Learning Sybil Resistance (Work-In-Progress) Part.3

A Sybil attack is a common problem in different organizations; digital public infrastructures like Gitcoin and Twitter need data science DAOs in order to balance the requirements of public oversight and privacy preservation!

A Sybil attack is a fraudulent online identity where one person creates multiple identities in order to masquerade as another user or group of users. This type of attack is most commonly seen with reputation services like the popular ones on LinkedIn and other social media sites (Twitter, Facebook, Instagram, Snapchat, and more). In this article, we’ll be looking at some of the common types of Sybil attacks and how to prevent them. If you’d like more information on data science DAOs and their applications, check out this great resource from Blockscience.
Operationalizing the GitcoinDAO Anti-Sybil Process | by BlockScience | BlockScience | Medium

Let’s get started!

Sybil Attack, life being a Bot

One of the most concrete Sybil attack examples happening right now is on Twitter: people are creating fake followers, fake influence behavior, bots, bots, bots, and even more bots. Even though this attack has been known for many years, it’s still a very common method of falsifying data. In the blockchain industry, the Sybil attack is commonly applied to mining, forging identities, or other activities where a malicious actor tries to earn more money or to forge the data without being detected.

A Sybil attack with Reputation Scores

A Sybil attack with reputation scores can be tricky to detect, but it’s also one of the easiest to defend against. In this scenario, one person establishes multiple identities and then gives each one of those identities a very high reputation score. On social networks, this type of attack is commonly done with sock puppets (multiple accounts controlled by one person). On reputation networks, this type of attack can be used to misdirect attention or to gain access to resources that would otherwise be out of reach. For example, if you’re building a decentralized organization and your reputation score is being used to determine who gets paid what, a Sybil attack with reputation scores could be troublesome.

A Sybil Attack with Fake Accounts

In this type of attack, one person creates multiple accounts and uses those accounts to vote or participate in a system that’s susceptible to voting fraud. This type of attack is most commonly seen in online voting systems, and governance, where a person creates a large number of fake accounts in order to win an election or to change the outcome of an existing election. For example, if you’re building a decentralized voting system, you’ll want to ensure that you have a way to identify fake accounts and to remove them from the system. You can do this by requiring each account to provide a proof of identity.

A Sybil Attack with Bogus Reviews

This type of attack involves one person creating many accounts and then writing positive reviews for one or more products or services with those accounts. This type of attack is commonly used on websites like Amazon and Yelp, but it could also be applied to decentralized marketplaces. For example, if you’re building a decentralized marketplace, you’ll want to make sure that your system is able to recognize bogus reviews. This will help to keep your marketplace fair and trustworthy.

Using Trusted Identities to Fight Back

If you’re building a decentralized application, you might be able to use trusted identities to fight back against a Sybil attack. This might sound strange, but it’s actually a very effective way to defend against fraud. In this scenario, you allow users to choose a trusted identity, and then you use that trusted identity to authenticate each user’s account. The trusted identity is what actually confirms the user’s account, not the account’s reputation or another piece of data. Now, we know that one person can’t provide two different trusted identities. This means that in order for an attacker to create multiple identities, they need to provide two different trusted identities. This adds an extra layer of difficulty, which makes it more difficult for an attacker to get around your system.

Just-in-Time Authentication for Real-time Apps/dApps

If you’re building a real-time application or a decentralized app (dApp), you’ll want to make sure to use just-in-time authentication. In this scenario, you authenticate the user just before they perform an action that changes the state of the app. For example, if the user wants to post a message on your decentralized social media platform, you’ll want to authenticate them just before they submit the message. For real-time applications, it’s extremely important to authenticate the user just before they perform an action that changes the state of the app. If you authenticate the user at sign-up, an attacker could log in, create posts, and then delete the account.


Practically though, we need to account for both privacy and public accountability. Modern digital public infrastructure needs a new public accountability model! For example, there is a Vermont personal information protection company that has used data for the human data owners’ interests. One thing about this approach is that we think it would allow us to “discriminate” (act against the interest of) bots but not people, in our opinion. Lots of room for organizational/public service innovation in the FDD…

The Sybil Resistance


@mzargham @danlessa @DisruptionJoe @ZER8
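As an added illustration of the sock-puppet reputation scenario described above (example code, not part of the original post and not Gitcoin or BlockScience tooling): a constructed endorsement log and a defender-side heuristic that flags groups whose reputation comes almost entirely from endorsing each other. The endorsement data, the thresholds and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample: (endorser, endorsed, score). Accounts p1..p4 only rate
# each other, always with the maximum score; u1..u4 are ordinary users.
ENDORSEMENTS = [
    ("p1", "p2", 10), ("p2", "p1", 10), ("p1", "p3", 10), ("p3", "p1", 10),
    ("p2", "p3", 10), ("p3", "p2", 10), ("p3", "p4", 10), ("p4", "p3", 10),
    ("p4", "p1", 10), ("p1", "p4", 10),
    ("u1", "u2", 7), ("u2", "u3", 6), ("u3", "u1", 8), ("u4", "u2", 5),
    ("u1", "u4", 4), ("u2", "p1", 3),  # one outside endorsement into the ring
]

def _components(nodes, neighbours):
    """Connected components (iterative DFS) over an undirected adjacency map."""
    seen, comps = set(), []
    for start in nodes:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(neighbours[n] - comp)
        seen |= comp
        comps.append(comp)
    return comps

def find_endorsement_rings(endorsements, min_size=3, inside_ratio=0.9):
    """Flag groups (>= min_size accounts) linked by mutual endorsements whose
    inbound reputation comes at least `inside_ratio` from inside the group.
    Assumed heuristic: real users also receive endorsements from outsiders."""
    given = {(a, b) for a, b, _ in endorsements}
    mutual = defaultdict(set)
    for a, b in given:
        if (b, a) in given:  # only mutual pairs form the candidate graph
            mutual[a].add(b)
            mutual[b].add(a)
    nodes = {n for e in endorsements for n in e[:2]}
    rings = []
    for comp in _components(nodes, mutual):
        if len(comp) < min_size:
            continue
        inbound = [(a, b) for a, b, _ in endorsements if b in comp]
        inside = sum(1 for a, _ in inbound if a in comp)
        if inbound and inside / len(inbound) >= inside_ratio:
            rings.append(frozenset(comp))
    return rings
```

Flagged groups are candidates for review, not an automatic ban; the ratio threshold decides how much outside endorsement a real community is expected to attract.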
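A second added example, also not from the original post, for the fake-account voting, trusted-identity and just-in-time authentication sections: a constructed account-to-trusted-identity registry with a revocation list, and a tally that collapses every account backed by the same trusted identity into one vote and authenticates each vote at the moment it changes state. All names, timestamps and the "last authenticated vote from an identity wins" policy are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Vote:
    account: str
    choice: str
    submitted_at: int  # constructed timestamp (seconds)

# Constructed registry: account -> trusted identity it was verified against.
# a1..a3 are sock puppets that all resolve to the single trusted identity id-A.
TRUSTED_IDENTITY = {"a1": "id-A", "a2": "id-A", "a3": "id-A",
                    "b1": "id-B", "c1": "id-C", "d1": "id-D"}
# Trusted identities whose attestation was revoked, with the revocation time.
REVOKED_AT = {"id-D": 150}

def authenticate_jit(account, at):
    """Just-in-time check: the account must map to a trusted identity that is
    still valid at time `at`. Returns the identity, or None if it fails."""
    ident = TRUSTED_IDENTITY.get(account)
    if ident is None:
        return None
    if REVOKED_AT.get(ident, float("inf")) <= at:
        return None
    return ident

def naive_tally(votes):
    """One vote per account: what a Sybil attacker exploits."""
    return dict(Counter(v.choice for v in votes))

def sybil_resistant_tally(votes):
    """One vote per trusted identity, each vote authenticated when submitted."""
    by_identity = {}
    for v in sorted(votes, key=lambda v: v.submitted_at):
        ident = authenticate_jit(v.account, v.submitted_at)
        if ident is None:
            continue  # unverified account or identity revoked at submit time
        by_identity[ident] = v.choice  # later vote from the same identity replaces earlier
    return dict(Counter(by_identity.values()))

# Constructed ballot: three puppets, two real "no" voters, a revoked identity,
# and an account that was never verified.
VOTES = [Vote("a1", "yes", 100), Vote("a2", "yes", 101), Vote("a3", "yes", 102),
         Vote("b1", "no", 103), Vote("c1", "no", 104), Vote("x9", "yes", 105),
         Vote("d1", "yes", 160)]
```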


Thank you very much for posting this educational series Armand! I am more aware of the complexities of the anti-sybil challenge now. I appreciate you breaking things down into easy to understand terms. We should add a link to the Knowledge Base featuring your 3 part piece.


Thanks @David_Dyor, I’ll be working on Part No.4 during the weekend and should post it on Sunday.

Thanks for writing this up; it means more people will understand it easily.