Krishna Puttaswamy, Ranjita Bhagwan, and Venkata N. Padmanabhan
20 November 2009
Data aggregation is a key aspect of many distributed
applications, such as distributed sensing, performance
monitoring, and distributed diagnostics. In such settings, user
anonymity is a key concern of the participants. In the absence
of an assurance of anonymity, users may be reluctant to
contribute data such as their location or the configuration settings
of their computers.
In this paper, we present the design, analysis, implementation,
and evaluation of Anonygator, an anonymity-preserving
data aggregation service for large-scale distributed
applications. Anonygator uses anonymous routing to provide
user anonymity by disassociating messages from the hosts that
generated them. It prevents malicious users from uploading
disproportionate amounts of spurious data by using a lightweight
accounting scheme. Finally, Anonygator maintains
overall system scalability by employing a novel distributed
tree-based data aggregation procedure that is robust to
pollution attacks. All of these components are tuned by a
customization tool, with a view to achieving specific anonymity,
pollution resistance, and efficiency goals. To demonstrate the
usefulness of Anonygator, we have used it to prototype three
applications, one of which we have evaluated on PlanetLab.
The other two have been evaluated on a local testbed.
| Type | TechReport |
| Number | MSR-TR-2009-162 |