Managing Resource and Servent Reputation in P2P Networks




Makoto Iguchi
NTT Information Sharing Platform Laboratories
iguchi@isl.ntt.co.jp

Masayuki Terada
NTT DoCoMo Multimedia Laboratories
te@mml.yrp.nttdocomo.co.jp

Ko Fujimura
NTT Information Sharing Platform Laboratories
fujimura@isl.ntt.co.jp

Abstract

The openness and anonymity of P2P file-sharing networks have been widely accepted over the last few years. Enormous file-sharing communities in which numerous anonymous users share a variety of resources have been established with the aid of the P2P networks. Users can join the communities with ease without disclosing their identities. However, the openness and anonymity raises the problem of trust, because openness and anonymity also assist malicious users in exploiting the networks and, at the same time, complicate their detection and location. We propose a remedy for this trust problem by introducing a new reputation management model. The unique features of applying reputations to both resources and servents, and dividing the servent reputations into contribution score and evaluation score allow the model to represent the servents' past behavior more accurately. We demonstrate the robustness of our reputation model by subjecting it to several known attacks.

1. Introduction

Over the last years, we have witnessed an explosion in the popularity of Peer-to-Peer (P2P) file sharing. Unlike the traditional client-server model, in which the roles of nodes are fixed, clients request resources and servers provide them, the P2P model lets every node (servents) play the roles of both server and client. The model connects servents in a decentralized and autonomous fashion, allowing servents to join and withdraw from the P2P networks freely without disclosing their true identity. The flexibility and scalability of the model enable users to participate in large-scale file sharing communities with ease. Examples of such P2P file sharing networks include Napster, Gnutella, and Freenet.

The open and anonymous nature of P2P networks raises the problem of servent trust.
Malicious servents may exploit the networks to distribute Trojan horses and viruses [9]. They can also implement spamming by answering positive to all queries and then offering fake resources.

The trust issue is hard to solve. Because of openness, malicious servents can inject their resources and fly away instantly, and because of anonymity, malicious servents can exploit the network while exposing only their pseudonyms. Both aspects make the detection and tracing of malicious servents difficult in P2P networks.

An effective solution to this trust problem is to utilize reputation [10]. Reputation, a summary of a servent's past behavior, is a powerful tool for predicting the servent's future actions. A history of a resource receiving positive evaluations from multiple servents is a powerful reason for trusting that resource.

This paper presents a new model for managing reputation. The model assigns reputation scores to both resources and servents, and these reputation scores interact mutually and autonomously in the model in such a way as to make the reputation model robust against attacks. Furthermore, the model scores servent reputation in two categories, servent contribution score and servent evaluation score, to represent the servents' past behavior more accurately.

Section 2 reviews previous works on reputation management in P2P networks. Section 3 overviews our reputation management model in detail. Section 4 proves the robustness of our model by showing that our model can resist several attacks known to have been directed against P2P reputation management systems. Section 5 discusses a method for implementing our reputation management model in completely decentralized P2P networks.

0-7695-2056-1/04 $17.00 (C) 2004 IEEE

2. Related Works

A well-known example of a reputation management system is eBay's system [7]. After a transaction, the participants (buyer and seller) evaluate each other and vote their ratings. The ratings are aggregated to form the reputation score for each participant. The score acts as a reference when a participant wants to interact with another participant for the first time.

Some of the previous works on reputation systems on P2P networks use a similar approach [1] [6]. Their models basically adopt eBay's idea for use in a distributed environment. After the transaction, each servent rates the partner (servent) according to her experience during the transaction. For example, she may rate the partner negatively if she finds the downloaded file unacceptable (e.g. if the file was actually a virus). These ratings are kept locally in a distributed manner, and later are aggregated to formulate the overall reputations of servents.

While the models successfully manage the servent reputations so as to provide references for users in judging servent trustworthiness, they introduce the cold start problem for newcomers. New servents without past transaction records have to interact with other servents to create their reputations, yet their low reputations as newcomers hinder them from participating in P2P file sharing activities. It is desirable to give newcomers a chance to build their reputation. For instance, it is better if newcomer servents could build their reputations by downloading reputable resources from existing servents, by evaluating the resource properly, and by sharing these reputable resources with P2P network members. In this case, the servents are actually contributing to the P2P file-sharing network in two ways; by evaluating the quality of the resources properly and by sharing reputable resources.

Another method, introduced by Damiani et al., combines the reputations of servents and resources [4]. By introducing resource reputations, the model successfully takes advantage of both servent reputations and resource reputations.
The introduction of resource reputations makes it possible for newcomer servents to immediately participate in file sharing activities by distributing well-known resources. The link between the resource reputations and the servent reputations, however, is weak in their model. It is desirable to weight the votes made by servents on resources in such a way that the evaluations made by reputable servents have a greater impact on the resource reputation than those made by disreputable servents. While the concept of servent credibility [3] is introduced in their model to achieve a similar purpose, their credibility score is merely a reference for judging whether to trust the votes submitted by the corresponding servents. We believe that servent credibility should have more direct impact on the resource reputation; the amount the resource reputation increases should be weighted by the credibility of the voting servent.

3. Reputation Management Model

3.1. Basic Assumptions

Our reputation management model links the reputations of resources and servents as follows. Resource reputation score R represents the trustworthiness of resource r. The resource reputation score is a measure that summarizes the past record of the evaluations (votes) submitted for the resource. A high R value indicates that resource r has received positive votes from servents.

We use two scores to determine servent reputation, namely servent contribution score, SC, and servent evaluation score, SE, for servent s. SC is a measure that summarizes the past behavior of s relative to its resource contribution. A high SC value indicates that the resources provided by s are regarded as trustworthy by other servents. SE is a measure that summarizes the past behavior of s relative to its resource evaluations. A high SE value indicates that the evaluations provided by s are regarded as reliable by other servents.
Our model treats the contribution score and the evaluation score separately, because the probability of a servent contributing trustable resources and the probability of a servent issuing reliable resource evaluations are totally different.

We formulate these reputations using the following assumptions:

1. A resource is trustable if a servent who has offered trustable resources is providing it.
2. A resource is trustable if servents who have been evaluating resources reliably support it.
3. A servent's contribution is trustable if the resources provided by the servent have received positive votes.
4. A servent's evaluation is reliable if resources on which the servent has voted positively (negatively) have received positive (negative) votes from other servents.

Assumption (1) allows a resource reputation score to be assigned to a newly introduced resource. There is no history about the new resource, so it is reasonable to determine its initial resource reputation score from the servent contribution score of the servent providing the resource. We derive the following:

Resource reputation score R of newly introduced resource r, introduced by servent s, is derived from the servent contribution score SC of s.

Assumption (2) allows a resource reputation score to be updated upon receiving a vote on the resource. The updating procedures are as follows. First, it is reasonable to regard a resource receiving positive votes from multiple servents as trustable. Second, if there exist two votes, one submitted by a servent with low servent evaluation score and the other by a servent with high servent evaluation score, it is reasonable to weight the latter vote more heavily when updating the resource reputation score. The same notion applies for negative votes. This yields the following:

Resource reputation score R of existing resource r {increases/decreases} as the resource r receives {positive/negative} vote from servent $s_j$, and the influence of the vote is a function of the servent evaluation score $SE_j$ of $s_j$.

Assumption (3) allows the servent contribution scores to be updated. Each servent contribution score should be updated so as to express the latest status of the servent and to render assumption (1) valid. Since the servent contribution score is a measure that represents the trustworthiness of resources provided by the servent, the contribution reputation should be accumulated as the resource reputation scores of the resources provided by the servent increase. The same notion applies to the depletion of the servent contribution score. Updating can be described as follows:

Servent contribution score SC of servent s {increases/decreases} as resource reputation R of resource r that the servent s has contributed to the P2P network {increases/falls}.

Assumption (4) allows the servent evaluation scores to be updated. The servent evaluation score should be updated so as to express the latest status of the servent and to make assumption (2) valid. Since the servent evaluation score is a measure that represents the reliability of votes provided by the servent, the score should be accumulated as the votes made by the servent are found to be reliable. The collaborative nature of the reputation system, in which numerous servents cooperate with regard to resource evaluations, yields the following definition of "reliable vote": a vote that evaluates a resource in compliance with the majority decision. Updating can be described as follows:

Servent evaluation score $SE_j$ of servent $s_j$ {increases/decreases} as the resource reputation R of resource r on which the servent $s_j$ has voted changes in the {same/opposite} direction.

3.2. Reputation management implementation

Let us now explain our reputation management model in more detail. Here, we will concentrate our discussion on a Napster-like centrally coordinated P2P file sharing system. (See Section 5 for discussion on implementing our reputation management model on decentralized P2P systems).

The central server manages the reputations of both servents and resources along with a list of resources shared by active servents. In response to a query sent by a servent, the central server returns the reputation information to the servent along with the download candidate lists. Servents, after downloading the resources, evaluate the resources and submit their votes to the central server.

The central server maintains the following reputation-related information:

1. Resource reputations: for each resource shared on the P2P network, the server maintains a set of resource identifiers and resource reputation scores.
2. Servent evaluation/contribution reputations: for each servent on the P2P network, the server maintains a set of servent identifier, servent contribution score, and servent evaluation score.
3. Votes submitted by servents: for each resource shared on the P2P network, the server maintains the votes submitted on the resource. The server also maintains the identifiers of the servents who submitted the votes.

Resource identifiers and servent identifiers are used for indexing purposes, and so should be uniquely defined for each resource and servent. One example is to use a digest of the resource content calculated by a secure hash function as the resource identifiers, and to use non-overlapping pseudonyms, registered on the central server, as the servent identifiers.

Our reputation management model consists of four phases: sending a file list to the central server, locating the target resource/servent, selecting and downloading target resource/servent, and voting and updating resource and servent reputations.

Phase 1: Sending a file list to the central server

Upon connecting to the P2P network, a servent sends a list of resources and associated descriptions to the central server. (The servent also sends additional information such as its IP address and port number that will be used when establishing actual connections for resource transfer). For reputation management purposes, the servent also calculates the resource identifiers associated with the resources, and sends these resource identifiers and its own servent identifier to the central server as well (Fig. 1).

[Figure 1. Sending a file list to the server. The servent sends (servent_id, resource list) to the server; the server replies with an ack and computes resource reputation scores for newly introduced resources.]

The central server adds the list of resources and associated descriptions to its directory index. Then, for each resource identifier it receives, the central server checks to see if the corresponding resource reputation score already exists. If there is no resource reputation score associated with the resource identifier (i.e. the resource is new), the server calculates the score and stores the result. The calculation is based on the servent contribution score of the corresponding servent.
For the case where servent s with servent contribution score SC introduces new resource r, the resource reputation score R of resource r is calculated by the following equation:

    $R = SC$    (1)

The equation is a straightforward implementation of assumption (1) described in Section 3.1.

Phase 2: Locating target resource/servent

The servent submits a query to the central server. The central server returns a list of matching resources and a list of servents who possess the resources. The corresponding resource reputation scores and the servent contribution scores are also returned to the servent (Fig. 2).

[Figure 2. Locating target resource/servent. The servent sends (search condition) to the server; the server returns (resource info, servent info+)*, where resource info := {resource id, resource reputation score, resource description}* and servent info := {resource id, servent contribution score}+.]

Phase 3: Selecting and downloading target resource/servent

Using the information given in Phase 2, the servent selects the target resource (to download) and the target servent (from where the target resource is to be downloaded). The selection is up to the user, but most likely the following policies would be applied:

1) If there are multiple resources that match the query, the user will select the resource with the highest resource reputation score. Theoretically, the servent can pick any servent that offers the resource, but most users will feel comfortable in selecting the servent with the highest contribution reputation score.
2) If all of the candidate resources have relatively low scores, the user will refer to the servent contribution score instead and select the resource offered by the servent with the highest servent contribution score.

For example, suppose the response to a query is as shown in Table 1. The servent can choose either 1) resource Cool mpeg with the resource reputation score of 3, and download it from either servent X-man or Y-wing, or 2) regard the resource reputation score of 2 and 3 as too low, and instead focus on servent ZZZ with the servent contribution score of 7 and decide to download the resource Cool movie from the servent ZZZ.

Table 1. An example of response to query

Resource candidates        Servents sharing the resources
Cool mpeg (Score: 3)       X-man (Contribution Score: 4)
                           Y-wing (Contribution Score: 3)
Cool movie (Score: 2)      ZZZ (Contribution Score: 7)
                           Iguchi (Contribution Score: 1)

Having chosen the target resource and servent, the servent accesses the target servent and downloads the target resource.

Phase 4: Voting and updating resource/servent reputations

After downloading the resource, the servent evaluates the resource and submits a vote to the central server. The actual content of the vote is a real value ranging from -1 to +1. A positive value represents satisfaction with the resource, whereas a negative value represents dissatisfaction. After receiving the vote, the central server updates the corresponding resource and servent reputation scores (Fig. 3).

[Figure 3. Voting and updating resource/servent reputations. The servent sends (servent_id, resource id, vote) to the server; the server replies with an ack and updates the corresponding reputation scores.]

First, the resource reputation score of the downloaded resource is updated. The update procedure follows assumption (2) of Section 3.1.
If resource r is downloaded by servent $s_j$ with servent evaluation score $SE_j$ and vote $e_j$ is then submitted by servent $s_j$ on r, resource reputation score R is recalculated as follows:

    $\Delta R = e_j \cdot SE_j$    (2)

Since the resource reputation score is updated, the servent contribution score of the servent who provided the resource is also updated. Servent contribution score SC of servent s (the servent who has offered resource r) is recalculated as follows:

    $\Delta SC = \Delta R$    (3)

where $\Delta R$ is the change in the resource reputation score as calculated by Equation (2). Note that the update procedure follows assumption (3) of Section 3.1.

The change in the resource reputation score also affects the servent evaluation scores of all servents who have been voting on the resource, following assumption (4) described in Section 3.1. If servents $s_k$ ($k = 1, 2, \ldots, n$) have submitted votes $e_k$ on resource r, each servent evaluation score $SE_k$ of $s_k$ ($k = 1, 2, \ldots, n$) is recalculated as follows:

    $\Delta SE_k = e_k \cdot \Delta R \quad (k = 1, 2, \ldots, n)$    (4)

where $\Delta R$ is the change in the resource reputation score as calculated by Equation (2). Note that $\Delta SE_k$ becomes:

- Positive if $e_k$ and $\Delta R$ have the same sign (i.e. the votes submitted by servents $s_k$ have the same direction as the change in the resource reputation score)
- Negative if $e_k$ and $\Delta R$ have different signs (i.e. the votes submitted by servents $s_k$ are opposite to the change in the resource reputation score)

4. Security Considerations

Recent studies on reputation management systems point out that several attacks against them are possible [5] [8] [10]. We analyzed the robustness of our reputation management model by subjecting it to these attacks.

4.1. Reputation nullification

The simplest attack against the reputation system is exploiting cheap pseudonyms [8]. In this attack, a malicious servent misbehaves for a while, discards its pseudonym, and registers a new pseudonym with a fresh servent reputation; the servent can discard her negative reputation and pick up a new reputation.

Our reputation model can counter this attack by setting the initial servent reputation score under the lowest possible servent reputation score. This makes the reputation nullification attack unprofitable, because a newly registered servent always has a lower reputation score than its previous score.

It may seem that this countermeasure would discourage newcomers. The newcomers might be demoralized if their low servent reputation impedes them from participating in the activities. The reputation model we propose alleviates this problem in two ways. First, we introduce the resource reputation score; newcomers can actively participate in file sharing activities from the beginning by sharing resources with high reputation. By offering highly reputable resources to the P2P network, they can easily build their servent contribution score. Second, we clearly divide the servent contribution score from the servent evaluation score. The algorithm we use to calculate the servent evaluation score provides newcomers with a chance to increase their servent evaluation score quickly by rating downloaded resources correctly.

4.2. Reputation self-manipulation

Some servents may try to manipulate their servent reputations. If there is a way to cheat the reputation algorithm, the malicious servents will exploit the weakness to manipulate the reputation scores in their favor. Fortunately, our reputation algorithm prevents this type of attack. Both the servent contribution score and the servent evaluation score require the concurrence of other servents to increase their reputations, as shown in Equations (3) and (4) in Section 3.2.
The servent contribution score only increases when the resource that the servent has provided receives positive votes from other servents, and the servent evaluation score only increases when the resource on which the servent has submitted a {positive/negative} vote {gains/loses} its resource reputation by receiving {positive/negative} votes from other servents.

The fact that other servents' witnesses are needed to change the reputations suggests a possible attack of simulating witnesses. The pseudospoofing attack [10], for example, exploits the cheap pseudonym natures of the reputation system by controlling multiple pseudonyms simultaneously and simulating fake witnesses. For example, a malicious user can increase servent A's contribution score by simulating resource download from servent A to pseudo servents B and C and by voting positively on the resource as servents B and C.

A straightforward countermeasure is to restrict such simulations by assigning only one pseudonym to each user. This can be easily achieved by checking users in the pseudonym registration process. If this check is unfeasible, however, other countermeasures should be applied. (In this case, the countermeasures for another type of attack, the shilling attack, can be applied. Refer to the discussion on shilling attack in the next section).

4.3. Reputation manipulation through collusion

Instead of deceiving the reputation system alone, several malicious servents may decide to collude to manipulate the reputations. Shilling is an attack of this type; in the attack, conspirator servents submit positive votes on a resource provided by their friend's servent to strengthen her reputation (ballot stuffing) or negative votes on a resource provided by their competitor servent to weaken her reputation (bad-mouthing) [5] [10]. Unlike the pseudospoofing attack, the votes come from real servents in the shilling attack, so "one pseudonym per user" tactic is no barrier to the shilling attack.

Our reputation model can block the shilling attack through the servent evaluation score.
In our model, shilling is effective only if the servents submitting fake votes have high servent evaluation scores. It is unlikely, however, that servents with high evaluation scores will engage in shilling attacks because the actions will degrade their evaluation scores. Shilling attacks performed by servents with low evaluation scores have little impact on overall reputations, making the attack ineffective. Therefore, conspirators have to strengthen their servent evaluation scores prior to conducting the attack. Unfortunately for them, building strong evaluation scores requires a past history of reliable vote submission, and constructing such records is time-consuming. Note that offering multiple resources to the P2P network to create the appearance of a trustworthy servent cannot fool our reputation management mechanism, because the trick might strengthen the contribution score of the servent (which is totally legitimate) but will not strengthen the evaluation score of the servent.

The effectiveness of shilling is further minimized in our model because the overall reputations are calculated by aggregating votes from numerous servents. The malicious servents would have to persuade a large number of servents to submit shills in order to manipulate reputations.

5. Implementation on decentralized P2P networks

So far, we have described our reputation management model with a Napster-like centrally coordinated P2P network in mind. Recently, another type of P2P network, namely the completely decentralized P2P network, has been attracting attention. In this type of P2P network, there is no central server responsible for coordinating servents (i.e. providing a directory of resources). Gnutella and Freenet are examples of systems with this type.

When applying our reputation management model to completely decentralized P2P file sharing systems, the following issues have to be solved.

1) There is no central server to store resource and servent reputations securely.
2) There is no central server to collect votes submitted by servents.

The first problem can be solved by making each servent keep track of her own reputation-related information (i.e. the information that is derived from her experience with other servents). The second problem can be dealt with by requesting other servents to send their opinions (votes they have submitted) on a resource as the need arises.

More precisely, each servent is required to hold the following local reputation-related information.

1. Resource reputations: The servent maintains a set of resource identifiers and resource reputation scores for each resource that she has experience with (i.e. resources that the servent has previously downloaded).
2. Servent evaluation/contribution reputations: The servent maintains a set of servent identifier, servent contribution score, and servent evaluation score for each servent that she has experienced with (i.e. the servents that she has previously downloaded resources from).
3. Votes submitted by servents: The servent maintains a set of a vote submitted on the resource and an identifier of the servent who submitted the vote for each vote that she has submitted when she has downloaded the resource and for each vote that she has experienced with (i.e. the vote that the servent has collected from other servents. See Phase 2 below for more details).

In this condition, our reputation model can be implemented on a decentralized P2P network as follows.¹

¹ Phase 1 is omitted because the phase is irrelevant in a decentralized P2P network environment.

Phase 2: Locating target resource/servent

A servent broadcasts a query to the P2P network. Servents possessing resources that match the query respond with a set of {r, s} where r is an identifier of the resource and s is an identifier of the responding servent. After receiving the responses, the servent determines a temporary resource reputation for each r it receives using the following rules:

- If resource reputation score R of resource r exists in the local reputation-related information, use this value as the temporary score.
- If R does not exist but servent contribution score SC of the servent s exists in the local reputation-related information, then the temporary resource score is calculated using equation (1) in Section 3.2 and servent contribution score SC.
- If both R and SC do not exist, the servent first assigns a new SC (and also SE). The servent then calculates the temporary resource score using equation (1). SC is usually set low because servent s is a newcomer.

Next, for each r, the servent broadcasts another query and asks other servents to send their votes on r. Servents who have previously downloaded r respond to the query with a set of {s_j, e_j} where s_j is the responding servent's identifier and e_j is a vote that s_j has submitted on r. The servent, after receiving the responses, updates the resource reputation by applying equation (2) in Section 3.2 for each {s_j, e_j} it receives. While updating the resource reputation, the following rules apply:

- If servent evaluation reputation score SE_j of s_j exists in the local reputation-related information, the servent updates R by applying this SE_j and e_j to equation (2).
- If SE_j does not exist in the local reputation-related information, the servent first assigns a new SE_j (and also SC_j). The servent then updates R by applying this SE_j and e_j to equation (2). Here, SE_j is usually set low because servent s_j is a newcomer.

The servent may receive {s_j, e_j} from a servent whose vote is already part of her local reputation-related information. In this case, an appropriate action, such as discarding the old vote, should be taken in order to prevent multiple votes from the same servent from being reflected in R.

Phase 3: Selecting and downloading target resource/servent

Using the information determined in Phase 2, the servent selects the target resource and the target servent. Details of this selection strategy are the same as in the centrally coordinated P2P network scheme.

Phase 4: Voting and updating resource/servent reputations

After downloading the resource, the servent evaluates it. The result of the evaluation, vote e, is then used to update the resource reputation R using equation (2). The change in R triggers an update of servent contribution score SC of the target servent s. This is done using equation (3) in Section 3.2. In this scenario, however, R is defined as: (R just after reflecting vote e) (the temporary R in Phase 2). The change in R also triggers updates of servent evaluation scores SE_k of all servents s_k who have sent their votes on r.
This is done by applying equation (4) in Section 3.2; this time R is defined as: (R after reflecting vote e) (the temporary R in Phase 2) e_k SE_k. In other words, R used for updating SE_k is defined as the fluctuation caused by all votes collected in Phase 2, excluding the vote submitted by servent s_k itself. Finally, the servent updates her local reputation-related information so as to reflect the new R, SC_k, and SE_k calculated in Phase 4.

Note that the above implementation works effectively only if malicious servents are prevented from polluting others' local reputation by submitting fake votes under fake identities. Fortunately, some techniques for preventing such attacks in decentralized P2P networks have been proposed in [4], and we believe that applying similar techniques will allow our reputation management model to overcome this problem.

Another problem that should be considered is the self-centered local reputation problem. Collecting all votes from all servents in the P2P network in Phase 2 is not realistic, so it is practical to collect votes only from servents who reside near the vote-collecting servent. The local reputation at each servent is thus constructed with limited scope, allowing deviation in the local reputation maintained at each servent. For instance, servent A may overestimate average-quality servent B as very reliable if the votes servent A collects about servent B happen to be all positive. This is a weakness of the distributed local reputation scheme compared to the centrally coordinated global reputation scheme, in which the reputation is constructed using all votes submitted by all servents.

One solution for alleviating this weakness is to introduce the concept of reputation equalization. Its basic idea is to periodically refer to other servents' local reputation, and adjust one's own local reputation if it differs significantly from others' reputation. We believe that a technique similar to the trust updating method employed in Poblano [2] can be applied to achieve equalization of local reputation.
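The Phase 2 vote-collection rules (newcomers start with a low SE, one vote per servent) and the shilling argument of the previous section can be seen together in a small added example. This is not code from the paper: the SE-weighted mean is a stand-in for equation (2), which is defined in Section 3.2 and not reproduced here, and the vote range [0, 1], the value of `NEWCOMER_SE`, and all names are assumptions.

```python
"""Phase 2 vote collection on one servent's local reputation store (illustrative)."""

NEWCOMER_SE = 0.1  # assumed "low" evaluation score for an unknown servent


class LocalReputation:
    def __init__(self, known_se=None):
        self.se = dict(known_se or {})  # servent id -> evaluation score SE_j
        self.votes = {}                 # resource id -> {servent id: vote e_j}

    def collect(self, resource, responses):
        """Store {s_j, e_j} responses; one vote per servent, newest wins."""
        held = self.votes.setdefault(resource, {})
        for s_j, e_j in responses:
            self.se.setdefault(s_j, NEWCOMER_SE)  # newcomer rule
            held[s_j] = e_j                       # discard any older vote
        return held

    def score(self, resource, temp_score, temp_weight=1.0):
        """Stand-in for equation (2): SE-weighted mean of the votes and the
        temporary score. The paper's own formula is in its Section 3.2."""
        held = self.votes.get(resource, {})
        num = temp_score * temp_weight + sum(self.se[s] * e for s, e in held.items())
        den = temp_weight + sum(self.se[s] for s in held)
        return num / den


def unweighted_mean(votes):
    """Baseline that ignores evaluation scores, for comparison."""
    return sum(votes.values()) / len(votes)


def demo():
    # Constructed scenario: a corrupt file; 0.0 = bad, 1.0 = good (assumed scale).
    local = LocalReputation({"alice": 0.9, "bob": 0.9, "carol": 0.9})
    honest = [("alice", 0.0), ("bob", 0.0), ("carol", 0.0)]
    shills = [(f"new{i}", 1.0) for i in range(5)]  # previously unseen identities
    local.collect("file-x", honest + shills)
    weighted = local.score("file-x", temp_score=0.5)
    naive = unweighted_mean(local.votes["file-x"])
    local.collect("file-x", shills * 3)            # the same votes sent again
    replayed = local.score("file-x", temp_score=0.5)
    return weighted, naive, replayed, len(local.votes["file-x"])


if __name__ == "__main__":
    print(demo())
```

With these constructed inputs, the five low-SE positive votes leave the weighted score below the neutral starting point, while a plain average of the same votes would rate the corrupt file as mostly good; resending the votes changes nothing because each servent holds one slot.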
Establishing the actual methodology for achieving such local reputation equalization, however, requires more discussion and is part of future work.

6. Conclusion

This paper has proposed a reputation management model for P2P file sharing networks. We have shown that our mechanism, which is based on mutually interacting resource reputation scores, servent contribution scores, and servent evaluation scores, realizes an effective and robust reputation scoring system.

7. References

[1] K. Aberer and Z. Despotovic, Managing Trust in a Peer-2-Peer Information Systems, Proc. of 10th International Conference on Information and Knowledge Management (CIKM 2001), 2001.
[2] R. Chen and W. Yeager, Poblano: A Distributed Trust Model for Peer-to-Peer Networks, Sun Microsystems Technical Paper, 2000, http://www.sun.com/software/jxta/poblano.pdf.
[3] F. Cornelli, E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati, Choosing Reputable Servents in a P2P Network, Proc. of 11th International World Wide Web Conference, 2002.
[4] E. Damiani, De Capitani di Vimercati, S. Paraboschi, P. Samarati, and F. Violante, A Reputation-Based Approach for Choosing Reliable Resources in Peer-to-Peer Networks, Proc. of 9th ACM Conference on Computer and Communication Security, 2002.
[5] C. Dellarocas, Immunizing Online Reputation Reporting System Against Unfair Rating and Discriminatory Behavior, Proc. of 2nd ACM Conference on Electronic Commerce, 2000.
[6] R. Dingledine, M. J. Freedman, and D. Molnar, The Free Haven Project: Distributed Anonymous Storage Service, Proc. of the Workshop on Design Issue in Anonymity and Unobservability, 2000.
[7] Ebay. http://www.ebay.com/.
[8] E. Friedman and Paul Resnick, The Social Cost of Cheap Reputation, Telecommunication Policy Research Conference, 1998.
[9] A. K. Ghosh and M. Schmid, Execution Control Lists: An Approach to Defending Against New or Unknown Malicious Software, Proc. of 3rd Information Survivability Workshop (ISW2000), 2000.
[10] A. Oram, editor, Peer-to-Peer: Harnessing the Power of Disruptive Technologies, O'Reilly & Associates, 2001.

0-7695-2056-1/04 $17.00 (C) 2004 IEEE