Decentalized Tust Management fo Ad-Hoc Pee-to-Pee Netwoks Thomas Repantis Vana Kalogeaki Depatment of Compute Science & Engineeing Univesity of Califonia, Riveside Riveside, CA 92521 {tep,vana}@cs.uc.edu ABSTRACT Moden mobile devices can fom ad-hoc netwoks to autonomously shae data and sevices. While such self-oganizing, pee-to-pee communities offe exciting collaboation oppotunities, deciding whethe to tust anothe pee can be challenging. In this wok we popose a decentalized tust management middlewae fo ad-hoc, pee-to-pee netwoks, based on eputation. Ou middlewae s potocols take advantage of the unstuctued natue of the netwok to ende malicious behavio, such as lying and colluding, isky. The eputation infomation of each pee is stoed in its neighbos and piggy-backed on its eplies. By simulating the behavio of netwoks both with and without a ating scheme we wee able to show that just a few dishonest pees can flood the netwok with false esults, wheeas this phenomenon is vitually eliminated when using ou middlewae. Categoies and Subject Desciptos C.2.4 [Compute-Communication Netwoks]: Distibuted Systems Geneal Tems Algoithms, Design, Secuity Keywods Tust, eputation, pee-to-pee netwoks, ad-hoc, unstuctued, decentalized. 1. INTRODUCTION The vision of pevasive o ubiquitous computing has been bought close by advances in the netwoking, pocessing and stoage capabilities of pesonal mobile devices such as laptops, cellphones, and PDAs [14]. Such devices can fom ad-hoc netwoks to autonomously shae data and sevices [13]. Self-oganizing, pee-to-pee netwoks, in which nodes act as Pemission to make digital o had copies of all o pat of this wok fo pesonal o classoom use is ganted without fee povided that copies ae not made o distibuted fo pofit o commecial advantage and that copies bea this notice and the full citation on the fist page. To copy othewise, to epublish, to post on seves o to edistibute to lists, equies pio specific pemission and/o a fee. MPAC 6, Novembe 27-Decembe 1, 26 Melboune, Austalia Copyight 26 ACM 1-59593-421-9/6/11...$5. both clients and seves, and without a cental coodinato, offe exciting oppotunities fo dynamic and cost-effective collaboation. Uses can fom localized communities to paticipate in wok-elated pojects, multi-playe games, social netwoks, o auctions. Howeve, in an unstuctued and decentalized topology seveal secuity issues aise. One of the most challenging poblems is to enable a pee to decide whethe to tust anothe pee, in the absence of a cental tust managing authoity [2]. Tust is impotant when shaing data o pocessing powe, and cucial fo e-commece applications such as auctioning. By saying that pee A puts a level of tust into pee B, we mean that A estimates the pobability of B acting in a way that will allow A to achieve a desied level of satisfaction. One way a pee A can estimate the level of tust to put into anothe pee B, is based on the eputation of pee B. The eputation of pee B is measued fom pevious inteactions of pee A with pee B, and also fom pevious inteactions of othe pees with pee B. One of the main difficulties in managing eputation-based tust in ad-hoc, pee-to-pee netwoks is that infomation about pee inteactions is spead acoss the netwok, and no single pee has a complete global view of the pees eputations. Futhemoe, malicious pees might tampe with eputation infomation while it is stoed locally o tansmitted, o even ty to defame othe pees. A middlewae solution to these challenges can facilitate secue pee inteopeability without use intevention. We have identified the following majo equiements fo a eputation-based tust management middlewae: i) To enable pees to identify tustwothy and untustwothy pees fo the paticula esouce and level of tust they equie. ii) To be light-weight, so that the potocol ovehead fo identifying the pees tust level is not hindeing thei actual inteaction. iii) To be esistant to collusions; peventing malicious pees fom foming cliques to boost thei eputation o to defame othe pees. iv) To be esistant to malicious attempts to tampe with the eputation infomation of pees, identifying such attacks. Distibuted tust management based on eputations has been the focus of seveal eseach effots. One of the main challenges, which is also the focus of this wok, is how to decide whee to stoe the eputation infomation. Stoing the eputation infomation in a distibuted manne and conducting polling to gathe it, as poposed in [3], geneates a lage amount of netwok taffic and delay. Stoing the eputation infomation in the pee this infomation efes to e-
quies complicated opeations to ensue that this pee will not tampe with its eputation [12]. On the othe hand, stoing the eputation infomation in just one pee is also isky, since that pee is contolling anothe pee s fate and may ty blackmailing o colluding with it. Anonymous stoing of eputation infomation [15] is complicated and equies boadcasting, which has unacceptable ovehead fo an unstuctued, pee-to-pee system. Stoing the same eputation infomation in a goup of pees, like [8] poposes fo stuctued, pee-to-pee netwoks, seems a easonable appoach, since it will allow the compaison and veification of the eputation infomation eceived by all o some of the pees of that goup. In this pape we popose a decentalized tust management middlewae fo unstuctued, ad-hoc, pee-to-pee netwoks, that is based on eputation. To achieve the afoementioned goals and ovecome the limitations of the existing schemes, we popose stoing the eputation infomation in a goup of pees that is not easily identifiable, so that collusions and blackmailing ae hindeed. Thus, in ou middlewae the eputation infomation of each pee is stoed in its neighbos and piggy-backed on its eplies to equests fo data o sevices. The novelty of ou middlewae lies in the fact that it elies on the lack of netwok stuctue to manage eputation infomation in a secue way. The lack of stuctue and the dynamic natue of the netwok ae usually egaded as obstacles in managing tust infomation in selfoganizing netwoks. Ou appoach utilizes these chaacteistics to build a self-oganizing, non-intusive tust management infastuctue esistant to tampeing and collusions. Ou expeiments show that a few dishonest pees can seiously theaten the opeation of an ad-hoc, pee-to-pee netwok, and that ou tust management middlewae can effectively pevent this fom happening. The est of the pape pogesses as follows: We discuss ou system model in section 2, and ou system s opeation in section 3. Section 4 descibes how epesentative attacks ae pevented, while section 5 elaboates on system algoithms. Section 6 pesents ou expeimental evaluation. Related wok is discussed in section 7, and section 8 concludes the pape and summaizes ou contibutions. 2. SYSTEM MODEL We assume a logical netwok of pees that povide data o sevices to each othe. We will use the tem object to collectively efe to both data and sevices. Each pee p i is identified by a public/pivate key pai, and maintains connections to othe pees. The netwok is unstuctued, decentalized and self-oganizing, meaning that pees make thei own decisions as to which pees to connect to o to quey fo objects. Each pee that offes an object o j to anothe pee eceives a ating j. A pee s eputation R i is defined as the sum of atings it has eceived so fa, R i = P j j. When a pee acts as a consume of an object, its goal is to identify the pee with the highest eputation, that is offeing the paticula object. Knowing the pee s eputation the consume can decide whethe to tust the povide, depending on the minimum tust level L j it equies fo this paticula type of object. Fo example, a pee might have diffeent equied tust levels fo diffeent types of tansactions, depending on thei cost. While the minimum tust levels ae set once by the use, discoveing the povides with the highest eputation R i and compaing R i to L j to decide whethe a pee can be tusted (if R i L j) ae the esponsibilities of the tust management middlewae. When a pee acts as a povide of an object, its goal is to have as many consumes as possible. This can esult in monetay gain, pivileges as a consume, o any othe benefit defined by an incentives policy, such as [17]. Since the way fo a povide to attact moe consumes is to have a eputation highe than thei tust level, evey povide s goal is to have as high a eputation as possible. Honest pees ty to boost thei eputation by offeing objects as pomised, to eceive good atings. Malicious pees ty to eithe incease thei eputation by tampeing with it, without actually having eceived the coesponding atings, o decease the eputation of othe pees, to incease thei own chances of being selected as povides. 3. SYSTEM OPERATION A pee p s seaches fo an object by sending quey messages to its immediate neighbos. These queies ae evaluated locally in each pee and in case a pee p offes a matching object, the positive eply (quey-hit) is etuned to p s. The queies ae popagated futhe, until thei numbe of hops to tavel (Time To Live TTL) expies. Similaly to Gnutella [4], evey quey is identified by a globally unique identifie (GUID), which we call the tansaction GUID TID. The TID is the same fo the quey message, and the possible quey-hit, and ating messages that ae poduced as a esult of this quey. It is defined as a andom numbe, geneated by the pee p s that poduced the quey, togethe with its public key. The quey-hits follow the same path as the queies to each p s. This is easily achieved by the pees caching the TID fom a quey they have outed and using the evese oute when outing the coesponding quey-hit, which has the same TID. Evey immediate neighbo of p, though which a queyhit of this pee tavels, is esponsible fo adding the eputation of p to the quey-hit message. Depending on the topology of the netwok, p has seveal immediate neighbos and all of them ae esponsible fo piggy-backing its eputation to its quey-hit messages. The pee p s that geneated the quey compaes all quey-hits oiginating fom the same pee p, to ensue that all epot the same eputation fo it. The eputation R of each pee is associated at p s with a confidence value C, which is equal to the numbe of pees that have epoted R. Honest pees ae encouaged though C to maintain multiple neighbos, which makes attacks iskie, due to the entopy intoduced by the unstuctued topology as we explain in the following sections. The necessity of having moe than one neighbo epoting the same eputation is futhe explained in section 4.1, while the impotance of the confidence value is explained in section 4.4. Figue 1 shows an example of a quey and quey-hit exchange. Let us assume that pee A (p s) ceates a quey with TTL = 3 that is popagated and eventually eaches F (p ), who having the object ceates a quey-hit. That eply follows the same path as the quey to each A. The neighbos of F, namely C and D add its eputation to the quey-hit, befoe popagating it futhe. In this topology two queyhits will be geneated, so that pee B will be able to veify that F s eputation on both of them is the same. This edundancy is newly intoduced, since nomally F would have just eplied once. Since F s neighbos do not know if they will be the only ones popagating the cuent quey-hit, they cannot isk tampeing with the eputation.
H G F C H H H+R D B H+R H+R A H G F C D B A J E J E I I K K Figue 1: uey and quey-hit example. Figue 2: Rating example. Afte an inteaction, p s ates the object it was povided. The ating message is signed by p s and popagated using the same flooding-based mechanism as the quey message. Howeve, the TTL of the ating message is lage than the TTL of the quey message by 1, so that the ating can each all the neighbos of the pee p that is being ated. Figue 2 shows an example of ating. Afte A uses the object povided by F, it ceates a ating message, with TTL = 3 + 1 = 4, that is popagated and eaches all of F s immediate neighbos (C, D, G, H, J), who update the eputation they stoe fo F. The ating message also eaches pees like B and E, that will not stoe the ating of F, since they ae not its neighbos and do not maintain its eputation. Each of p s neighbos stoes locally the quey-hit s TID when piggy-backing p s eputation on its quey-hit. The TID contains the public key of p s, that was contained in the quey. The public key is used to veify the signed ating poduced by p s if the tansaction takes place. Stoing the quey-hits TIDs enables each neighbo to keep tack of the quey-hits p has poduced. Once a ating is eceived, it also contains the TID of the oiginal quey and quey-hit. This enables the neighbos to associate the ating with the oiginal quey-hit. While a quey-hit may not always esult to a tansaction and a coesponding ating, a ating must always contain a TID seen by the neighbo in the past, as long as the ating s TTL has not expied. This enables the neighbos to detect collusions and is explained in section 4.4. The TIDs ae peiodically puged fom the neighbos, but ae stoed fo long enough time, to ensue that it will be possible fo the ating to be associated with the quey-hit, if the tansaction actually takes place. 4. ATTACKS We now pesent seveal attacks of malicious pees and show how ou middlewae pevents them, by stoing each pee s eputation in all of its immediate neighbos. 4.1 Tampeing Alte Reputation. A pee does not stoe its own eputation, thus it cannot tampe with it. A malicious pee howeve can change the eputation it stoes fo one of its neighbos. Yet, such an attempt is detected by the ecipient of the quey-hit (the geneato of the quey, p s), since multiple neighbos of p, depending on the topology, will epot p s eputation and all of them should epot the same value. In othe wods, a neighbo epoting bogus eputation might be evealed, since it may not be the only one answeing, due to the unstuctued topology. Fo example, in figue 1, A will make sue that the eputation of F epoted by both C and D is the same. The edundancy in eputation epots and the unknown topology also dete andom pees fom alteing eputations they popagate, since the alteations might be evealed. Alte Ratings. Similaly, tampeing with a pee s ating could be detected by that pee. Fo example, in figue 2, F could detect a change in its ating by D, by compaing it to the ating it eceived fom C fo the same quey-hit. Howeve, compaisons like this ae not needed, because atings ae signed by thei ceato p s. This way, the ecipients of the ating, namely the neighbos of the pee p that offeed the object, can veify that no pee on the way has alteed the ating in any way. They aleady have p s s public key, cached in the TID of the coesponding quey-hit. Signing the ating messages is needed not only to pevent alteations by andom pees on the way, but also to pevent alteations by the pee the ating efes to. Fo example, in figue 2, F is asked to popagate its own ating. Even though if a ating alteed by F was stoed in G, H, and J, pees C and D would still have the coect value and the discepancy would be noted in futue eputation epots, having digitally signed atings minimizes the isk of a successful alteation. 4.2 Blackmailing Pees stoe thei neighbos eputation and thei neighbos stoe theis. This balance of powe makes blackmailing infeasible. Futhemoe, if just one neighbo decides to epot bogus eputation, it is unning the isk of being identified as was descibed in section 4.1. 4.3 Multiple Ratings A malicious pee can ty to submit multiple positive o negative atings fo othes. Such an attack would be mounted by impesonating multiple atings coming fom the same o diffeent pees (public keys). In eithe case, since no queyhits with the same TIDs as the atings ae stoed in the neighbos, they can detect the discepancy. In othe wods, maximally one ating pe TID is stoed in evey neighbo. 4.4 Collusions Symmetic Boost. A collusion can take place in which two neighbos agee to boost each othe s eputation. This howeve would be evealed by the eplies of the est of the neighbos, fo both pees. Thus, to mutually boost each othe s eputation, all neighbos of each pee would have to coopeate and consequently all of thei neighbos, until the whole netwok was pat of the collusion. Fo example, in figue 1, if F and C decided to boost each othe s eputation,
D, G, H, and J (fo F), as well as B (fo C) would have to coopeate too, and consequently also I (fo H), K (fo J), E (fo D), and A (fo B). Incomplete Asymmetic Boost. An attack that would seem moe feasible would be fo a malicious pee to bibe some of its neighbos to boost its eputation, without howeve the attacke boosting thei eputation in etun. Obviously, the attacke would not popagate quey-hits though the neighbos that do not stoe the boosted eputation, othewise the discepancy in the epoting values would be noted in the ecipient of the quey-hits. This attack howeve is detected by the neighbos that ae not pat of the collusion, due to the fact that they ae compaing the TIDs of the atings they eceive, with the quey-hit TIDs they keep stoed. In moe detail, they would eceive atings with TIDs they have not popagated, and those atings would have a TTL that has not expied. Fo example, in figue 2 if D had been excluded fom popagating a quey-hit of F, it would detect the discepancy when eceiving the coesponding ating. On the contay, G, H, and J will not be alamed since the ating eaches them but its TTL expies. This means that they ae the TTL+1 hop of the ating. Theefoe the quey (that taveled though TTL hops) did not each them and they wee not supposed to popagate a coesponding quey-hit. B and E ae not alamed eithe, since they eceived a ating fo a pee that is not one of thei neighbos and they can safely ignoe it. Complete Asymmetic Boost. An even moe elaboate collusion involves a malicious pee bibing all of its neighbos to boost its eputation, without the attacke boosting thei eputation in etun. Since all pees paticipating in the potocol ae now malicious the attack cannot be detected. This attack howeve eveals the use of the confidence value C. The highe the numbe of pees that epot a eputation value R, the highe the numbe of pees the attacke would have to bibe. Thus, an attacke maintaining just a small numbe of bibed neighbos will only gain a eputation with a small confidence. The lack of stuctue is usually egaded as a majo hindance in managing tust infomation in unstuctued, peeto-pee systems. Ou appoach is novel, in that it utilizes exactly this chaacteistic to ceate an envionment that makes tampeing with eputation infomation cumbesome and isky. Highe eliability at a highe message ovehead can be achieved by stoing the eputation of each pee in neighbos moe than one hop away. 5. SYSTEM ALGORITHMS Even though the focus of this wok is on how to decide whee to stoe the eputation infomation, the algoithms fo selecting and fo ating the povide of an object ae also of inteest, as ae pee dynamics. The algoithm fo selecting the povide with the best eputation might weigh the atings, accoding to the pesonal opinion of the pee fo the ates, o accoding to the ates eputation as pees o even as ates. In addition to the eputation of a povide R i and the minimum tust level fo a paticula object acceptable by the consume, L j, we have intoduced one moe facto in the pee selection, namely the confidence C i in the epoted R i fo each povide. Cuently we let the consume set minimum confidence levels K j pe object, once. Consequently we let the middlewae select the povide with maximum R i, as long as R i L j and C i K j. Fo povides with equal R i s othe citeia, such as the netwok distance, can be utilized to beak the tie. The algoithm fo ating a povide might use a scale that allows compaison with the cuent ating aveage fo a povide. In that way, atings fa away fom the aveage might be noted, and the esponsibility of the ate might also be ated. Moeove, both the object povide and consume may ate each othe. Cuently we do not associate the eputation of a pee as a povide with any eputation it may have as a ate. Theefoe, to ate povides we use a simple binay ating scheme, to denote dissatisfaction (-1) o satisfaction (+1) with an object. This scheme allows the atings given by diffeent pees to be as compaable as possible, as it leaves little oom fo subjective intepetation. Futhemoe, it enables atings to be assigned automatically, since success o failue in the consumption of an object ae easie to be detemined than use satisfaction. Issues elated to pee dynamics ae also inteesting. We biefly discuss pee econnection hee and leave as futue wok a thoough investigation of highly dynamic netwoks, such as those fomed by mobile pees. When a pee entes the system it eceives the eputation of the pees it connects to fom thei neighbos. Its new neighbos eceive any existing eputation it has by its old neighbos which still stoe it togethe with its public key 1. Not all of the old neighbos need to be online at the same time fo the eputation to be etieved. These two types of updates ae achieved following potocols simila to the exchange of quey and quey-hit messages descibed ealie. If a pee is new in the netwok, its eputation is zeo and it is built as the pee engages in tansactions. By not giving any initial eputation to newcomes, we discouage pees with bad eputation to leave the system and eente unde a new identity, since building a eputation is a tedious pocess. Futhemoe, this paticula kind of attack, also known as the sybil attack, in which a malicious pee assumes multiple identities, has been the study of ecent eseach [19]. Ou middlewae, which povides the infastuctue to stoe eputation infomation petaining to an identity, can be combined with a solution such as [19] to pevent pees fom joining unde a new identity. 6. EXPERIMENTAL EVALUATION We conducted an evaluation of ou middlewae in netwoks of thousands of pees, implementing it on top of the Gnutella [4] unstuctued, pee-to-pee netwok, using the NeuoGid simulato [7]. We used 3 types of objects, distibuted unifomly (3 objects pe pee) acoss andomly connected pees. In each expeiment we an 1 andom seaches and aveaged ou esults fom 5 measuements. Apat fom the honest pees, that povide the objects they claim they have, we included a numbe of dishonest pees in the netwok. These malicious pees claim that they have evey object they ae asked fo, in othe wods eply with a bogus quey-hit to evey quey they eceive, without of couse being able to povide the eal equested object. We obseved the effect of that behavio on the opeation of the netwok, with and without using a ating scheme. When the ating scheme is used, we assume that the malicious pees can only cheat once, since then they ae discoveed 1 They will delete it once the pee econnects to anothe place, since its new neighbos will be esponsible fo stoing that infomation fom now on.
Aveage Numbe of False Matches 8 Aveage Pecision Aveage Numbe of False Matches 7 6 5 4 3 2 1 Aveage Pecision 1.8.6.4.2 2 4 6 8 1 Pecentage of Honest Nodes 2 4 6 8 1 Pecentage of Honest Nodes Figue 3: False matches to a seach, fo vaying pecentage of honest pees. Figue 4: Popotion of genuine matches, fo vaying pecentage of honest pees. Aveage Numbe of False Matches 16 Aveage Pecision Aveage Numbe of False Matches 14 12 1 8 6 4 2 Aveage Pecision 1.8.6.4.2 1 2 3 4 5 6 7 Numbe of Nodes 1 2 3 4 5 6 7 Numbe of Nodes Figue 5: False matches to a seach, fo vaying total numbe of pees. Figue 6: Popotion of genuine matches, fo vaying total numbe of pees. and eceive a bad ating that discouages othe pees to inteact with them. Vaiable pecentage of dishonest pees. Fo the fist expeiment, we kept the total numbe of pees to 1, and we vaied the numbe of honest pees in the netwok. Ou goal was to detemine to what extent the pecentage of dishonest pees affects the opeation of the netwok. Figue 3 shows the aveage numbe of false matches, i.e., bogus quey-hits. Without utilizing the ating scheme, this is quite high, even fo elatively small pecentages of dishonest pees. By using the ating scheme the numbe of false matches is vitually eliminated, even fo netwoks with many malicious pees. Figue 4 shows the aveage pecision, i.e., the aveage popotion of quey-hits that wee genuine (not bogus). When using the ating scheme, that popotion emains vey high. Supising ae the esults when not using any ating scheme. The pecision emains pactically close to zeo, even when 8% of the pees ae honest. If 1 out of 1 pees is dishonest, 9 out of 1 quey-hits ae bogus. This means that a few dishonest pees have the ability to flood the netwok with false matches, epesenting a eal theat to its opeation. Vaiable numbe of pees. It was inteesting to see if dishonest behavio is equally theatening fo lage-scale netwoks. Theefoe in the second expeiment we kept the pecentage of honest pees to 75%, and we vaied the total numbe of pees in the netwok. Figue 5 shows the aveage numbe of bogus quey-hits. Without using the ating scheme, the numbe of false matches gows vey fast fo lage netwoks. Again, the ating scheme pevents this behavio. Figue 6 shows the aveage popotion of genuine queyhits. Again by using the ating scheme this popotion emains high, even fo lage netwoks. Howeve, without a ating scheme, the dishonest pees pesent a theat even to lage-scale netwoks. Even though 3 out of 4 pees ae honest, the pecentage of genuine quey-hits emains close to zeo. We obseve that the dishonest pees ae able to flood even lage netwoks. 7. RELATED WORK Seveal pee-to-pee eputation systems have aleady been poposed, taking diffeent appoaches as to whee to stoe the eputation infomation. In RCetPX [12] a eputation cetificate is stoed in the pee that it efes to and is updated afte each tansaction. To avoid tampeing, the last ate always digitally signs the whole cetificate. Thus, the last ate needs to be online fo anothe pee to be able to veify the cetificate s coectness. Anothe complication aises fom the fact that a ate and a atee could collude to change all the atings of the atee. In P2PRep [3] a pollingbased potocol is poposed and implemented. Any pee that wants to quey the tust value of anothe pee, boadcasts a quey to the netwok, collects the eplies, and individually contacts the votes fo confimation. Apat fom the netwok taffic geneated and the delay of the pocess, this appoach counts only the eviews of pesent pees that can be eached. A simila appoach of voting, but on the eputation of objects instead of that of pees, is implemented in Cedence [18], while [16] focuses on identifying feedback that does not coespond to actual tansactions. TustMe [15] identifies anonymity as an impotant featue of tust-managing systems. The tust ating of each pee is placed at anothe andom pee, which eplies to all queies
fo the tust values it holds. One dawback of the potocol is that it elies on boadcasting, making it unacceptable fo lage-scale, unstuctued netwoks. EigenTust [8], a global vaiable egading a pee s eputation is stoed in a pee s mothe pees. The global vaiable is geneated by aggegating local vaiables in all pees, in an iteative pocess. The algoithm does not pevent mothe pees fom blackmailing a pee, no fom colluding against a pee. In NICE [9] coopeating pees fom a gaph, and a pee poviding a sevice is esponsible to pove its eliability to a pee that would like to use it, by finding a path in the gaph to that pee. Howeve duing this discovey pocess flooding is used and many ielevant pees may be contacted. Moeove, since the pee poviding a sevice is gatheing its eputation infomation, it may omit bad atings. In [1] a tust managing system on top of the P-Gid pee-to-pee system is descibed. Complaints about pees ae stoed in a vitual binay seach tee. Howeve no measues ae taken against pees stoing complaints about themselves, o against malicious pees, which might tampe with atings while they tansmit them. Simila to EigenTust, P-Gid equies a netwok stuctue to be maintained, fo the eputation infomation to be stoed and etieved. Challenges elated to the mobility of nodes have also been the focus of ecent eseach effots, identifying the mobility pattens of nodes [11], thei location [5], time, context [1], and cuent envionmental conditions [6] as othe impotant factos elated to tust. 8. CONCLUSIONS We have poposed a decentalized tust management middlewae based on eputation, fo ad-hoc, pee-to-pee netwoks. We have shown how andom topologies that may be ceated make malicious behavio like lying and colluding isky. Moeove, all pees ae equally poweful, contolling the fates of thei neighbos, while thei fates ae contolled by thei neighbos. The unstuctued natue of ad-hoc, pee-to-pee netwoks is usually egaded as an obstacle in ensuing tust. Ou middlewae elies on exactly this chaacteistic to achieve this goal and to avoid elying on a cental authoity. We have tied to keep ou middlewae s potocol simple and easy to build on top of infastuctues aleady available fo the exchange of messages, to minimize its ovehead. The communication ovehead of polling-based potocols is avoided and the only exta messages intoduced ae those caying a new ating. Futhemoe, the atings of pees that have left the system ae still pesent. Ou futue wok includes investigating the effects of mobility and elaboating on the pee selection and ating algoithms. 9. ACKNOWLEDGMENTS We wish to thank Chinya V. Ravishanka and Dimitios Gunopulos fo thei helpful advice duing the initial phase of this wok. This eseach has been suppoted by NSF Awads 33481 and 627191. 1. REFERENCES [1] K. Abee and Z. Despotovic. Managing tust in a pee-2-pee infomation system. In Intenational Confeence on Infomation and Knowledge Management, CIKM, 21. [2] V. Cahill et al. Using tust fo secue collaboation in uncetain envionments. IEEE Pevasive Computing, 2:52 61, 23. [3] F. Conelli, E. Damiani, S. D. C. di Vimecati, S. Paaboschi, and P. Samaati. Choosing eputable sevents in a P2P netwok. In Intenational Wold Wide Web Confeence, WWW, 22. [4] Gnutella Potocol Development. http://fc-gnutella.soucefoge.net/, 23. [5] T. Hoozov, N. Naasimhan, and V. Vasudevan. Using location fo pesonalized POI ecommendations in mobile envionments. In Intenational Symposium on Applications on Intenet, SAINT, 26. [6] M. Huebsche and J. McCann. A leaning model fo tustwothiness of context-awaeness sevices. In 2nd Intenational Wokshop on Pevasive Computing and Communication Secuity, PeSec, 25. [7] S. Joseph. An extendible open souce P2P simulato. P2P Jounal, pages 1 15, Novembe 23. [8] S. D. Kamva, M. T. Schlosse, and H. Gacia-Molina. The eigentust algoithm fo eputation management in P2P netwoks. In Intenational Wold Wide Web Confeence, WWW, 23. [9] S. Lee, R.Shewood, and B.Bhattachajee. Coopeative pee goups in NICE. In IEEE INFOCOM, 23. [1] J. Liu and V. Issany. Enhanced eputation mechanism fo mobile ad hoc netwoks. In Intenational Confeence on Tust Management, itust, 24. [11] L. Mcnamaa, C. Mascolo, and L. Capa. Tust and mobility awae sevice povision fo pevasive computing. In 1st Intenational Wokshop on Requiements and Solutions fo Pevasive Softwae Infastuctues, RSPSI, 26. [12] B. Ooi, C. Liau, and K. Tau. Managing tust in pee-to-pee systems using eputation-based techniques. In Intenational Confeence on Web Age Infomation Management, WAIM, 23. [13] T. Repantis and V. Kalogeaki. Data dissemination in mobile pee-to-pee netwoks. In Intenational Confeence on Mobile Data Management, MDM, 25. [14] M. Roman et al. Amiddlewae infastuctue fo active spaces. IEEE Pevasive Computing, 1:74 83, 22. [15] A. Singh and L. Liu. TustMe: Anonymous management of tust elationships in decentalized P2P systems. In Intenational Confeence on Pee-to-Pee Computing, P2P, 23. [16] M. Sivatsa, L. Xiong, and L. Liu. TustGuad: Counteing vulneabilities in eputation management fo decentalized ovelay netwoks. In Intenational Wold Wide Web Confeence, WWW, 25. [17]. Sun and H. Gacia-Molina. SLIC: A selfish link-based incentive mechanism fo unstuctued pee-to-pee netwoks. In Intenational Confeence on Distibuted Computing Systems, ICDCS, 24. [18] K. Walsh and E. Sie. Expeience with an object eputation system fo pee-to-pee fileshaing. In Netwoked Systems Design and Implementation, NSDI, 26. [19] H. Yu, M. Kaminsky, P. Gibbons, and A. Flaxman. SybilGuad: Defending against sybil attacks via social netwoks. In ACM SIGCOMM, 26.