An economic perspective of message-dropping attacks in peer-to-peer overlays
© Hamlen and Hamlen; licensee Springer. 2012
Received: 9 July 2011
Accepted: 12 March 2012
Published: 12 March 2012
Skip to main content
© Hamlen and Hamlen; licensee Springer. 2012
Received: 9 July 2011
Accepted: 12 March 2012
Published: 12 March 2012
Peer-to-peer networks have many advantageous security properties, including decentralization, natural load-balancing, and data replication. However, one disadvantage of decentralization is its exclusion of any central authority who can detect and evict malicious peers from the network. It is therefore relatively easy to sustain distributed denial-of-service attacks against these networks; malicious peers simply join the network and fail to forward messages.
This article shows that peer-to-peer message-dropping attacks can be understood in terms of a well-established category of economic theory: the theory of the second best. In particular, peers who wish to continue service during an attack seek a second best solution to a utility optimization problem. This insight reveals useful connections between economic literature on the second best and computer science literature on peer-to-peer security. To illustrate, we derive and test an economics-inspired modification to the Chord peer-to-peer routing protocol that improves network reliability during message-dropping attacks. Under simulation, networks using the modified protocol achieve a 50% increase in message deliveries for certain realistic attack scenarios.
Peer-to-peer networks are an increasingly popular vehicle for highly fault-tolerant, light-weight, and low-cost distributed computing across heterogeneous hardware. Cloud computing , digital music exchange , digital libraries , secure data management systems , and bioinformatics databases  are just a few of the venues where this technology is being used today. Unlike traditional networks, peer-to-peer networks lack any centralized server; every agent acts as both server and client. This provides a natural resistance to many attacks, since adversaries must compromise a large number of peers instead of just a few central servers to corrupt data integrity or disrupt its availability.
Unfortunately, decentralization can leave peer-to-peer networks vulnerable to a different sort of denial-of-service attack wherein malicious agents join the network and misroute or drop messages, thereby disrupting communication. Constraining this message-dropping behavior is difficult since victims typically learn only that their messages weren't delivered, not who was at fault. Even when malicious behavior is localized to a particular peer, there is no central authority who can evict the peer from the network, leaving it free to perpetuate the attack. A small number of malicious agents can amplify their message-dropping with a Sybil attack , in which each joins the network many times under various false identities to occupy a greater percentage of the overlay space. Since dropping messages is computationally inexpensive for the attacker, a relatively small number of attackers can significantly disrupt overlay traffic.
We gain insight into this problem by connecting it to economic theories of the second best  (cf., ). Second best economic solutions are required when one or more units contravene the first best solution, and there is no way to remove the misbehaving units from the system. The second best solution incorporates (takes as given) the misbehavior of the deviate units to obtain a second best optimum. In the case of peer-to-peer networks, we find that application of second best theory to the secure routing problem yields recommendations that advise non-malicious peers on how to route messages optimally given observed misbehavior of their neighbors. By taking the network topology as given, such recommendations can be implemented atop any given topology to achieve better performance during a message-dropping attack.
Adopting the piecemeal approach of Davis and Whinston  further allows each peer to optimize its own behavior with only local knowledge, and without requiring cooperation from other peers. Thus, the recommendations can be implemented fully automatically by individual peer clients without a central authority that has global knowledge, and without requiring other agents to adopt the new protocol.
We show how these theoretical insights can be used in practice by deriving a simple modification to the Chord peer-to-peer networking protocol  that improves overlay performance during message-dropping attacks. When faced with message-dropping agents, peers approximate a second best alternative to optimal overlay routes. Simulation of our modified protocol shows that message delivery rates improve by over 50% with a corresponding increase in overall system utility under realistic attack scenarios. The modified protocol is simple to implement since it does not require any change to the network topology and uses only information that is already available in a standard Chord network.
We begin by summarizing related work in §2. Section 3 reviews the economic theory of the second best and argues its relevance to peer-to-peer systems. The individual and social welfare perspectives are each elaborated in §4, yielding a general framework for expressing peer-to-peer message-dropping attacks as second best utility optimization problems. The framework is general enough to include many different definitions of utility, including those that incorporate both reliability and risk. Section 5 applies this framework to Chord, showing its effectiveness in resisting both non-coordinated and coordinated, distributed, message-dropping attacks. Finally, §6 concludes with a summary and suggestions for future work.
Over the past decade there has been an explosion of research devoted to peer-to-peer security (cf., ). Relevant issues include robust search , pollution prevention (i.e., inhibiting the spread of unwanted objects), secure data storage, and data confidentiality. Most work on these assumes a secure routing framework that facilitates reliable, robust communication between peers. For example, reputation-based trust managers such as EigenTrust , Credence , and Penny , aggregate local reputation information whose exchange requires a secure routing framework.
Secure routing is divisible into three sub-problems : secure identifier assignment, routing table maintenance, and message forwarding. Secure identifiers prevent attackers from misrepresenting or abusing their overlay positions to intercept more than their share of traffic. Secure routing tables maintain peers' connections to appropriate sets of neighbor peers. Finally, secure message forwarding delivers messages using the secure identifiers and routing tables. This last sub-problem is the focus of our work.
Secure message forwarding has been studied from an economic perspective in the context of selfish routing . Selfish routers enjoy the message-forwarding services provided by fellow peers, but fail to forward the messages of others. Unlike message-droppers, selfish routers desire services from the network. This has led to incentive-based solutions such as pricing networks , negotiating contracts for mutual message delivery , rewarding message delivery with increased reputation , and rewarding message delivery with increased quality of service . In contrast, message-droppers only desire to disrupt service, making incentivization inapplicable.
Economists have also studied peer-to-peer networks in the context of free-riding. Free-riding peers obtain shared resources from the network but fail to share their own resources. Krishnan et al.  observe that the shared resources resemble public goods --an insight that has generated a growing body of work devoted to incentivizing free-riding peers to share . However, unlike public goods, the connectivity that is threatened during a message-dropping attack is not equally available to all peers; it is influenced by the position of the attackers relative to each peer. This leads us to a different economic model for message-dropping.
Message forwarding in peer-to-peer networks can be divided into protocols for structured and unstructured networks. Structured networks route queries using a multi-hop protocol that passes the message from peer to peer. Examples include CAN , Pastry , Chord , and Tapestry . Unstructured peer-to-peer networks like Gnutella broadcast queries using a multicast protocol that floods the query to all peers within a given radius. The unstructured approach tends to be more robust against message-dropping because of its high redundancy, but it does not always scale well . Although our work is potentially applicable to unstructured topologies, we focus on structured ones since message-dropping tends to be a more significant threat in those contexts.
A large body of prior work improves the robustness of structured networks by augmenting their topologies with redundant routing paths (e.g., [29–31]). Route redundancy increases the probability that at least one message replica reaches its destination. Such topologies can be improved further via adaptive techniques that adjust the topology dynamically in response to observed failures (e.g., [32, 33]) or based on the interaction history of peers (e.g., [34, 35]). In contrast to these approaches, our work adapts routing flow rates without modifying the topology. Our work therefore complements the above by optimizing routing behavior once a (possibly dynamic) topology is chosen.
Adaptive techniques, including ours, require a means of detecting message-dropping behavior. Section 5 adopts a sampling approach in which non-malicious peers test for malicious behavior by periodically sending probe messages. Such sampling has been effectively used in unstructured networks to detect and identify message-droppers . Introduction graphs  and flow rate histories  can further help to identify and isolate malicious peers, but sampling has the advantage of being easy to implement atop networks that do not collect this extra information.
The theory of the second best has had a significant impact on economics throughout the past half-century, being applied to such subjects as health care, antitrust, and international trade . In the case of peer-to-peer overlays, the original design of the overlay topology can be thought of as a first best solution that optimizes message delivery when all peers are non-malicious. Adapting individual peer routing behavior to the presence of malicious peers can therefore be viewed as a second best solution to this optimization problem.
Economic theory generally begins with economic subunits such as consumers, households, or firms that attempt to optimize their own objective functions subject to various constraints. These economic subunits work within a larger administrative perspective that is defined by the set of rules governing the system and the degree of decentralization. This leads to a larger fundamental problem first formulated by Nobel laureate Paul Samuelson , who observed that every society acts as if it is attempting to maximize a (known or unknown) social welfare function subject to constraints.a The welfare function is so named because it incorporates the goals of all economic subunits. For any viable system, the optimal conditions derived from the fundamental problem must also be consistent with the optimal behavior of the economic subunits.
The objective function is F, the binding constraint is G, and the choice variables are x i with i ∈ 1..n. In a decentralized, consumer-oriented economy these choice variables are selected by independent economic subunits (e.g., consumers). The objective function is related to the maximization of the consumers' objective functions (utility functions) subject to constraints reflecting consumer income limitations. In a peer-to-peer network the choice variables are selected by individual peers and the constraints are those imposed by the routing protocol and the overlay topology.
where F i and G i are partial first derivatives and λ is a Lagrange multiplierb associated with the constraint in Equation 1. To obtain the first best solution, individual subunits solve their respective constrained optimization problems, and these must be consistent with the necessary conditions given by Equation 2.
Samuelson was the first to recognize that when some economic subunits fail to adhere to Equation 2, the ramifications extend beyond that deviate sector:
"First, what is the best procedure if for some reason a number of optimum conditions are not realized? What shall we do about the remaining ones which are in our power? Shall we argue that 'two wrongs do not make a right' and attempt to satisfy those we can? Or is it possible that failure of a number of conditions necessitates modifying the rest? Clearly the latter alternative is the correct one." [, p. 252]
In other words, if the first best solution is unobtainable because one sector behaves suboptimally, then the second best solution does not necessarily imply that the remaining sectors should continue to satisfy their first best optimization conditions; many subunits may need to change their optimal behaviors.
where F ji and G ji are the partial cross-derivatives between subunits i and j and μ is the new Lagrange variable associated with constraint 3. Thus, unless the cross-derivatives are zero, each sector i ∈ 1..n has optimal behavior that deviates from Equation 2.
The coefficients α i are the final weights given by the implicit social welfare to the utility of the economic subunits.d
These weights have a specific economic interpretation: Each consumer or household's weight is the reciprocal of its marginal utility of income. Thus, if a wealthy family places relatively low value on the last dollar earned, it receives a relatively high weight in the objective function of the society. In essence, the system tends to weight the more successful households (in terms of income).
We find a similar result in the case of peer-to-peer systems. During a message-dropping attack, non-malicious peers can be defined as those that derive utility from message deliveries. This leads to a social welfare (administrative objective) function that weights peers by the reciprocal of their relative reliability--i.e., their message delivery success rates. When all weights are equal (a standard assumption when applying utility theory to information systems problems ), this corresponds to the special case where all peers in the network are equally reliable.
Davis and Whinston  used Negishi's result to provide a piecemeal approach to the second best problem. They concluded that the difficulties of implementing a complex set of second best conditions is often overestimated since, based on Equation 5, many of the second derivatives are zero in a decentralized system and can therefore be dropped. In the context of a peer-to-peer network, this implies that it is possible to approach the second best solution without the need to share global information amongst peers. Instead, each peer adapts its own behavior individually, based on its own knowledge.
Based on the economic development above, there are two separate aspects of the problem: the mathematical method proposed by Lipsey and Lancaster, and the welfare and utility considerations discussed by Samuelson and Negishi. Section 3.2 examines the former aspect and §4.2 the latter.
Application of the second best approach to resisting message-dropping attacks in peer-to-peer overlays can be illustrated by a simple example. We begin by considering a single peer p of degree k in a network of size n (with k ≪ n). Peer p periodically receives messages for other peers, each of which it must forward to one of its k neighbors. We assume a flat identifier space for this example, and that peer p may forward each message to any one of its k neighbors (though for any given message, certain neighbors are better positioned than others to deliver it).
That is, a uniformly distributed set of random messages is delivered most effectively when the k neighbors of p have identifiers that are evenly spaced along the interval [0, n).
The above implicitly assumes that peers behave optimally, forwarding each message to the neighbor closest to its destination. A second best solution is needed when some peers behave suboptimally and there is no way (short of centralizing the system) to force optimal behavior. One option in this case is to implement a new first best solution, but this requires global information about the overlay topology, which isn't typically available to peers once the network has been deployed and malicious behavior becomes evident. The second best solution takes the topology as given and re-solves the optimization problem to obtain a new recommended optimal behavior for peer p given the suboptimal behavior of its neighbor(s).
Even though peer p cannot change the identifiers of its neighbors, it should forward its messages as if neighbor m - 1 had identifier and neighbor m + 1 had identifier . As peer m's reliability decreases, β increases and and approach N m . Peer p therefore forwards fewer messages to neighbor m since fewer destinations are closer to N m than to or . In the limiting case where (i.e., neighbor m is completely unreliable), peer p only forwards to m those messages whose final destinations are m itself.
We next generalize this approach to a larger class of topologies and message-dropping attacks, and we examine the second best approach from both the perspective of individual peers and that of the system as a whole.
Economic formulations of the second best typically have two aspects: an individual perspective in which individuals in the society seek to maximize their own utility subject to individual constraints, and an administrative perspective in which the society as a whole acts as if it is seeking to maximize an objective function subject to administrative constraints. In this section we develop the each of these aspects as they relate to message-dropping attacks in peer-to-peer overlays. The analysis of the individual perspective yields a piecemeal approach  to resisting message-dropping attacks, wherein each peer individually adjusts its optimal behavior to account for the suboptimal behavior of its immediate neighbors. The analysis of the administrative perspective yields a measure of the network's success in resisting message-dropping attacks, providing a means to evaluate defense effectiveness. We initially consider only peer reliability; risk is added in §4.3.
The first derivative of utility is the marginal utility and the second assumption above is the law of diminishing marginal utility.
where w ij ∈ [0,1] is the relative share of its messages that peer i forwards to neighbor j, and R ij (w ij ) is the reliability that peer i estimates for neighbor j. R ij is a function of w ij because the observed reliability of neighbor j typically varies with the share of messages it receives from i. As j receives a larger share, a greater portion of their destinations are farther from j, making those messages harder for j to deliver. Thus, ∂R ij /∂w ij ≤ 0.
where ϕ i and λ i are the Lagrange multipliers.
Hence, we advise peer i to use neighbor m less than it uses neighbor j by a factor of .
In this section we derive a measure of the social welfare (i.e., overall system utility) of a peer-to-peer system using the results from the previous sections. This provides a general measure of the performance of the system during a message-dropping attack in terms of peer utilities. In particular, networks that attain higher social welfare can be characterized as more robust against message-dropping attacks. Section 4.3 illustrates the generality of this metric by showing how it can incorporate risk as well as reliability, and §5 uses this measure to evaluate the performance of our method when implemented in an actual peer-to-peer network.
Thus, the system behaves as if an administrator determines the relative reliabilities of all members, knowing that the selection must ultimately account for the various utility functions of the members as well as their respective optimization behaviors.
A peer-to-peer network's success in resisting a message-dropping attack can therefore be measured by computing the objective function in Equation 15. Combining the optimality result of the individual behavior described by Equation 13 with the administrative optimal behavior described by Equation 15, we find (see the appendix) that consistency between the individual behavior and the administrator's optimal solution requires that , where δ is the Lagrange multiplier associated with the constraint in Equation 15 and . This implies that weight α i is directly related (up to common factor δ) to peer i's relative reliability and inversely related to its marginal utility. Using U i = log yields ϕ i = 1 for all i ∈ 1..n. Since constant factor δ has no effect on optimization problem 15, this simplifies to .
where is the fraction of the messages forwarded by peer i that were ultimately delivered to their destinations. This can be interpreted as a familiar result from information theory. It is the negation of the Shannon entropy of the peer-to-peer system, and the administrative problem therefore reduces to the problem of minimizing the entropy subject to the constraints. When there are no additional constraints, the optimal solution is obviously one in which all peers are equally reliable--i.e., . In the case where there are additional constraints (e.g., some peers are malicious and therefore have constrained reliabilities), the optimal solution is non-trivial, as we see in §5.
In coordinated, distributed, message-dropping attacks, malicious peers vary their behavior over time, dropping some but not all messages they receive in an effort to evade detection. Malicious peers may even coordinate their behavior changes so as to keep each individual peer's reliability relatively high while keeping overall availability of network services low. Peer reliability alone is not an adequate measure of malicious behavior during such an attack; one must also consider variance or risk.
where is the relative reliability of peer i as defined in §4.2 and Cov[X, Y] denotes the covariance of random variables X and Y.
The first best solution is obviously one in which all peers are invariably equally reliable. Since zero variation implies , this reduces to the same optimization problem as derived in §4.2; we therefore conclude that as before. When the variance is non-zero for some peers, we seek a second best solution. In that case the form of the social welfare function stays the same but is evaluated at the second best solution. Thus, in that case as well, and we conclude that social welfare can be measured by weighting each peer's expected utility by its relative reliability. The optimal conditions for Equations 19-20 are derived in the appendix.
Since the shares w ij are all relative, we choose some arbitrary benchmark neighbor b ∈ 1..k in terms of which peer i computes the other optimal shares.
Peers that use Equation 25 to guide their relative usage of their neighbors tend to maximize expected reliability and minimize risk as they forward messages. This can have some interesting ramifications for peer behavior. For example, depending on their risk aversion a i , they may sometimes forward messages through less reliable peers to avoid a more reliable but much riskier one. Risk-averse peers also tend to diversify their message-forwarding behavior similar to an investor's diversification of a portfolio. This can result in a better outcome when resending a dropped message since there is a higher chance that the message will not take the same route to its destination even when the overlay topology remains static.
To put our approach into practice, we implemented it within a Chord network . We begin with a review of Chord's overlay structure and routing protocol in §5.1. Section 5.2 then formulates the Chord protocol as a utility optimization problem using the second best. Finally, §5.3 describes our experimental methodology and results.
Chord  is a structured peer-to-peer protocol with a ring-shaped overlay. Each peer's ring position is defined by an integer identifier. Identifiers are derived via secure hash functions so that attackers cannot easily choose their positions. Each peer is directly connected to k = ⌊log2 n⌋ neighbors, where n is the size of the identifier space. For example, in a Chord network that can accommodate 2160 peers, each peer has 160 neighbors.
The neighbor set of peer i is densest near i and thins farther away. Specifically, the jth neighbor of peer i is the peer whose identifier is closest to (but no less than) (id i + 2 j-1) mod n (∀j ∈ 1..k). Thus, peer i's first neighbor is its successor in the ring, each subsequent neighbor is approximately twice as far from i as its previous neighbor, and peer i's last neighbor is approximately halfway around the ring. To send a message to peer h, peer i forwards it to the neighbor whose identifier is closest to but no greater than h's identifier (modulo n). When all peers adhere to this protocol, messages are delivered to their final destinations in at most O(log2 n) hops because each hop at least halves the distance from the message's current position to its destination. Without malicious peers, the topology is naturally load-balancing in that a uniform distribution of message sources and destinations tends to solicit equal relative use of each peer's k neighbors.
During a message-dropping attack, however, malicious peers drop the messages they receive instead of forwarding them. Since Chord is deterministic, a single malicious peer on the route from i to h can thereby prevent i from sending any messages to h until the topology changes (e.g., due to churn). With multiple attackers, the identifier assignment process tends to distribute attackers approximately uniformly across the identifier space. As a result, attackers can intercept a significant portion of the overlay traffic. For example, even when malicious peers comprise only 10% of the network they can intercept about 40% of the messages on average .
Peers can forward messages via different neighbors than the ones prescribed by the Chord protocol at the expense of longer message delivery paths. This flexibility allows peers to potentially improve message delivery rates in the presence of malicious peers via a second best routing strategy. Specifically, a peer can potentially forward each message to any neighbor between itself and the message's intended destination, not just the closest one to the destination.
However, this flexibility must be exercised in moderation to avoid unacceptably long routing paths, since forwarding messages in very small hops greatly increases the worst-case path length bound given in §5.1. For example, if each peer forwards messages to its nearest neighbor, the worst-case path length is O(n), which is clearly unreasonable when n ≈ 2160. More generally, when peers forward messages to their rth-closest neighbors, the worst-case path length increases by a factor of (r - log2(2 r - 1)) -1. Hence, forwarding to the 2nd-closest neighbor multiplies the worst-case path length by a factor of about 2.4, and forwarding to the 3rd-closest multiplies it by a factor of over 5.
To keep the worst-case path length reasonable, we therefore modify the Chord protocol to allow (non-malicious) peers to forward each message only to the closest neighbor or 2nd-closest neighbor to the message's intended final destination. In our experiments we found that allowing peers to forward to other neighbors is seldom useful, since during a message-dropping attack greatly increased path lengths almost always include at least one malicious peer.
respectively, for all i ∈ 1..n.
where A is defined by Equations 28-29 and ψ controls the rate of convergence. (In our implementation we used ψ = 1.) Equation 31 reflects the inflexibility of traffic forwarded to a peer's first neighbor (since no neighbors fall between a peer and its first neighbor).
In summary, non-malicious peers in our modified system continuously adjust their relative usage of neighbors in small increments, based on the most current information available concerning neighbor reliability and riskiness. These adjustments are made so as to maximize reliability and minimize risk. That is, each peer optimizes its own expected utility subject to the constraints imposed by the routing protocol.
To test our solution, we simulated a Chord network in which non-malicious peers maximize expected utility by adapting their relative use of their neighbors according to Equation 30. Malicious peers drop some or all messages they are asked to forward. To assess the network's success in resisting the attack, we computed the social welfare (Equation 16) that it attained over each simulation. We also measured the total percentage of messages that were successfully delivered. Each simulation involved sending a total of one million randomly generated messages through the overlay, and simulation results were averaged over 50 trials each.
We assume that senders learn whether their messages were ultimately delivered, but not who dropped undelivered messages. This is consistent with networks in which delivered messages solicit unforgeable, direct responses from recipients. For example, object lookups in Chord solicit a direct response that does not use the overlay, and that can be authenticated via cryptographic message signing. This information allows each peer i to estimate a running mean E[P ij ] and running variancef Var[P ij ] for each neighbor j ∈ 1..k. Each peer also tracks its own relative usage s ij of each neighbor.
Non-malicious peers begin the simulation with w ij = 1 and s ij = 1 for all i ∈ 1..n and j ∈ 1..k. That is, each peer initially behaves as in a traditional Chord network, forwarding each message to the closest neighbor and using all neighbors approximately equally. At regular intervals, non-malicious peers modify w ij according to Equation 30. (If w ij rises above 1 or descends below 0, it is truncated down to 1 or up to 0, respectively.) In our simulation, peers recomputed w ij after every 1000 messages they sent. We used a convergence rate of ψ = 1, a distance penalty of d = 0.8, and a risk aversion of a i = 1 to strike a roughly even balance between reliability maximization and risk minimization.
The curve for the optimal Chord network was computed by exhaustively deciding for each possible source-destination pair whether there exists a route through the overlay that does not include any malicious peers (subject to the constraint that non-malicious peers must not route messages farther away than their 2nd-closest neighbor to the message's intended destination). We simulated networks with up to 10K peers, but the number of peers did not influence any of our results (except that computing the optimal curve for very large networks was not feasible). The curves shown in Figure 1 are for a network with 256 peers.
We next considered a more sophisticated message-dropping attack in which the attackers vary their behavior over time in an effort to avoid detection. Malicious peers coordinate these behavior changes to keep each malicious peer's observed reliability relatively high while keeping overall network connectivity low. In our simulation, attackers chose their reliabilities from a normal distribution of mean 0.3 and variance 0.12. A coordinated, distributed, denial-of-service attack of this kind can be quite effective against defense mechanisms that rely on average reliability as the sole indicator of maliciousness. Our protocol's inclusion of risk as a secondary indicator was therefore important for resisting this attack.
During testing, our utility optimization strategy demonstrated little sensitivity to parameter changes and implementation details. For example, different convergence rates ψ, different distance penalties d, different approximation methods for Equations 28-29, and different refresh rates for recomputing shares w ij resulted in little or no change to the results reported here (except when parameters were set to extreme values). This seems to indicate that our method is does not require much manual tuning to perform well.
The theory of the second best has played a significant role over the past several decades in solving numerous important problems in economics. In this article we have shown that it also applies to the problem of resisting message-dropping attacks in peer-to-peer overlay networks. If one views the design of the underlying overlay topology as an optimization problem, the second best solution yields recommendations on how to make optimal use of that existing topology in the presence of malicious peers who drop messages.
This has implications both for individual peers and for the peer-to-peer system as a whole. For individual peers, the second best solution provides peer-specific recommendations on how to forward messages so as to maximize each peer's individual reliability and minimize its risk. For the system as a whole, it maximizes the overall objective of the system given the misbehavior of the attackers. We found that in this context the overall objective can be expressed as a weighted sum of the utility functions of the individual peers, where the weights are the relative reliabilities of the peers. When individual utility functions are standard Bernoulli logarithmic functions, this equates to minimizing the Shannon entropy of the peer-to-peer system.
As a practical application of our work, we solved the above optimization problem for the Chord peer-to-peer network protocol  and implemented it in a simulator. Non-malicious peers in our modified network forward messages according to the recommendations prescribed by the second best solution. Rather than compute the second best solution directly, each peer approximates it iteratively using an efficient quasi-Newtonian algorithm. We simulated simple message-dropping attacks in which attackers drop all messages, as well as coordinated, distributed message-dropping attacks in which attackers vary their behavior to avoid detection. The modified protocol achieves a 50% increase in message deliveries and a 60% increase in social welfare when malicious peers comprise about 20% of the network. Behavior variations are not effective as a means of disguising the attack; they only result in higher message delivery rates and higher social welfare in networks equipped with our adaptive protocol.
In future work we intend to apply our approach to other distributed computing paradigms, such as clouds. Tapestry  networks are more densely connected than Chord networks, incorporating extra routing links for improved fault tolerance. These extra links could provide more opportunities for second best optimization. CAN  poses interesting mathematical challenges for our method since it uses a multidimensional identifier space.
In addition, much prior work on adaptive overlay routing has focused on adapting the overlay topology in response to observed peer behavior and performance. Since our second best optimization approach takes the topology as given, it could be implemented atop one of these adaptive topologies. Future work should investigate the interaction between these two approaches.
Finally, we plan to investigate second best optimization approaches to protecting these networks from other forms of attacks, such as message misrouting, message integrity and confidentiality violations, and reputation mismanagement. These are all significant current-day threats to large, distributed data management systems, and would likely benefit from second best optimization.
for all i ∈ 1..n, where ϕ i is the Lagrange multiplier associated with the constraint.
The assumption in §4.1 that peer m is a factor ε less reliable than peer j implies that d im = εd ij . This yields the result given by Equation 14.
Section 4.2 describes how this result leads directly to the conclusion that .
In the above, ϕ i is the Lagrange multiplier associated with the constraint requiring that each peer i's relative usage of its neighbors sums to 1. In most situations the constraint would be binding and ϕ i > 0. This complicates the solution for any single w ij . We can, however, examine the ratio E[U i ]z ij = ϕ i to E[U i ]z ib = ϕ i for any two shares w ij , w ib > 0. The benchmark neighbor b is arbitrarily chosen by peer i as the standard by which its other neighbors are assessed. From the conditions above we see that z ij = z ib , leading to the system of linear equations given in Equation 23.
This work includes material supported by the National Science Foundation under award NSF-0959096. Any opinions or findings expressed are those of the authors and not of the NSF.