Detecting Sybil Attacks in Cloud Computing Environments Based on Fail-Stop Signature

Due to the loosely coupled property of cloud computing environments, no node has complete knowledge of the system. For this reason, detecting a Sybil attack in cloud computing environments is a non-trivial task. In such a dynamic system, the use of algorithms based on tree or ring structures for collecting the global state of the system has unfortunate downsides, that is, the structure should be re-constructed in the presence of node joining and leaving. In this paper, we propose an unstructured Sybil attack detection algorithm in cloud computing environments. Our proposed algorithm uses one-to-one communication primitives rather than broadcast primitives and, therefore, the message complexity can be reduced. In our algorithmic design, attacker nodes forging multiple identities are effectively detected by normal nodes with the fail-stop signature scheme. We show that, regardless of the number of attacker nodes, our Sybil attack detection algorithm is able to reach consensus.


Introduction
A Sybil attack [1] is a well-known attack in peer-to-peer (P2P) systems. To subvert the P2P systems, an attacker node generates non-existent pseudonymous identities and colludes with other attacker nodes to hinder or delay the objectives of normal nodes. It has been proven that large-scale Sybil attacks can be easily carried out in distributed hash tables (DHTs) of the peer-to-peer file sharing protocol (BitTorrent) [2,3] and several solutions to the Sybil attacks in various environments have been studied [4][5][6][7][8][9].
In dynamic computing systems such as cloud computing, detecting Sybil attacks is a non-trivial task because the network topology is not fully connected due to the loosely coupled property. For instance, in cloud computing environments, virtualized resources (virtual machines) are provided over the Internet on demand [10][11][12]. As the use of cloud computing is expanding rapidly, security protection and threat mitigation mechanisms for healthcare, privacy preservation, and intrusion detection have been proposed [13][14][15][16][17][18][19]. However, the existing research work for detecting a Sybil attack is heavily based on routing tables, and the message complexity of the work is sub-optimal.
In this paper, we propose an efficient algorithm for detecting Sybil attacks in cloud computing environments. Unlike the previous work, our algorithm does not rely on broadcast primitives and, therefore, the message complexity can be reduced from $O(n^2)$ to $O(n)$, where n is the number of nodes in the system. To deal with attacker nodes, we use a randomized approach, where each node maintains small membership information, called local view, instead of full membership information, and each local view can be constructed by sampling random nodes in the system. To effectively detect a Sybil attack, we use the fail-stop signature scheme [20]. The objective of employing the fail-stop signature scheme is to remove attacker nodes' information in the local view. How to detect attacker nodes in the system and how to realize such local view maintenance using the fail-stop signature scheme is at the core of our algorithmic design.
The remainder of the paper is organized as follows. In Section 2, we describe preliminaries and related work including our system model and problem definition. The two-phase algorithm for detecting Sybil nodes in loosely-coupled networks is presented in Section 3. Section 4 presents the performance evaluation with realistic scenarios and a formal proof of the proposed Sybil attack detection algorithm. Finally, Section 5 concludes the paper.

Sybil Attack
In a Sybil attack, a malicious or a Sybil node counterfeits a large number of identities to subvert the reputation system of a peer-to-peer (P2P) network. When the Sybil attack is successfully launched, the Sybil nodes are able to gain control of the network because a number of logical nodes in an overlay network are controlled by Sybil nodes. The Sybil attack has been a threat to network security in many forms, and a small number of Sybil nodes can compromise the network by making benign nodes isolated in membership management [21].
The Sybil attack can be formulated as follows [22]. The set of participants in the network is denoted as $N = \{node_1, node_2, node_3, \ldots, node_n\}$, and the set of users in the network is denoted as $U = \{user_1, user_2, user_3, \ldots, user_m\}$, where $n \geq m$. The set of logical nodes controlled by a user $u_i$ is denoted by $N_i$. It follows N i N j , where ∀ i, j: i = j and N 1 N 2 . . .N m = N. Then, the Sybil attack is characterized by $user_i$ as $|N_i| > c$, where $c$ is a certain threshold.
Figure 1 depicts the Sybil nodes and the Sybil attack. In the bottom layer, there are physical or logical nodes. When a node is provisioned as a virtual machine in cloud computing environments, the node can be regarded as a logical node. In the top layer, there is an overlay network. The Sybil node in the bottom layer has multiple identities and, therefore, it can have more control capabilities of the network even if the number of Sybil nodes is small.
In Figure 1, there are four normal nodes and one Sybil node in the bottom layer. However, in the top layer, there are three Sybil nodes because the Sybil node has multiple identities in the overlay network. In this circumstance, the Sybil node can gain control of the network. For instance, the Sybil node spreads the wrong commands to sleep forever, sends malicious programs to perform a distributed denial of service (DDoS) attack, or informs erroneous results of computation to hinder the normal nodes.

Related Work
There are three broad categories of Sybil threats [23] (i.e., routing attacks, storage and retrieval attacks, and miscellaneous attacks) and four categories for their countermeasures [24] (i.e., use of diverse routing schemes, limitation on the number of peers, verification of some types of requirements, and periodical refresh of the routing tables or of the IDs). The first category of Sybil threats can have various forms including polluted lookup routing with forged identities, incorrect routing update operations for routing tables, and partition into a non-existent network. The second type of threats can be represented by denying notifications for delivered data or pretending to have resources that are not actually owned by providing fake resources or data. The third one is comprised of different malicious attitudes and attributes that cannot be classified in the two categories; that is, exhibiting inconsistent behavior, overload of target nodes, frequent churning, or flooding unsolicited messages to the network. In [25], the authors proposed a diversity routing ID lookup and trust profile technique for a distributed hash table (DHT). To avoid incorrect routing for finding nodes or values, they use a redundancy-based zig-zag routing mechanism. In [26], the authors proposed secure routing primitives by providing failure tests for high probability of message delivery with two routing tables: one for exploiting network proximity and the other for exploiting a constraint on closeness. For trust management of P2P systems, a scalable overlay network creation technique has been proposed based on a reputation model [27].
SybilGuard [4] uses a randomized routing algorithm with a predefined number of hops and performs identity verification based on routing information. Since SybilGuard relies on the predefined parameter, it is essential to choose the proper value of the parameter. Newsome et al. [28] designed countermeasures for various types of Sybil threats in sensor networks. For incorrect routing update operations, they employ periodic identity legitimacy checks for neighbor nodes, and provide randomized key-sets to each node in order to test coinciding keys in sets of different nodes in the network.
Rowaihy et al. [29] proposed a signature-based scheme with hierarchical structures based on bootstrap graphs. Borisov [30] incorporated computational puzzles with locally-generated challenges. The approach uses a combining function to generate certificates that can be used to prove that each node's challenge was delivered. Steiner et al. [31] explored DHT traffic by analyzing false ID creations and proposed a double-key encryption scheme for new IP addresses by a central agent. Several important issues that need to be addressed in this literature are: (i) no single point of failure; (ii) efficient solution in terms of the number of messages; (iii) effective reduction of Sybil nodes in the network; and (iv) no false errors (false positives or false negatives). In this paper, we propose a Sybil attack detection scheme that resolves the above issues. More specifically, our approach does not rely on a centralized authority and is efficient in terms of the number of messages since it uses one-to-one message communication rather than broadcast primitives. To effectively diminish Sybil nodes in the network, we employ the fail-stop signature scheme and, therefore, false errors can be eliminated for detecting Sybil nodes.

System Model
We assume that the cloud computing infrastructure consists of a collection of n nodes, $node_1, node_2, node_3, \ldots, node_n$, and each node is functionally equal to another node. To achieve a common goal, individual nodes process arbitrary programs. Each node has no global information of the system and the nodes communicate solely by passing messages. Message sending and receiving are done in an asynchronous way and all decisions are made by local information. Messages are delivered reliably with finite and arbitrary time delay. For message exchange, each node maintains partial neighbor information in local view and constructing local view can be done by the peer sampling service [32]. The attacker nodes have unlimited computational power to produce the same signature and match the public key of other nodes based on the fail-stop signature scheme [12].

Problem Definition
We consider a cloud computing environment in which the network topology is not fully connected due to the loosely-coupled property. Since it is almost impossible for each node to have the full membership information of the dynamic network, individual nodes maintain a small membership information called local view. Under this assumption, message propagation or aggregation can be done with a round-based one-to-one communication mechanism. At each round, a node selects f (fanout) neighbors and communicates with the neighbors in push, pull, or push-pull mode. This type of communication pattern is also known as gossip. Among nodes, a Sybil node produces multiple identities to control the network with unlimited computational resources. The problem is to detect Sybil nodes and defend the Sybil attack in the cloud computing environment satisfying the following properties.

• Safety: If a normal node (node i) encounters a Sybil node (node j) performing the Sybil attack by generating multiple identities, node i can determine whether node j is a Sybil node of the network or not.
• Liveness: If a Sybil node (node j) starts the Sybil attack, normal nodes eventually detect node j as a Sybil node.

The informal definitions of safety and liveness in distributed algorithms are nothing bad happening and something good eventually happening, respectively. More specifically, the safety property in our algorithm is to make sure that if a normal node (node i) tests a Sybil node (node j), node i always confirms that node j is, indeed, a Sybil node. Likewise, the liveness property in our algorithm is to make sure that when a Sybil node (node j) exists in the network, node j is detected by normal nodes eventually. The safety property is reducible to the proof of the fail-stop signature scheme [33] and the liveness property is reducible to the proof of the gossip protocol [34].

The Proposed Sybil Attack Detection Algorithm
This section describes how to detect Sybil nodes and defend the Sybil attack under loosely-coupled networks. We employ the fail-stop signature scheme, where a signer who has a secret key produces a signature and many other keys can be used to produce the same signature matching the public key. Therefore, there is a high probability that the key computed or guessed by Sybil nodes will be different from the one held by normal nodes. How to apply the fail-stop signature to the loosely-coupled network for detecting Sybil nodes and defending the Sybil attack is at the core of our approach.
Basically, there are two threads for message exchange between nodes: active thread and passive thread [32]. Algorithm 1 shows pseudocode of the active thread for the basic communication protocol. At each round, each node randomly selects one of the neighbors from its local view, and then sends its own node information to the target in push mode. In pull mode, a node tries to receive a target's node information and, in turn, updates the local information accordingly. The push-pull mode is considered as a combination of the push mode and the pull mode of the communication protocol.
At the passive thread side, the node waits for messages from other nodes for communication. When a node sends a message to a target node, the passive thread of the target node is triggered. As shown in Algorithm 2, it receives the target node's information in push mode and updates with its own local information, then it sends the local information to the target in pull mode. Note that the fanout parameter is set to 1 for simplicity in Algorithms 1 and 2.
The summary of the fail-stop signature scheme, where signers enjoy unconditional unforgeability and verifiers bear the risk of forged signatures, is as follows [20]: A trusted third party (TTP) chooses a prime modulus $p$ satisfying $p - 1 = 2q$, where $q$ is a prime number, $g \in \mathbb{Z}_p$, and $r \in \mathbb{Z}_q^*$, then it computes $R = g^r$ and sends $(p, q, g, R)$ to a node, while $r$ is kept secret by the TTP. A node chooses $x = (a_1, a_2, b_1, b_2) \in \mathbb{Z}_q$ and computes $R \equiv g^r \pmod{p}$, $A \equiv g^{a_1} R^{a_2} \pmod{p}$, and $B \equiv g^{b_1} R^{b_2} \pmod{p}$.
Next, the node sends $K = (g, p, R, A, B)$ to the registry while $x$ is kept secret by itself. For signing message $m$, a node produces $s = SG_x(m) = (\beta_1, \beta_2)$, where $\beta_1 \equiv a_1 + m b_1 \pmod{q}$ and $\beta_2 \equiv a_2 + m b_2 \pmod{q}$. For verification of signature $s' = (\beta_1', \beta_2')$, message $m'$, and public key $K$, it checks whether $V_K(m', s') = (AB^{m'} \equiv g^{\beta_1'} R^{\beta_2'} \pmod{p})$. For forged signature $s' = (\beta_1', \beta_2')$ on message $m$, it computes , where $s = (\beta_1, \beta_2)$ is the original signature for $m$.
Algorithm 3 shows our two-phase Sybil node detection algorithm integrated with the fail-stop signature scheme. Two data structures are used for checking Sybil nodes, that is, sybilNodes[] for the first phase and conflictCheck[] for the second phase. In each round, node i performs the checkSybil() function to check whether node target exists in sybilNodes[]. If this first checking procedure is passed, it proceeds to the second checking procedure. Otherwise, it does not perform local information update operations with the Sybil node. The checkConflict() function is performed for the second phase to detect Sybil nodes. In the checkConflict() function, it checks whether there is conflict information with node target's identity.
This conflict verification procedure is performed to reduce unnecessary signature verification operations. Without the conflict verification, it will always perform the signature verification procedure provided that node target is not in sybilNodes[]. After the conflict verification procedure, the verifySignature() function based on the fail-stop signature scheme is performed. If node target's message is forged, node i will not perform message exchange operations with node target and the Sybil node's information is stored in sybilNodes[]. Thereby, whenever the same Sybil node is encountered, the Sybil node is filtered in the first phase with sybilNodes[].
For computational complexity of the proposed algorithm, a node should perform the discrete logarithm computation for the fail-stop signature scheme. However, this discrete logarithm computation is executed only when messages are forged. In other words, when no Sybil nodes exist and no Sybil attack is launched, the computation will not be performed according to the specification of the proposed algorithm. Hence, the computational complexity is proportional to the number of Sybil nodes activating the attack in the network. Furthermore, as Sybil nodes are detected, the amount of computation required decreases.
The fail-stop signature scheme is integrated into Algorithm 3 as follows: Before sending a message, each node signs the message producing $s = SG_x(m) = (\beta_1, \beta_2)$. To verify the signature, a node checks $V_K(m', s') = (AB^{m'} \equiv g^{\beta_1'} R^{\beta_2'} \pmod{p})$ (Line 31). The message signing and signature verification procedures are omitted in Algorithm 3 for simplicity.
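The signature scheme summarized above and the checkSybil() / checkConflict() / verifySignature() flow, written out as an added Python example that is not the paper's Algorithm 3. Assumptions: the toy parameters p = 2039, q = 1019 and g = 4 (an element of order q), the proof-of-forgery relation derived from the verification equation, the conflict rule (another sender presents this node's own identity), and the names Node, receive and constructed_forgery.

```python
import secrets

# Toy parameters, constructed for illustration (far too small for real use).
P, Q = 2039, 1019   # primes with p - 1 = 2q
G = 4               # assumption: a quadratic residue mod p, so g has order q

def ttp_setup():
    """TTP: pick secret r in Z_q^*, publish R = g^r mod p."""
    r = 1 + secrets.randbelow(Q - 1)
    return r, pow(G, r, P)

def keygen(R):
    """Node: pick secret x = (a1, a2, b1, b2), publish K = (g, p, R, A, B)."""
    a1, a2, b1, b2 = (secrets.randbelow(Q) for _ in range(4))
    A = pow(G, a1, P) * pow(R, a2, P) % P
    B = pow(G, b1, P) * pow(R, b2, P) % P
    return (a1, a2, b1, b2), (G, P, R, A, B)

def sign(x, m):
    """s = (beta1, beta2) = (a1 + m*b1, a2 + m*b2) mod q."""
    a1, a2, b1, b2 = x
    return ((a1 + m * b1) % Q, (a2 + m * b2) % Q)

def verify(K, m, s):
    """Check A * B^m == g^beta1 * R^beta2 (mod p)."""
    g, p, R, A, B = K
    return A * pow(B, m, p) % p == pow(g, s[0], p) * pow(R, s[1], p) % p

def prove_forgery(own, forged):
    """Two distinct valid signatures on one message satisfy
    beta1 + r*beta2 == beta1' + r*beta2' (mod q), which yields r.
    Returns r, or None when the second components do not differ."""
    d2 = (forged[1] - own[1]) % Q
    if d2 == 0:
        return None
    return (own[0] - forged[0]) * pow(d2, -1, Q) % Q

def constructed_forgery(r, genuine, t=7):
    """Sample input only: a second valid signature on the same message,
    built with the TTP's r to stand in for an attacker with unlimited power."""
    return ((genuine[0] - r * t) % Q, (genuine[1] + t) % Q)

class Node:
    """Receiver-side checks for the node whose identity is being claimed."""

    def __init__(self, ident, x, K):
        self.ident, self.x, self.K = ident, x, K
        self.sybil_nodes = set()   # sybilNodes[]: senders proven to forge
        self.verifications = 0     # number of verifySignature() runs

    def check_conflict(self, claimed):
        # Assumed conflict rule: an incoming message claims this node's identity.
        return claimed == self.ident

    def receive(self, sender, claimed, m, s):
        if sender in self.sybil_nodes:            # phase 1: checkSybil()
            return "filtered"
        if not self.check_conflict(claimed):      # phase 2: checkConflict()
            return "accepted"
        self.verifications += 1                   # verifySignature() on conflict only
        g, p, R = self.K[:3]
        r = prove_forgery(sign(self.x, m), s) if verify(self.K, m, s) else None
        if r is None or pow(g, r, p) != R:
            return "rejected"                     # no proof of forgery available
        self.sybil_nodes.add(sender)              # remembered for phase 1
        return "sybil"

def demo():
    r, R = ttp_setup()
    x, K = keygen(R)
    node_k = Node("node_k", x, K)
    m = 123                                       # message encoded as an integer in Z_q
    forged = constructed_forgery(r, sign(x, m))
    first = node_k.receive("addr_j", "node_k", m, forged)
    second = node_k.receive("addr_j", "node_k", m, forged)
    other = node_k.receive("addr_l", "node_l", m, (0, 0))
    return first, second, other, node_k.verifications

if __name__ == "__main__":
    print(demo())
```

The forged signature passes the public verification check, yet the signer's own signature on the same message exposes r; the second encounter with the same sender is dropped in phase 1 without another signature verification.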

Proof and Performance Evaluation of the Algorithm
In this section, we formally prove the proposed Sybil attack detection algorithm in terms of safety and liveness. Then, we present experimental results that demonstrate the performance of our two-phase Sybil nodes detection algorithm based on the fail-stop signature scheme described in Algorithm 3.

Proof of the Algorithm
We prove the proposed Sybil attack detection algorithm based on the fail-stop signature by showing the satisfaction of the safety and liveness properties. For message complexity, refer to [35], which formally proved that the message complexity of one-to-one communication used in our algorithm is O(n).
Theorem 1. The proposed Sybil attack detection algorithm based on the fail-stop signature satisfies the safety property.
Proof of Theorem 1. The proof is by contradiction. Suppose node i is a normal node and node j is a Sybil node in the network. Since node j is a Sybil node, node j will pretend it is another node by generating a forged identity. Suppose node k is a normal node and node j tries to forge node k's identity. If node i finds node j assuming node k's identity, node i performs the specification of Algorithm 3 and will be informed about node k's information. Since node j is checked by either the checkSybil() function or the checkConflict() function, node i knows node j is a Sybil node. If node j is checked by the checkSybil() function, the signature of node j is already verified confirming that node j is a Sybil node. If node j is checked by the checkConflict() function, the verifySignature() function is performed inside the checkConflict() function. Then, the information of node j is stored in sybilNodes[]. Once this procedure is performed, node j is regarded as a Sybil node by the checkSybil() function without performing a signature verifying computation. Either way, the verification step based on the fail-stop signature scheme is performed. More precisely, for forged signature $s' = (\beta_1', \beta_2')$ on message $m$, it computes , where $s = (\beta_1, \beta_2)$ is the original signature for $m$. Since the fail-stop signature scheme is based on the discrete logarithm problem, it is impossible for node j to deny the challenge (non-repudiation). This is a contradiction. Therefore, the proposed Sybil attack detection algorithm based on the fail-stop signature satisfies the safety property.
Theorem 2. The proposed Sybil attack detection algorithm based on the fail-stop signature satisfies the liveness property.

Proof of Theorem 2. The proof is by induction.
Basis: There is one Sybil node in the network. Let node j be the Sybil node in the network. Since there is one Sybil node in the network, node j should generate a very large number of identities to control the network. In this case, there is a high probability to be detected by normal nodes and the Sybil node's information will be propagated rapidly. If node j tries to generate only one forged identity (i.e., node k's identity), there are two cases. One is that node j is detected by node k. The other case is that node j is detected by another normal node. Once node k encounters node j, node j is regarded as a Sybil node. In the latter case, node j is detected when another normal node called node l encounters node j by performing Algorithm 3. Therefore, the proposed Sybil attack detection algorithm based on the fail-stop signature satisfies the liveness property when there is one Sybil node in the network.

Induction step (1):
There are k Sybil nodes in the network. Let node i be a normal node in the network. Suppose that node i detects one of k Sybil nodes in the network based on the basis step. Then, the number of Sybil nodes that remain undetected is k − 1. Likewise, another Sybil node will be detected as the communication round goes on and, therefore, the number of detected Sybil nodes will increase. After launching the Sybil attack, the Sybil node is detected because of the non-repudiation property of the fail-stop signature scheme. If a Sybil node does not launch the Sybil attack, it will act as a normal node. However, because of the definition of a Sybil node, a Sybil node eventually will launch the Sybil attack. Therefore, the proposed Sybil attack detection algorithm based on the fail-stop signature satisfies the liveness property when there are k Sybil nodes in the network.

Induction step (2):
There are k + 1 Sybil nodes in the network. Let $node_{k+1}$ be the (k + 1)-th Sybil node in the network. Since k Sybil nodes are detected based on induction step (1), there is one Sybil node that remains undetected in the network. In this case, the situation is the same as the basis case. Since the basis step is proved, it also proves the induction step (2). Therefore, the proposed Sybil attack detection algorithm based on the fail-stop signature satisfies the liveness property.

Experimental Results
Table 1 shows experimental parameters used in our evaluation. We assume that numerous nodes exist in the network and the communication mode is the push-pull mode. Rather than maintaining the full membership information, each node stores 20 neighbors' information at maximum with the peer sampling service and, therefore, the complexity of the overlay network is greatly simplified. We vary percentages of Sybil nodes from 0.1 to 0.4. The percentages of Sybil nodes are not configured to higher than 0.5 since we require at least n/2 + 1 normal nodes for consensus [10]. We show the effectiveness of our Sybil nodes detection algorithm under this constrained circumstance.
A Sybil node is eager to spread malicious or incorrect information to normal nodes by selecting one or more neighbors from its local view. In this regard, the selected target node from the Sybil node can be either a normal node or a Sybil node. When the Sybil node selects a normal node, the attack can proceed. Figure 2 shows the number of Sybil nodes encountered by normal nodes. Note that the numbers of the graphs are averaged over the number of normal nodes in the network. Obviously, as the number of rounds increases, the number of Sybil nodes encountered by normal nodes increases. For higher than the 90th percentile of cumulative distribution function (CDF), the proposed algorithm requires at least four rounds and five rounds when percentages of Sybil nodes are less than or equal to 0.2 and greater than or equal to 0.3, respectively. To reach the 100th percentile of CDF, more rounds are required as the percentage of Sybil nodes increases.

Figure 3 shows the standard deviation for the number of Sybil nodes encountered by normal nodes. At early stages, the standard deviation is relatively high regardless of the percentages of Sybil nodes. However, as the number of rounds goes on, the standard deviation approaches 0. The peak value of the standard deviation appears at round 1 since there is a great deal of uncertainty for a node to encounter a Sybil node.
Figure 4 shows the number of active Sybil nodes in the network. With our proposed Sybil nodes detection algorithm based on the fail-stop signature scheme, the number of active Sybil nodes logarithmically decreases. This signifies that our algorithm is effective in terms of reducing the number of Sybil nodes in the network. Moreover, because our algorithm does not rely on broadcast primitives, the message complexity is also greatly reduced.

Conclusions
In this paper, we proposed a Sybil attack detection algorithm in cloud computing environments based on the fail-stop signature scheme. Despite the attacker nodes that have unlimited computational power and can generate forged signatures for messages, our algorithm is able to detect the attacker nodes effectively in dynamic environments. Therefore, normal nodes in the system can reach consensus regardless of the number of attacker nodes by removing attacker nodes' information in local view. Since the proposed algorithm does not rely on broadcast primitives, the message complexity of our algorithm is O(n). Future work includes the optimization of the proposed algorithm for efficiency in terms of the required rounds and uniformity of neighbor information in the local view for normal nodes.


Figure 1. Illustration of Sybil nodes and the Sybil attack.

Table 1. Experimental parameters and their values.