Mechanism Design and Computer Security - PowerPoint PPT Presentation

About This Presentation
Title:

Mechanism Design and Computer Security

Description:

Blind obedience, rational self-interest, malicious disruption ... Prevent tragedy of the commons. Include security measures. Economics = adaptive behavior ... – PowerPoint PPT presentation

Number of Views:39
Avg rating:3.0/5.0
Slides: 46
Provided by: johncmi4
Category:

less

Transcript and Presenter's Notes

Title: Mechanism Design and Computer Security


1
Mechanism Design and Computer Security
  • John Mitchell Vanessa Teague
  • Stanford University

2
The Internet
Three kinds of behavior Blind
obedience, rational self-interest, malicious
disruption
3
Outline for this workshop talk
  • Some network problems
  • Congestion control, Interdomain routing
  • Algorithmic mechanism design
  • Pricing function provides incentives
  • Distributed mechanisms and security
  • Distributed impl by rational agents
  • Prevent malicious acts by rational agents
  • Open problem irrational malicious agents

Warning bait and switch
4
TCP/IP Transmission
Source
Destination
  • TCP guarantees packet delivery
  • Source packets have sequence number
  • Destination acknowledges
  • If packet lost, source resends

5
TCP Congestion Control
Source
Destination
  • If packets are lost, assume congestion
  • Reduce transmission rate by half, repeat
  • If loss stops, increase rate very slowly
  • Design assumes routers blindly obey this policy

6
Competition
Source A
Destination
Source B
Destination
  • Amiable Alice yields to boisterous Bob
  • Alice and Bob both experience packet loss
  • Alice backs off
  • Bob disobeys protocol, gets better results

7
Whats the point?
  • TCP/IP assumes honesty
  • If everyone follows protocol, transmission rates
    adapt to load
  • Incentive for dishonesty
  • Dishonest TCP works better, as long as others
    follow standard TCP backoff
  • Security risks
  • Vulnerable to denial of service, IP-spoofing, etc.

8
Goal More robust networking
  • Introduce economic incentives
  • Routers administered autonomously
  • Reward good behavior
  • Prevent tragedy of the commons
  • Include security measures
  • Economics gt adaptive behavior
  • Better load balancing to increase welfare
  • Accounting gt increased instrumentation
  • Detect, quarantine malicious behavior

9
Interdomain Routing
earthlink.net
Stanford.edu
Exterior Gateway Protocol
Autonomous System
Interior Gateway Protocol
connected group of one or more Internet Protocol
prefixes under a single routing policy (aka
domain)
10
Transit and Peering
Peering
Peering
Transit
  • Transit ISP sells access
  • Peering reciprocal connectivity
  • BGP protocol routing announcements for both

11
BGP overview
  • Iterative path announcement
  • Path announcements grow from destination to
    source
  • Subject to policy (transit, peering)
  • Packets flow in reverse direction
  • Protocol specification
  • Announcements can be shortest path
  • Nodes allowed to use other policies
  • E.g., cold-potato routing by smaller peer
  • Not obligated to use path you announce

12
BGP example D. Wetherall
3
4
1
8
2
5
6
7
  • Transit 2 provides transit for 7
  • 7 reaches and is reached via 2
  • Peering 4 and 5 peer
  • exchange customer traffic

13
Issues
  • BGP convergence problems
  • Protocol allows policy flexibility
  • Some legal policies prevent convergence
  • Even shortest-path policy converges slowly
  • Incentive for dishonesty
  • ISP pays for some routes, others free
  • Security problems
  • Potential for disruptive attacks

14
Evidence Asymmetric Routes
Alice
Bob
  • Alice, Bob use cheapest routes to each other
  • These are not always shortest paths
  • Asymmetic routes are prevalent
  • AS asymmetry in 30 of measured routes
  • Finer-grained asymmetry far more prevalent

15
Mechanism Design
  • Charge for goods
  • Assume agents have rational self-interest
  • Provide incentives via pricing function
  • Traditional use
  • Maximize social welfare
  • Make honesty the best policy (revelation
    principle)
  • Network applications
  • Maximize throughput, resilience to attack
  • Fake money as good as real money

16
Grand Plan
Goal
17
Multicast cost sharing
Node
link
Node
  • Distribute some good
  • Each node has some utility for the good
  • Each link has some cost
  • Which nodes get the transmission?

link
link
Node
Node
18
Multicast solutions
  • Centralized scheme FPS
  • Pricing algorithm that elicits true utility
  • Controlled distributed scheme FPS
  • Works for tamper-resistant nodes
  • Problems if nodes are dishonest
  • Autonomous distributed scheme
  • Use signatures to verify data
  • Verifying node must not share incentive to cheat

19
Traditional Goals
  • Efficient
  • Maximize overall welfare
  • Welfare total utility of agents that get good
  • ? total network costs for links
    used
  • Strategyproof
  • Agent cannot gain by lying about its utility
  • May not maximize profit for sender

20
FPS Network Assumptions
  • Nodes and agents
  • Each node has trusted router
  • Router connected to untrusted agents
  • Transmission costs
  • Link cost known to the two nodes at each end

Simplification will assume one agent per node
21
Centralized Scheme
  • Data collection
  • Agent reports utility to central authority
  • Computation
  • Compute welfare of each subtree
  • Routing decision
  • Transmit good to subtree if welfare ? 0

22
Welfare of Subtree
  • Welfare of a subtree T i with cost ci
  • W i u i ci if node i
    is leaf
  • W i ui ci ? max(Wk, 0) otherwise
  • Welfare is aggregate benefit minus cost

k child of i
23
Example Maximum welfare
cost 2
utility 3
cost 3
cost 4
utility 2
utility 1
cost 1
utility 7
If welfare is secret, how do we determine outcome?
24
How much should a node pay?
  • Announced utility?
  • Agent may gain by lying

Leaf will announce utility 2 since this is enough
to get the good
cost 2
utility 5
  • Similar incentive for internal nodes

25
FPS Pricing Mechanism
  • If agent does not receive the good
  • Agent pays nothing
  • If agent receives the good
  • Agent pays
  • the minimum bid needed to get the transmission,
    given the other players bids
  • This is a VCG mechanism

26
Example price calculations
cost 2
utility 3
Welfare 1-3 6 4
cost 3
cost 4
Agent pays 0
utility 2
utility 1
Welfare 7-1 6
cost 1
Agent pays 3
utility 7
27
Strategyproof and Efficient
  • Efficient (max welfare) by construction
  • Add omitted subtree -gt decrease welfare
  • Remove routed subtree -gt decrease welfare
  • This argument assumes agents tell truth
  • Agent can bid true utility
  • Payment is independent of bid, given outcome
  • Bid more than utility ?
  • doesnt help, or pay too much
  • Bid less than utility ?
  • doesnt help, or dont get the transmission

28
Tell truth if you buy the good
Dont get transmission
min bid to get transmission
Get transmission
utility bid
true u
Dont get good you want
29
Tell truth if you dont buy good
Pay more than u
Dont get transmission
min bid to get transmission
Get transmission
utility bid
true u
30
Profit for content distributor?
  • Whats the worst-case return?
  • Marginal-cost pricing does not guarantee profit
  • May lose money, fail to capture utility

cost 100
utility 0
cost 0
cost 0
utility 100
Agent pays 0
utility 100
31
Distributed implementation
cost 2
utility 3
cost 3
cost 4
utility 1
utility 2
cost 1
1) Send welfare up tree
2) Send min welfare Wmin down tree
utility 7
3) Compute payment utility -Wmin
32
Autonomous distributed model
  • Agents control nodes
  • They can use different utilities for different
    messages
  • An agent with children can lie about the
    childrens utilities
  • There is nothing to force an agent to pay the
    correct amount

33
Node can cheat its children
The truth
The cheat
source
source
cost 3
cost 3
utility 2

utility 2

cost 5
cost 5
utility 7
utility 7

Parent pays 0 Child pays 7
Parent pays 1 Child pays 6
Child cant see that parent doesnt pay
34
More ways to cheat
  • Second example
  • Node can cheat but all messages look consistent
  • Conclusion
  • Need to use payment and messages to detect
    cheating

35
Second Example
Truthful computation
source
cost 2
utility 2
1
cost 1
cost 1
utility 1
3
utility 1
2
36
Example 2
Agent 1 behaves as if utility4 until time to
pay, then utility2 Each child thinks other has
utility 3
What agent 3 thinks
Deception
source
source
cost 2
cost 2
utility 4?
utilty 2
1
1
cost 1
cost 1
cost 1
cost 1
3
3
2
2
utility 1
utility 1
utility 3
utility 1
37
Prevent cheating
  • Assume public-key infrastructure
  • Each node has verifiable signature
  • Augment messages
  • Sign data from FPS algorithm
  • Parent returns signed W to child
  • Nodes send payment proof
  • Proof is signed data showing payment is
    calculated correctly
  • Two improvements yet to come

38
Node J sends payment and proof
New data used in js proof
p
Sign(p, Wmin), Sign(p, W j )
Sign(j, W j)
j
Sign(d2, W d2 )
Sign (d1, W d1 )
Sign(j, Wmin)
Sign(j, Wmin)
utility Wd2
d2
utility Wd1
d1
Agent j pays Pj Uj min(Wmin, Wj)
where Uj cj Wj (Wd1 Wd2)
Calculation of Pj is verifiable from messages
signed by p, d1, d2.
39
Node J sends payment and proof
  • Lemma
  • If parent p and children d1, , dk are honest,
    then node j cannot improve own welfare by not
    sending correct values
  • Proof idea
  • If node does not send correct proof, we punish j
    ? node sends correct W j
  • Node j cannot gain by sending incorrect data down
    tree, since these do not change P j

40
Shortcomings
  • Proof checked by central authority
  • Node can be mischievous
  • Node cannot increase own welfare by sending bad
    values down tree
  • But node can make life worse for others
  • Wmin too low gt nodes below pay too much
  • Wmin too high gt pay too little, distributor loses

41
Randomized checking
  • Nodes pay and save proof
  • Randomly select node to audit
  • If node has correct proof, OK
  • If node cannot show proof, punish
  • Fine node, or prohibit from further transmission
    (route around bad node)
  • Make punishment high enough so expected benefit
    of cheating is negative
  • Reduce traffic, same outcome
  • Bombay bus fine

42
Prevent Mischief
p
j
Sign(j, Wmin)
Sign(d1, Wmin)
d2
d1
  • Receive signed confirmation from child
  • Confirmation is required as part of proof

43
Status of Multicast Cost Sharing
  • Pricing function provides incentive
  • Distributed algorithm computes price
  • Techniques to encourage compliance
  • Nodes save signed confirmation of msgs
  • Randomized auditing incents compliance
  • Alternative neighbors rewarded for turning in
    cheaters
  • Route around nodes that cause trouble

44
Grand Plan
Goal
45
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com