduce to get knowledge of malicious nodes from neighbours. But in S-Gossip, there is no provision to inform a captured malicious entries among neighbours.

Hide and Seek Attack Model
We propose an attack model especially for those networks who care about frequency of hits of the malicious nodes while updating their routing tables. As discussed that some security protocols are very effectively captured the malicious nodes while gossiping with others such as in Toolate, S-Gossip, etc. They used to measure the frequency of continuously gossiping nodes and mark as malicious if they crossed the predefined threshold.
The basic mechanism of the proposed HnS attack model is that it rst attacks the overlay with malicious peers and then hide from the overlay. In case of hide, it performs indirect attack from sending the affected non-malicious nodes. These affected non-malicious nodes are managed in such way that all non-malicious nodes are confused to mark the malicious nodes. For implementing the attack, malicious nodes have two tables rst for own malicious peers, called Malicious Peer The propose HnS attack mechanism insures, in worst situation, that each non-malicious node is maximum two hops away from malicious peers. After leaving all malicious nodes they divide the overlay in several partitions. The best case of the attack is to make complete partition of the overlay. In such situation, the non-malicious nodes can be forced to connect only one hop away from malicious nodes. After leaving all malicious nodes, the attack insures the complete partition of the overlay. The complete partition occurs only in the case of 100% direct attack of malicious nodes, which is equivalent to Hub attack. The HnS attack is able to protect malicious peer to being paralysed, which is shown in the Figure 1. Here, S-Gossip captures only few malicious nodes in HnS while more in Hub. It indicates that the propose HnS attack can miss-lead non-malicious nodes regarding malicious nodes.

Heal Gossip
HealGossip assists non-malicious nodes to identify and prevent malicious nodes from being involved in gossip with non-malicious node in the network. The in-formation about suspicious nodes get disseminated in normal course of gossip. This process heals the overlay before affected from malicious nodes.
Having described the main idea behind HealGossip in the following sub-sections, first we discuss the sharing and the dissemination information among nodes in the network through gossip. Next we introduce the concept to update of different node tables. Finally, we discuss the rationale behind the rules used for table updates.

Gossip Modes
Unlike other gossip-based protocol, HealGossip uses two modes for gossip with neighbours. One mode is called General Gossip and the second is called Protect Gossip. While gossiping, HealGossip assumes that the General Gossip contains malicious or non-malicious nodes, and the Protect Gossip contains malicious nodes to inform about them to neighbours.

Table Update
In terms of HealGossip protocol, the common of nodes represent those nodes which appear in any of the three tables of the gossiping pair and the respective neighbours received at the two ends. The occurrence of a common node is con-sidered as a hit. The value of hits of the nodes in any table determines whether the node is suspicious, malicious or reliable.
Suppose, the initiator of gossip is denoted by A, the node selected for gossip is denoted by B, and C i denotes a node received through the gossip. The descriptors are updated in tables while maintaining view. Maintain view is described in the Algorithm 1. (ii) If B reports that C i is malicious and C i neither in A's S-Tab nor in M-Tab then A inserts C i in its S-Tab. If the gossiping node B belongs to S-Tab, then it is viewed as a suspicious node. So, B's information about Ci is treated with suspicious. (i) If B reports that is C i non-malicious then A places C i in its S-Tab (ii) If B reports that C i is malicious then A places C i in its S-Tab. When a hit occurs for the first time, the corresponding common node can only be in ViTab. In case, the number of hits is increased and then the node moves from one table to another depending whether the hit crosses the thresholds set for movement of the corresponding move. The thresholds are calculated at each gossiping cycles. The update process is mentioned in the Algorithm 2.
On the basis of previous knowledge of long stayed nodes, we can take an action on related behaviour newly arrived nodes within few cycles. Hence the identification time will be reduced for the new nodes and take action on group of nodes, instead of single node. It also helps to identify dead and live nodes, which results to reduce false +ve and false -ve. This concept is able to scale the cope to strengthening security in P2P.

Storing Objects
The objects are hashed by respective source node to get an object ids (objIDs). Each object is assign a version id (verID) whenever they will be updated. The latest verId helps to update the old version of the object. The HealGossip ensures that the replication of an object can be done and they are up to dated by source node only. For this reason, a hopCount value increments by one after each gossip. The increment will be stop after reaching at source. The final value of hopCount considers as the maximum replication path of the object. The objIDs can be updated within its own hopCount only. For each object, the hopCount value will be di erent. The objID, verID and hopCount refer as object descriptors. These descriptors are used to manage objects in the overlay by each node.

Routing Process
The routing process starts whenever a request will arrive on an active node. The requested object id (objID) is checked in ViTab and response after finding the id. In absence of the key or objID, the node forwards to an random neighbour from its ViTab. A sample routing process where an object key, say 101, to be searched on a node, say N0. In this scenario, the node N0 does not contain the key 101. Hence, the request message will be forwarded to a random, say node N3, which selects from its ViTab. The process is stopped at a node, say N8, after nding the key. The node N8 reply the response message to the requested node. The path of request and response message are di erent with high probability.
The routing process is depends on the network connectivity. Healthy connected overlay can route efficiently. Hence, the work focus on the connectivity of the overlay instead of routing. The issue of connectivity based on the ViTab nodes, which refers to the neighbours of a node. The nodes are polluted when non-malicious nodes of ViTab will be replaced by malicious nodes. It is called ViTab or cache pollution. More percentage of cache pollution indicates more separation from good nodes. In presence of malicious nodes, the propose security mechanism tries to reduce percentage of cache pollution to make overlay connectivity as closer to healthy overlay. The comparative analysis is performed in the following section.

Results and Analysis
Results of the proposed HealGossip protocol are compared and analyzed with existing security protocol S-Gossip. For healthy comparison, both security protocols are run on Cyclon [9] gossip mechanism. Simulations have been performed with the help of Peersim simulator.
Analysis of Hub Attack Figure 2 describes the Hub attack affects on the security protocols. The affect is comparatively less in the proposed HealGossip due to additional acknowledgement property of malicious nodes. The average malicious nodes inside ViTab or cache are reduced. The percentage is also reduced in presence of 2% churn rate and the result shows in the Figure 3. In these simulations, there are 1,000 nodes in the network and 2% malicious nodes are taken.

Analysis of Hide and Seek Attack
The effects on the cache shows in the Figure 4. Initial hype of HealGossip shows the affect of HnS indirect attack. Since there is no room for indirect attach, S-Gossip does not have such hype. But, the proposed gossip mechanism able to reduce the pollution after spreading the malicious messages among neighbours.

Conclusion
The proposed HealGossip enhances the gossiping mechanism for gossip-based protocols in unstructured P2P network. Each node has capability to capture or detect malicious nodes independently. They also share their malicious entries which helps them to detect more malicious nodes. Spreading the information of malicious node is very unique feature which is introduced first time in such type of networks. These features make HealGossip protocol very scalable in respect of providing security if the malicious nodes will change their behaviours in future.