The Forgiving Tree: A Self-Healing Distributed Data Structure

The Forgiving Tree: A Self-Healing Distributed Data Structure Tom Hayes∗ Navin Rustagi † Jared Saia † Amitabh Trehan † Abstract We consider the problem of self-healing in peer-to-peer networks that are under repeated attack by an omniscient adversary. We assume that the following process continues for up to n rounds where n is the total number of nodes initially in the network: the adversary deletes an arbitrary node from the network, then the network responds by quickly adding a small number of new edges. We present a distributed data structure that ensures two key properties. First, the diameter of the network is never more than O(log ∆) times its original diameter, where ∆is the maximum degree of the network initially. We note that for many peer-to-peer systems, ∆is polylogarithmic, so the diameter increase would be a O(log log n) multiplicative factor. Second, the degree of any node never increases by more than 3 over its original degree. Our data structure is fully distributed, has O(1) latency per round and requires each node to send and receive O(1) messages per round. The data structure requires an initial setup phase that has latency equal to the diameter of the original network, and requires, with high probability, each node v to send O(log n) messages along every edge incident to v. Our approach is orthogonal and complementary to traditional topology-based approaches to defending against attack. 1 Introduction Many modern networks are reconfigurable, in the sense that the topology of the network can be changed by the nodes in the network. For example, peer-to-peer, wireless and mobile networks are reconfigurable. More generally, many social networks, such as a company’s organizational chart; infrastructure networks, such as an airline’s transportation network; and biological networks, such as the human brain, are also reconfigurable. Unfortunately, our mathematical and algorithmic tools have not developed to the point that we are able to fully understand and exploit the flexibility of reconfigurable networks. For example, on August 15, 2007 the Skype network crashed for about 48 hours, disrupting service to approximately 200 million users due to what the company described as failures in their “self-healing mechanisms” [2, 6, 12, 14, 18, 20]. We believe that this outage is indicative of a much broader problem. Modern reconfigurable networks have a complexity unprecedented in the history of engineering: we are approaching scales of billions of components. Such systems are less akin to a traditional engineering enterprise such as a bridge, and more akin to a living organism in terms of complexity. A bridge must be designed so that key components never fail, since there is no way for the bridge to automatically recover from system failure. In contrast, a living organism can not be designed so that no component ever fails: there are simply too many components. For example, skin can be cut and still heal. Designing skin that can heal is much more practical than designing skin that is completely impervious to attack. Unfortunately, current algorithms ensure robustness in computer networks through hardening individ- ual components or, at best, adding lots of redundant components. Such an approach is increasingly unscalable. In this paper, we focus on a new, responsive approach for maintaining robust reconfigurable networks. Our approach is responsive in the sense that it responds to an attack (or component failure) by changing ∗Toyota Technological Institute, Chicago, IL 60637; email: hayest@tti-c.org †Department of Computer Science, University of New Mexico, Albuquerque, NM 87131-1386; email: { navin, saia, amitabh}@cs.unm.edu. This research was partially supported by NSF CAREER Award 0644058, NSF CCR-0313160, and an AFOSR MURI grant. arXiv:0802.3267v1 [cs.DC] 22 Feb 2008 the topology of the network. Our approach works irrespective of the initial state of the network, and is thus orthogonal and complementary to traditional non-responsive techniques. There are many desirable invariants to maintain in the face of an attack. Here we focus only on the simplest and most fundamental invariants: ensuring the diameter of the network and the degrees of all nodes do not increase by much. Our Model: We now describe our model of attack and network response. We assume that the network is initially a connected graph over n nodes. An adversary repeatedly attacks the network. This adversary knows the network topology and our algorithms, and it has the ability to delete arbitrary nodes from the network. However, we assume the adversary is constrained in that in any time step it can only delete a single node from the network. We further assume that after the adversary deletes some node x from the network, that the neighbors of x become aware of this deletion and that the network has a small amount of time to react by adding and deleting some edges. This adversarial model captures what can happen when a worm or software error

…(Full text truncated)…

This content is AI-processed based on ArXiv data.