SLBA: A Security Load-balancing Algorithm for Structured P2P Systems

Journal of Computational Information Systems 8: 7 (2012) 2751 2760 Available at http://www.jofcis.com SLBA: A Security Load-balancing Algorithm for Structured P2P Systems Wei MI, Chunhong ZHANG, Xiaofeng QIU School of Information and Communication Engineering, Beijing University of Posts and Telecommunications, Beijing 100876, China Abstract Dynamic load balancing is one key adaptation mechanism often deployed in networking and computing systems. Numerous proposals exist for load balancing in peer-to-peer networks. All of them will enhance the availability of P2P system to some extent. However, few attentions have been paid on security threats introduced by the load balancing. This paper analyzes the security vulnerabilities of the typical DHT load balancing mechanism; then proposes an algorithm that both facilitates good performance and does not dilute security. Our algorithm, SLBA, achieves load balance by targeted interval ID generation and higher convergence rate load transfer algorithm, and limits any fundamental decrease in security by basing each node s set of identifiers on a single certificate and considering security factor in load transfer among nodes. Performance evaluation shows that, compared to the classical algorithms, the load balancing effect of SLBA algorithm is significant, the convergence rate and load balancing security are significantly raised. Keywords: P2P; Load Balancing; Security 1 Introduction Decentralized structured overlays and distributed hash tables (DHT) proffer a unique vision of computing: a collection of computing and communication resources shared by active users. However, nodes are heterogeneous, workload assigned to system may be heavy-tailed, node availability and churn rates may change over time. Load balancing is a key step towards adapting to these characteristics and ensuring the reliability and availability. There is a large body of literature on load balancing of DHT system and all proposed load balancing schemes can be broadly characterized as ID manipulating solutions and virtual server solutions. ID manipulating solutions [1-3] balance load owned by nodes through elaborately assigning and reassigning node IDs. To balance load, many node IDs need to be reassigned This work is supported by China-Finland Cooperation Project (No. 2010DFA12780), National Key Program (No. 2011ZX03005-004-02) and Key Laboratory of Universal Wireless Communications, Ministry of Education. Corresponding author. Email address: miwei1985@gmail.com (Wei MI). 1553 9105 / Copyright 2012 Binary Information Press April 2012

2752 W. Mi et al. /Journal of Computational Information Systems 8: 7 (2012) 2751 2760 when a node joins or leaves overlay. This results in transferring a lot of data. In virtual server solutions [4-9], each physical node runs multiple virtual DHT servers proportional to its capacity. Virtual servers can also be created, deleted and transferred dynamically based on the changing load distribution. However, these solutions have some deficiencies as following: the convergence rate is still low, which needs more detecting messages and higher detecting overhead; algorithm relies on some fixed nodes for collecting load information and generating reassign policy in the system, which requires additional equipments and higher cost; the main killer issue is give up on important security properties. A key issue in the operation of a p2p network is whether or not one assumes it may contain malicious nodes. A malicious node can subvert content or attempt to control particular portions of the identifier space. In this paper, we analyze the security vulnerabilities of the typical DHT load balancing solutions. Then, we propose SLBA, a security load balancing algorithm for DHT that supports wide variation in skew, heterogeneity, and churn while retaining security. At a high level, SLBA works as follows: (1) at joining time, based on targeted interval verifiable ID generation, an u- nique semi-ca server generates a set of verifiable IDs for node, which can limit any fundamental decrease in security and greedily reduces discrepancies between capacity and load; (2) during its run-time, experiencing overload node should execute security-aware load transfer algorithm, which can significantly raise the convergence rate and load transfer security. This paper proceeds as follows. In Section II, we introduce the related work. In Section III, we analyze the security vulnerabilities of load balancing solutions. In Section IV, we present SLBA algorithm in detail. In Sections V, we evaluate performance of SLBA. Finally, we conclude and present future work in Section VI. 2 Related Work ID manipulating load balancing. These solutions balance load owned by nodes through elaborately assigning and reassigning node IDs. ID manipulating solution causes too much additional overhead if load balancing requirement is stringent. To balance load, many node IDs need to be reassigned when a node joins or leaves overlay. This results in migrating a lot of data. It also increases maintenance overhead because many messages are needed to update routing table, which is due to the changes of node IDs. Reference [1] has proposed the use of the power of two choices paradigm to achieve better load balancing. Each object is hashed to d 2 IDs, and is placed in the namespace of the least loaded node. Reference [2] introduces a scheme where a physical host maintains a set of virtual servers which have overlapping links in the routing table. However, there will still be overloaded nodes. Reference [3] proposes algorithm for ID space balancing. They assign multiple positions of the ID space to every node, but choose only one of those virtual nodes to become active at a time. However, this algorithm needs to frequently adjust the node ID, causing higher load regulation overhead. Virtual server load balancing. In these solutions, each physical node runs a number of virtual servers proportional to its capacity. So the load of a physical node is determined by the amount of all the load segments owned by its virtual servers. Based on the changing load distribution, virtual servers can be created, deleted and transferred dynamically.

W. Mi et al. /Journal of Computational Information Systems 8: 7 (2012) 2751 2760 2753 Both CAN [4] and Chord [5] had achieved load balancing, and assumed that the capacity of all nodes is equal. CFS [6] simplifies load transfer by removing the virtual server, which may lead to the other nodes overloaded and convergence time longer. Reference [7] describes three load balancing algorithms: one-to-one, one-to-many, many-tomany, based on virtual server and directory, which are used in static heterogeneous networks and are expanded to dynamics heterogeneous networks [8]. The assignment of virtual nodes is typically performed by one or more directory nodes, which can result in single-point failure. Reference [9] builds a structure on top of the P2P network: k-ary tree, which is responsible for the collection and the release of node information, as well as the transfer strategy of virtual server. The algorithm makes the network structure more complicated so that the balancing speed and fault tolerance are degraded. Security models for load balancing. There are only few studies on security models for load balancing in distributed systems [10]. According to virtual server idea, it proposes k-choices, a load balancing algorithm for structured overlays that retains the security afforded by verifiable IDs. However, it only consider security of node joining, there are also some security vulnerabilities in load distribution collection, load transfer strategic decisions and execution. 3 Security Vulnerabilities Analysis In order to achieve load balancing, these solutions balance namespace or adjust the number of documents for node through transferring virtual servers or multi-hash, but the emphasis is different. ID manipulating solutions have main characteristic: (1) need to measure and calculate the changing load distribution; (2) balance load owned by nodes through elaborately assigning and reassigning node IDs. Whereas virtual server solutions main characteristic: (1) each node runs multiple virtual server; (2) need to measure and calculate the changing load distribution; (3) based on the changing load distribution, virtual servers can be created, deleted and transferred dynamically. A key issue of P2P is whether or not one assumes it may contain malicious nodes. A malicious node can subvert content or attempt to control particular portions of namespace. Based on main characteristic, our exposition is focused on load balancing policies security vulnerabilities. Node ID generation and ID assignment. To achieve good performance, those solutions let nodes join as normal and reactively position nodes to arbitrary locations in namespace. Arbitrarily choosing IDs forfeits an important security goal for p2p. Attacks that center around the falsification of a node s identifier are called Sybil [11] and ID mapping [12] attacks. The load balancing solutions may facilitate the execution of these attacks. Douceur outlines having a logical center, trusted authority to issue IDs is the only practical way to guarantee a one-to-one correspondence between IDs and the physical entities. Node Joins, Leaves and Churn. In virtual server solution, when one node departs, it must take its log(n) VSs with it, causing log(n) times more adjustments to be made. So, it may result in churn attack [13] is easier to implement and more efficient. Load distribution collection and data correctness and confidentiality. To balance load, it need to measure and calculate the changing load distribution. To make a correct and

2754 W. Mi et al. /Journal of Computational Information Systems 8: 7 (2012) 2751 2760 validity load transfer strategic decision, it must guarantee that the collected load distribution is valid. Load transfer strategic decisions and execution and nodes security levels. During load transferring, the security level of transfer node is important for transfer security. On overlay, each node is a node in traditional network. It has a kind of operation system, network protocol. If a node has low security, attackers may intrude the weak nodes, then penetrate into the whole P2P through them. In P2P, the reputation [14] of a node can represent the security level. It is a long-term evaluation. Nodes behavior is restricted on the basis of the evaluation, or provides the reputation of the node as a reference when choosing a node to cooperate. 4 SLBA Design Considering the security vulnerabilities of load balancing policies, we design a security load balancing algorithm called SLBA for DHT. Based on the virtual server, SLBA include a novel verifiable virtual ID generation (targeted interval verifiable ID generation) and a security virtual server transfer algorithm (security-aware load transfer algorithm). A. Targeted interval verifiable ID generation Arbitrarily choosing IDs forfeits an important security goal for P2P. While having a logical center, trusted authority to issue IDs is the only practical way to defend ID attacks. So, we propose that virtual IDs are generated by a central semi-ca server. This option is scalable, because each node contacts server as it joins/leaves and transfers virtual servers. In DHT system, data distribution is under uniformly random or Zipf query distribution [15]. Under these two distributions, the proportion of data the node is responsible for is also strongly depends on the proportion of the node s hash space. Thus, hash space assignment during node join is very important for load balancing. We achieve namespace balance through special ID generation mode and examine load balancing under uniformly random and Zipf queries. To evaluate the balancing degree of load distribution precisely, we need to define a mathematical way for evaluation. Suppose nodes are indexed from 1 to N. The capacity of node i is C i. Each node s capacity can be estimated by the node itself or operator in the same standard. RSpace i is the proportion of hash space which node i actually owns. Then the proportion of hash space which node i should owns is OSpace i = c i / N C k. We define node s LB (Load Balancing Factor) as k=1 LB = RSpace/OSpace 1, so LB is closer to zero means that load distribution is more balanced. To make sure that node joining won t break the load balance, virtual IDs are generated with the current load distribution status. Suppose nodes that already in the overlay are indexed from 1 to N-1 and the joining node is N. When node N joins, it first sends a single unit of certified information to semi-ca server, server runs targeted interval verifiable ID generation to generate virtual IDs for node N. Procedure targeted intervals verifiable ID generation mode if N=1 else generate C 1 V random virtual IDs for node N

W. Mi et al. /Journal of Computational Information Systems 8: 7 (2012) 2751 2760 2755 Compute hypothetic LB of node 1 to N-1 in system: LB i = RSpace i /OSpace i 1; Create new virtual IDs of new node N end if while (RSpace N < OSpace N ) Select node x: LB x = max(lb i ); Select biggest VID of node x: Space(V ID) = max(space(x s virtual ID)); Create new virtual ID (xid): xid = rand(prodecessor(v ID), V ID); Computer LB x, RSpace x, RSpace N : end while RSpace x = RSpace x Space(xID); LB x = RSpace x /OSpace x 1; RSpace N = RSpace N + Space(xID); LB N = RSpace N /OSpace N 1; In this algorithm, we first find the largest space virtual server VID of node x whose LB is biggest. Then, we generate new ID xid randomly in targeted interval of virtual server VID responsible for. B. Security-aware load transfer algorithm Once the load balance is broken, virtual IDs are transferred from heavily loaded nodes to light-load nodes according to current load distribution status. However, in DHT systems, the load distribution is unpredictable. How to find light-load nodes quickly and correctly is the key problem. Furthermore, there also are some security vulnerabilities in load distribution collection, load transfer strategic decisions and execution. For this reason, we propose the security-aware load transfer algorithm (SALT). In SALT, we adopt ant colony optimization, which can quickly and correctly find candidate light-load nodes in the unknown load distribution system. In addition, both nodes load status and reputation are introduced in light-load nodes discovery, so it can achieve good load balancing and ensure the load transfer security. Considering the real load skew, we define the node utilization rate µ refers to the ratio of load of node L to its largest carrying capacity C, that is, µ = L/C. And the system utilization rate can be described as µ = N L i / N C i. To assure QoS, we set a threshold LT for µ and prevent i=1 i=1 node s µ becoming higher than LT. According to the ant colony optimization, we also define some related terms and parameters. Define 1 Pheromone We define the pheromone ph as available capacity of node i, ph(i) = C i L i. To make the

2756 W. Mi et al. /Journal of Computational Information Systems 8: 7 (2012) 2751 2760 speed faster and the cost lower, producing and updating of pheromone is complete with DHT node routing table update process. Define 2 Heuristic We define the safety factor as the reputation of node. The reputation (rep) is also introduced in routing selection as a heuristic factor, which can guarantee load transfer security. Define 3 Forward probability p k (i, j) In DHT routing, according to pheromone ph and heuristic rep, next hop is determined. Suppose that node i receives ant k, it will select neighbor j as next hop by p k (i, j). p k (i, j) = ph(j) α rep(j) β ph(u) α rep(u) β routt able(i) ph(j) α rep(j) β routt able(i), ph(j) > 0 & j routt able(i) tabu(k) ph(u) α rep(u) β, ph(j) < 0 & j routt able(i) tabu(k) 0, others Where, α and β is the relative important factor of pheromone and heuristic; routtable(i) is the routing table entry of node i; tabu(k) is the taboo list of search ant k. Define 4 Constraints (s.t.) In light-load nodes searching, the target nodes must meet some constraints (s.t.) as follow s.t. L(s) Load transfer C(s) LT m M L(m) + Load transfer(m) C(m) µ M Load transfer(m) Load transfer m=1 m M rep(s) rep(m) Where, Load transfer is total load which source node transfers out; Load transfer(m) is the load of node m receives. Overloaded node s µ can drop below LT, light node s µ can t exceed µ, and the light node s reputation value is higher than resource node s. Once node FN s capacity utilization reaches LT, FN will run the security-aware load transfer algorithm. Procedure security-aware load transfer algorithm 1) Node FN generates kth(k is initialized to 1) Search ant and set antid, constraints s.t., tabu list, TTL, pheromone and heuristic list of visited nodes; 2) according to the formula (1), node FN chooses the neighbor j whose p k (i, j) is kth largest as the next hop and forwards search ant k to node j ; 3) On reciving ant k, node j puts its ID, Ph(j) and rep(j) into tabu list and pheromone and heuristic list; according to s.t., node j judges whether it is a valid candidate node ; a. if node j meets s.t., it should generate guid ant which return node FN directly, update TTL=0, and end forward search ant k. b. if node j does not meet s.t., and all neighbors are in tabu list,it should generate guid ant which return node FN directly, update TTL=0, and end forward ant k. (1) (2)

W. Mi et al. /Journal of Computational Information Systems 8: 7 (2012) 2751 2760 2757 c. if node j meet s.t., nor all neighbors are in tabu list,it should update TTL=TTL-1; if TTL=0, it generates guid ant which return node FN directly, otherwise node j chooses neighbor m whose p k (j, m) is largest as next hop, and forwards ant k, then go to step 3 4) on receiving guide ant, source node FN should make all candidate nodes form list, and selects target node, then doing load transfer. 5) source node FN caluates the new µ, if µ > LT, then k = k + 1,go to step 1; otherwise the algorithm is end. 5 Performance Evaluation This section compares load distribution and load balancing overhead between targeted interval verifiable ID generation of SLBA and typical virtual ID generation, and evaluates the convergence rate and load balancing security of security-aware load transfer algorithm. Basic parameters are listed in TABLE I. Table 1: Basic experiment parameters Parameters Description Value N Node number 2 14 Load C Rate of DHT put/get/remove operations (times per second per node) The mean of system capacity [100,5000] C Node s capacity [0.5 C, 2 C] V The number of virtual servers per capacity in network initialization log N, 2log N, 4log N A. Targeted interval verifiable ID generation To evaluate the effect of load balancing, we compare the load distribution and load balancing overhead between targeted interval verifiable ID generation of SLBA and typical virtual ID generation in Chord context. Our solution adopts a novel algorithm to generate virtual ID, while virtual node IDs are generated randomly. ID manipulating solution can distribute load evenly as the other two solutions, and it is not practical because of the overhead issue. So ID manipulating solution is not compared here. 1) Load distribution Fig.1 shows the maximum and minimum LB. Fig.2 shows the empirical CDF (Cumulative Distribution Function) of LB. As shown, LBs are much closer to zero and maximum LB is reduced a lot when using targeted interval verifiable ID generation, which means that our ID generation can increase system capacity a lot. With the increase of V, the load balancing effects of all two ID solutions are becoming better. 2) Load balancing overhead Virtual server solution has to increase DHT nodes number a lot, which results in increasing routing and maintenance overhead. These overhead is proportional to the number of virtual servers, so they are evaluated with the average of virtual server number per capacity.

2758 W. Mi et al. /Journal of Computational Information Systems 8: 7 (2012) 2751 2760 Fig. 3 shows the average of virtual server number per capacity. The value of targeted interval verifiable ID generation is about 40% of typical virtual ID generation s. So, compared with typical virtual ID, our ID solution balancing overhead has reduced by 60%. Fig. 1: The maximum and minimum LB Fig. 2: The empirical CDF of LB Fig. 3: The average of virtual server number per capacity B. Security-aware load transfer algorithm This section compares convergence rate and load balancing security among security-aware load transfer algorithm (SALT-algorithm), O2O-algorithm [7] (One-to-One) and M2M-algorithm [7] (Many-to-Many). SALT and O2O are full distributed model, while M2M is semi-centralized semidistributed model, all are the typical virtual server solutions. Parameters are listed in TABLE II. For meeting the stringent load balancing requirement, all solutions have to adjust the load through transferring virtual servers, which results in increasing candidate node discovery overhead and data migration overhead a lot. Furthermore, reassign loads among nodes without considering safety factor, resulting in the transfer contents insecurity. Consequently, we will evaluate convergence rate, data migration overhead and security factor increment. Here, convergence rate is evaluated with detect hops for candidate node discovery per heavy nodes.

W. Mi et al. /Journal of Computational Information Systems 8: 7 (2012) 2751 2760 2759 Table 2: Balancing algorithm parameters Parameters Description Value µ Node utilization rate [0,1] rep the quantified reputation [1,5] TTL Maximal survival time of ants log2n α, β Relative importance factor of pheromone or heuristic [0,1] dnum Directory nodes number in M2M log2n Fig. 4: The convergence rate of load balancing Fig. 5: Security factor increment of load transfer As shown in Fig.4, Fig.5, experimental results as follows: The mean of the detection hops per heavy nodes for SALT, O2O and M2M algorithms are distributed in [15,20], [25,45], [110,150] range respectively, indicating that SALT algorithm can make the search for light-load nodes more targeted. It is because that ant-based technology is a non-direct collaboration way, which can avoid blind search services, so, it can improve the convergence rate. Security factor increment per data migration of our SALT algorithm is larger than the other two algorithms obviously. It is because that, in SALT, candidate nodes discovery introduces safety factor, which makes a compromise between load balancing effect and load balancing security. 6 Conclusion and Further Work This paper has analyzed the security vulnerabilities of the typical DHT load balancing mechanism, and proposed a security load balancing algorithm called SLBA for DHT. SLBA includes

2760 W. Mi et al. /Journal of Computational Information Systems 8: 7 (2012) 2751 2760 targeted interval verifiable ID generation mode and security-aware load transfer algorithm, which can facilitate good performance and do not dilute security. Performance evaluation shows that, compared to the classical algorithms, the load balancing effect of SLBA is significant, the convergence rate and load balancing security are significantly raised. In this paper, we roughly analyze the security vulnerabilities of the typical DHT load balancing mechanisms. However, it should to expound the influence of load balancing or overhead because of the introduction of security mechanisms. We are also implementing SLBA and will test its performance in the future. References [1] J. Byers, J. Considine, Simple load balancing for distributed hash tables, LNCS, 2003, pp. 80-87. [2] P. Godfrey and I. Stoica, Heterogeneity and load balance in distributed hash tables, INFOCOM 2005, 2005, vol. 1, pp. 595-606. [3] D. Karger, M. Ruhl, Simple efficient load balancing algorithms for peer-to-peer systems, Theory of Computing System, 2006, vol. 39, pp. 787-804. [4] S. Ratnasamy, P. Francis, A scalable content-addressable network, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, 2001, pp. 161-172. [5] I. Stoica, R. Morris, Chord: A scalable peer-to-peer lookup service for Internet applications, Proc. of the 2001 Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communications, 2001, pp. 149-160. [6] F. Dabek, M. F. Kaashoek, Wide-Area Cooperative storage with CFS, ACM SIGOPS Operating Systems Review, 2001, vol. 35, no. 5, pp. 202-215. [7] A. R. Karthik, K. Lakshminarayanan, Load balancing in structured P2P systems, LNCS, 2003, pp. 68-79. [8] B. Godfrey, K. Lakshminarayanan, Load balancing in dynamic structured P2P systems, INFO- COM 2004, 2004, vol. 4, pp. 2253-2262. [9] Zhu Y, Hu Y, Efficient, proximity-aware load balancing for DHT based P2P systems, IEEE Trans. on Parallel and Distributed Systems, 2005, vol. 6, no. 4, pp. 349-361. [10] J. Ledlie, M. Seltzer, Distributed, secure load balancing with skew, heterogeneity and churn, INFOCOM, 2005, vol. 2, pp. 1419-1430. [11] J. Douceur, The Sybil Attack, Peer-to-Peer Systems, Springer, 2002, pp. 251-260. [12] Davide Cerri, Alessandro Ghiono, ID Mapping Attacks in P2P Networks, IEEE Globecom, 2005, vol. 3, pp. 6. [13] E. Sit, R. Morris. Security considerations for peer-to-peer distribution hash tables, Future Directions in Distributed Computing, Springer-Verlag, pp. 103-107, 2003. [14] Jochem van Vroonhoven, Peer to Peer Security, 4th Twente Student Conference on IT, Enschede, 2006. [15] F. Bustamante and Y. Qiao, Friendships that last: Peer lifespan and its role in P2P protocols, Eighth International Workshop on Web Content Caching and Distribution, Hawthorne, NY, October 2003. [16] M. Dorigo. and M. Birattari, T. Stutzle, Ant colony optimization, Computational Intelligence Magazine, IEEE, 2006, vol. 1, pp. 28-39.