Detection and Removal of Malicious Peers in Gossip-Based Protocols∗

In addition to the popular structured peer-to-peer (P2P) overlays [2], a class of P2P protocols rely purely on gossip-based communication in an unstructured communication topology [6]. Examples of problems that can be solved through these protocols include membership management, information dissemination (as in lpbcast [5] and newscast [7]), and computation of aggregate functions (such as average and maximum) over distributed collections of numeric values [8, 10]. Since they do not rely on specific topologies such as trees, rings, butterflies, etc., gossip-based protocols over unstructured topologies are potentially more robust to massive benign failures. They are also extremely responsive and can adapt rapidly to changes in the underlying communication structure. And finally, they can be used as robust components to build other protocols. For example, [12] describes a technique for repairing or jump-starting a structured overlay using newscast. Properties that make unstructured gossip-based protocols attractive (in particular responsiveness and adaptivity) when all peers cooperate correctly become a detriment when even a small number of peers may be malicious and compromise the integrity of the system. In our opinion, a broader and more significant exploitation of the gossip paradigm will be possible only if we can develop a better understanding of the issues related to security in such protocols. This short paper is aimed at raising the problem and suggesting some initial ideas towards solutions. We first give a brief overview of the gossip paradigm. Then, we introduce a general framework for solving the security problem in such systems. Finally, we illustrate some preliminary results for the case of an aggregation protocol.