Dissertation Proposal: Securing Location Privacy in Vehicular Communication Systems and Applications. George Corser, PhD Candidate, Oakland University, May 1, 2014
Agenda • Background • Problem Statement • Related Work • Preliminary Results • Proposed Research
1. Background • What is VANET? • DSRC Protocol Stack(s) • Why VANET? • What is Privacy? • VANET Privacy Threat Model
What is VANET? Vehicular Ad-hoc Network. (Diagram labels: Global Positioning System; Roadside Unit; V2V: Vehicle-to-vehicle; V2I: Vehicle-to-infrastructure, also called V2R, vehicle-to-roadside.) Image source: http://adrianlatorre.com/projects/pfc/img/vanet_full.jpg
DSRC Protocol Stack(s) (diagram: Location Based Services) • Two DSRC stacks • WSMP: WAVE Short Message Protocol • TCP/IP • DSRC: Dedicated Short Range Communications • WAVE: Wireless Access for Vehicular Environments Image source: Kenney, 2011
Why VANET? Major Applications • Safety • Application: Collision Avoidance • Est: Eliminate 82% of crashes of non-impaired drivers (US DOT) • Est: $299.5 billion for traffic crashes (AAA) • Traffic Management • Application: Congestion reduction • Est: $97.7 billion for congestion (AAA) • Infotainment (LBS) • Applications: Simple queries, Navigation • Application: Frequent precise location (FPL) queries
What is Privacy? • Definitions of privacy • Charles Fried (1984): “Privacy is not simply an absence of information about us in the minds of others, rather it is the control we have over information about ourselves.” • James Moor (1997): “I agree that it is highly desirable that we control information about ourselves. However, in a highly computerized culture this is simply impossible.” • IEEE 1609.2 (2013): “Anonymity—meaning the ability of private drivers to maintain a certain amount of privacy—is a core goal of the system.”
What is Privacy? • Types of privacy • Identity privacy: unlinkability with personally identifiable information (PII); often achieved with pseudonyms. • Location privacy: unlinkability of PII with a geographical position, and further, the unlinkability of one pseudonym with another by using location data. • Query privacy: unlinkability of PII, not only with location, but also with the particular type of request made or service used. • This research would focus on location privacy.
What is Privacy? • Desired properties of vehicle network privacy systems • Safety (Collision Avoidance) • Trust (Authentication) • Identity Privacy (Pseudonymity*) • Location Privacy (Untrackability) • Historical Privacy (Untraceability) • Conditional Privacy (Accountability) • Revocability • Trust Authority Decentralization • Anonymous LBS Access (LBS Pseudonymity) • Map Database Undeanonymizability • Context Awareness (Contextuality) • User Consent, Choice, Control * a.k.a. anonymous authentication, pseudonymous authentication
VANET Privacy Threat Model (diagram: APP Layer, MAC Layer) • LBS: Location Based Service, an internet application which uses geographical position as input (e.g. Google Navigation) • RSU: Roadside unit, a wireless access point for vehicles to connect to wired network infrastructure
2. Problem Statement • VANET (MAC Layer) • Ultra low latency, for safety • Low overhead, for wireless efficiency • Conditional/revocable anonymity, for privacy • LBS (APP Layer) • Frequent precise location (FPL) service availability • Undeanonymizable* anonymous service access with privacy over wide geographical range • How to achieve vehicular location privacy? * protect from RSU/LBS collusion and map deanonymization
3. Related Work • Location Privacy Techniques • Location Privacy Theory • Dummy Events • Dummy Events v. Active Decoys • Location Privacy Metrics
Location Privacy Techniques • Group signature • Chaum, 1991, 1712 citations • Boneh,Boyen, Shacham, 2004, 1024 citations • Mix zones • Beresford, Stajano, 2003, 1068 citations • Cloaking, anonymous LBS • Gruteser, Greenwald, 2003, 1303 citations
Location Privacy Theory (diagram: Group Signatures, Mix Zones, Cloaking) Image source: Shokri (2010)
Dummy Events (image source: Location Privacy in Pervasive Computing, Beresford & Stajano, 2003) • Early abandonment • Assumption: many concentrated vehicles require continuous privacy protection?
Dummy Events • Recent resurgence, special applicability to vehicular settings • Assumption: only a subset of users desire privacy?
Dummy Events v. Active Decoys • Dummy event: a message containing false data, sent in order to help conceal a genuine message. Dummy events and genuine messages are sent by the same genuine entity, and function analogously to aircraft flares. • Active decoy: a dummy event sent by an entity pretending to be the genuine one. Active decoys function analogously to fleeing and dispersing animals in a herd. The proposed research is designed to examine the tradeoffs between safety, efficiency and privacy using dummy event and active decoy methods.
Metrics* • Anonymity Set Size: |AS| • Entropy of |AS|: H( |AS| ) • Tracking Probability: Pt = Prob(|AS|=1) • Short-term Disclosure (SD) • Long-term Disclosure (LD) • Distance Deviation (dst) * See supplemental slides for equations
4. Preliminary Results • EPZ: Endpoint Protection Zone • PBD: Privacy by Decoy • RRVT: Random Rotation of Vehicle Trajectory
Endpoint Vulnerability • LBS: Location Based Service (like Google Navigation) • Motorists will use LBS applications (V2I) • LBS administrators can cross-reference vehicle trajectory endpoints with map databases to identify the LBS user (privacy problem)
Cloaking Under FPL • #1: Vehicle/roadway mobility is more predictable than mobile phone mobility. • #2: What if there are no other active LBS users in the vicinity? • Under FPL, cloaking can be defeated by examining the trajectory (series of snapshots)
EPZ • Endpoint Protection Zone (EPZ): “Corserian” mix zone provides “Snowden” privacy defense, and defends against map deanonymization. • V: number of vehicles in region R • λ: ratio of LBS user vehicles to V • A: area of R • w, h: width, height of EPZ (endpoint protection zone) • E{|AS_EPZ|} = λVwh/A
EPZ Simulation Set-up • MMTS: Multi-agent Microscopic Traffic Simulator [16] • Realistic mobility models [15][16][17]: MMTS • Did not want to use grid-like models (e.g. Manhattan) because the EPZ is square-shaped • Counted vehicles originating in EPZ • Computed metrics • Metrics: |AS|, H(|AS|), Pt • Variables: LBS user percentage, λ, and EPZ size
Metric: |AS| • The anonymity set, AS_i, of target LBS user i is the collection of all LBS users j (including i), within the set of all LBS user IDs, ID, whose trajectories T_j are indistinguishable from T_i
Metric: H(|AS|) • If all trajectories are equally likely to be the real one, then H_max = −log2 p(i,j) • Entropy expresses the level of uncertainty in the correlations between T_i and T_j • It is the negative sum, over all candidates, of the products of each probability and its logarithm, base 2.
Metric: Pt • Tracking probability, Pt_i, is defined as the chance that |AS_i| = k = 1 • If |AS| = 1, then the vehicle has no anonymity • This metric is important because the average Pt tells what percentage of vehicles have some privacy and what percentage have no privacy at all, not just how much privacy exists in the overall system
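The three EPZ metrics above, |AS|, H(|AS|) and Pt, together with the expectation E{|AS_EPZ|} = λVwh/A from the EPZ slide, can be checked against a small Monte Carlo model. The following is an added example, not the proposal's MMTS simulation: it assumes trip origins spread uniformly over a square region of side `region_side` (so A = region_side²) and that each vehicle is an LBS user independently with probability λ; the parameter values (3000 m region, 600 m EPZ, V = 1000) are constructed for illustration.

```python
"""Monte Carlo check of E{|AS_EPZ|} = λVwh/A plus the |AS|, H(|AS|) and Pt metrics.

Added example; not the proposal's MMTS code. Assumes uniform trip origins over a
square region and independent LBS-user status with probability λ. The slides
used realistic mobility models, so only the closed-form expectation is reproduced.
"""
import math
import random
from collections import Counter


def expected_as(lam: float, V: int, w: float, h: float, A: float) -> float:
    """Slide formula: expected number of LBS users originating inside a w x h EPZ."""
    return lam * V * w * h / A


def entropy_bits(probs) -> float:
    """H = -sum(p * log2 p). For a uniform anonymity set of size k this is log2(k)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def simulate_epz(lam, V, region_side, w, h, trials, seed=1):
    """Place V trip origins per trial and count LBS users inside one EPZ
    located at the corner of the region.

    Returns the mean |AS| over trials, the mean entropy of the anonymity set
    when a target is present (k >= 1, all members equally likely: H = log2 k),
    the tracking probability Pt = Prob(|AS| = 1), and the histogram of k.
    """
    rng = random.Random(seed)
    sizes = []
    for _ in range(trials):
        k = 0
        for _ in range(V):
            x = rng.uniform(0, region_side)
            if x >= w:
                continue                      # outside the EPZ in x; skip the y draw
            y = rng.uniform(0, region_side)
            if y < h and rng.random() < lam:
                k += 1                        # an LBS user whose trip starts in the EPZ
        sizes.append(k)
    present = [k for k in sizes if k >= 1]
    return {
        "mean_as": sum(sizes) / trials,
        "mean_entropy": (sum(math.log2(k) for k in present) / len(present)) if present else 0.0,
        "pt": sum(1 for k in sizes if k == 1) / trials,
        "histogram": Counter(sizes),
    }


if __name__ == "__main__":
    # Constructed parameters: 3000 m x 3000 m region (as in the PBD set-up), 600 m EPZ.
    lam, V, side, w, h = 0.1, 1000, 3000, 600, 600
    print("theory  E{|AS|} =", expected_as(lam, V, w, h, side * side))   # 4.0
    r = simulate_epz(lam, V, side, w, h, trials=1500)
    print("sim     E{|AS|} =", round(r["mean_as"], 2))
    print("sim     H(|AS|) =", round(r["mean_entropy"], 2), "bits")
    print("sim     Pt      =", round(r["pt"], 3))
    print("histogram of |AS|:", sorted(r["histogram"].items()))
```

With these parameters the count of LBS users in the EPZ is binomial with mean 4, so the simulated mean lands near the closed-form value while Pt stays around 7%: a useful reminder that the average anonymity set size alone hides the fraction of vehicles with no anonymity at all, which is exactly why the Pt slide argues for reporting it separately.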
Performance Evaluation: |AS| (plots: 10% LBS users (λ=0.1); 20% LBS users (λ=0.2)) Average anonymity set size, |AS| = k
Performance Evaluation: H(|AS|) (plots: 10% LBS users (λ=0.1); 20% LBS users (λ=0.2)) Entropy of average anonymity set size, H(|AS|) = H(k)
Performance Evaluation: Pt (plots: 10% LBS users (λ=0.1); 20% LBS users (λ=0.2)) Average tracking probability, Pt
RSU/LBS Collusion Vulnerability • Suppose a vehicle tried sending a request to an LBS using a false location.
PBD • Privacy by Decoy (PBD) Note: an active decoy is different from a dummy. PARROTS: Position Altered Requests Relayed Over Time and Space
PBD Simulation Setup • Grid: 3000 m x 3000 m (1.864 mi x 1.864 mi) • Mobility models, rural, urban and city • Sim. time 2000 seconds or 33.3 minutes. • EPZ: 600 m x 600 m (25 EPZs) to 300 m x 300 m (100 EPZs) • λ = LBS users; ρ = potential parrots; φ = pirates
PBD Results (plots: Before PBD (EPZ Only); After) Theoretical values of |AS| • ρ: ratio of potential parrots to total vehicles • φ: ratio of LBS users who desire privacy • Individual login: E{|AS_EPZpi|} = 1 + ρ/(φλ) • Group login: E{|AS_EPZpg|} = (λ + ρ)wh/A
Pure Dummy Event Solution • Can a vehicle transmit dummy events without recruiting parrots?
RRVT • Random Rotation of Vehicular Trajectory Note: vehicles desiring privacy can produce accurate dummies using points from other vehicles which transmit precise locations. Left image source: You, Peng and Lee, 2007
Metric: SD • Short-term Disclosure (SD) • m: time slices • D_i: set of true and dummy locations at time slot i • SD: the probability of an eavesdropper successfully identifying a true trajectory given a set of true and dummy POSITIONS over a short period of time
Metric: LD • Long-term Disclosure (LD) • More overlap means more privacy • n: total trajectories • k: trajectories that overlap • n – k: trajectories that do not overlap • T_k: the number of possible trajectories amongst the overlapping trajectories • LD: the probability of an eavesdropper successfully identifying a true trajectory given a set of true and dummy TRAJECTORIES over a longer period of time
Overlap Improves Privacy • 3 trajectories • 8 possible paths Image source: You, Peng and Lee, 2007
Metric: dst • Distance Deviation (dst) • dst_i: the distance deviation of user i • PL_j^i: the location of true user i at the jth time slot • L_j^dk: the location of the kth dummy at the jth time slot • dist(): expresses the distance between the true user location and the dummy location • n: dummies • m: time slots • dst is the average distance between the trajectories of the dummies and the true user
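The SD, LD and dst slides define the three metrics in words; the equations themselves are on supplemental slides not included here. The block below is an added example, not code from the proposal or from You, Peng and Lee (2007), that implements one reading of those definitions on a small constructed grid scenario (three trajectories with two crossings, the 3-trajectory / 8-path situation of the "Overlap Improves Privacy" slide). The specific formulas used are assumptions and are stated in the module docstring: SD averages 1/|D_i| over slots, LD is taken as 1/(n − k + T_k) with T_k counted as the distinct position sequences an observer could follow through the overlapping trajectories, and dst is the mean Euclidean distance from the true user to each dummy.

```python
"""Short-term disclosure (SD), long-term disclosure (LD) and distance deviation
(dst) for one true trajectory plus dummy trajectories on a grid.

Added example; not code from the proposal or from You, Peng and Lee (2007).
Formulas below are this example's reading of the slide wording (assumptions):
  SD  = (1/m) * sum over slots i of 1/|D_i|
  LD  = 1 / (n - k + T_k), T_k = distinct position sequences an observer could
        follow through the k overlapping trajectories (1/n when nothing overlaps)
  dst = (1/(n*m)) * sum over dummies k and slots j of dist(PL_j, L_j^k)
"""
import math
from collections import defaultdict


def short_term_disclosure(trajs):
    """SD: average over time slots of 1/|D_i|, D_i = distinct positions at slot i."""
    m = len(trajs[0])
    return sum(1.0 / len({t[i] for t in trajs}) for i in range(m)) / m


def count_possible_paths(trajs):
    """T_k: count distinct position sequences in the layered graph whose nodes are
    the positions seen at each slot and whose edges are the observed moves.
    Where two trajectories share a position, a path may continue along either."""
    m = len(trajs[0])
    counts = {p: 1 for p in {t[0] for t in trajs}}
    for i in range(1, m):
        moves = {(t[i - 1], t[i]) for t in trajs}     # de-duplicated observed moves
        nxt = defaultdict(int)
        for p, q in moves:
            nxt[q] += counts[p]
        counts = nxt
    return sum(counts.values())


def overlapping_indices(trajs):
    """Indices of trajectories that share a position with another at the same slot."""
    m = len(trajs[0])
    overlapping = set()
    for i in range(m):
        by_pos = defaultdict(list)
        for idx, t in enumerate(trajs):
            by_pos[t[i]].append(idx)
        for members in by_pos.values():
            if len(members) > 1:
                overlapping.update(members)
    return sorted(overlapping)


def long_term_disclosure(trajs):
    """LD = 1/(n - k + T_k); with no overlap every trajectory is equally likely: 1/n."""
    n = len(trajs)
    k_idx = overlapping_indices(trajs)
    k = len(k_idx)
    if k == 0:
        return 1.0 / n
    t_k = count_possible_paths([trajs[a] for a in k_idx])
    return 1.0 / (n - k + t_k)


def distance_deviation(true_traj, dummies):
    """dst: mean Euclidean distance between the true user and each dummy over all slots."""
    m = len(true_traj)
    n = len(dummies)
    total = sum(math.dist(true_traj[j], d[j]) for d in dummies for j in range(m))
    return total / (n * m)


# Constructed sample: 5 time slots on a grid. The true trajectory A crosses
# dummy B at slot 1 and dummy C at slot 3 (three trajectories, eight possible paths).
TRUE_A = [(0, 0), (1, 1), (2, 2), (3, 3), (4, 4)]
DUMMY_B = [(2, 0), (1, 1), (0, 2), (0, 3), (0, 4)]
DUMMY_C = [(6, 0), (5, 1), (4, 2), (3, 3), (2, 4)]


def example_metrics():
    trajs = [TRUE_A, DUMMY_B, DUMMY_C]
    return {
        "sd": short_term_disclosure(trajs),                     # 0.4
        "tk": count_possible_paths(trajs),                      # 8 possible paths
        "ld": long_term_disclosure(trajs),                      # 1/8
        "dst": distance_deviation(TRUE_A, [DUMMY_B, DUMMY_C]),  # 2.5
    }


if __name__ == "__main__":
    for name, value in example_metrics().items():
        print(f"{name:>4} = {value}")
```

Lower SD and LD mean less disclosure, matching the "lower is better" note on the RRVT results slide; the path-counting step makes the overlap effect concrete, since the same three trajectories with no crossings would give LD = 1/3 instead of 1/8. Dummies generated from other vehicles' real positions (the RRVT idea) tend to raise the overlap count precisely because they stay on the roadway grid.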
RRVT Simulation Setup (figure: example real trajectory in red, example dummy trajectories in black) • Sim. time: 20 time slots • Speed: ~3 squares/slot • Dummies: sets of 5 to 25 • Manhattan grid 50x50 • Trajectories constrained to roadways every 10 grid squares • Ran simulation nine times per dummy set • Data presented: median number of trajectory intersection overlaps
RRVT Results (plots: LD; SD) • Improvement in LD when roadway mobility enforced • For SD, LD: lower is better
5. Proposed Research • Systematic Study • Anticipated Contributions • Timeline
Systematic Study • Measure the effectiveness of existing methods (See: Metrics supp. slides) • Create new methods* and compare tradeoffs, effectiveness with existing methods • Create new metrics, if necessary • Consider vehicular domain specific issues • Mobility/density (city, suburb, rural), location privacy metrics, mix zone choices, GPS precision, LBS query frequency (esp. FPL), RSU coverage area, LBS market penetration, MAC/APP layer collusion, map deanonymization, ... * Currently working on gas station mix zone
Anticipated Contributions • Combined MAC layer and APP layer privacy has not been studied in vehicular contexts. • Dummy event and active decoy methods have been ignored for many years. It is possible they may apply in vehicular applications because of the different network architecture. • Journal publication(s) detailing the discovered mathematical relationships (extending conference papers)
Supplemental Slides
Publications to Date • Alrajei, N., Corser, G., Fu, H., Zhu, Y. (2014, February). Energy Prediction Based Intrusion Detection In Wireless Sensor Networks. International Journal of Emerging Technology and Advanced Engineering (IJETAE), Volume 4, Issue 2. (Journal) • Oluoch, J., Corser, G., Fu, H., Zhu, Y. (2014, April). Simulation Evaluation of Existing Trust Models in Vehicular Ad Hoc Networks. In 2014 American Society For Engineering Education North Central Section Conference (ASEE NCS 2014). • Alnahash, N., Corser, G., Fu, H. (2014, April). Protecting Vehicle Privacy using Dummy Events. In 2014 American Society For Engineering Education North Central Section Conference (ASEE NCS 2014).
Location Privacy: Vehicular Methods and Techniques • All techniques, except active decoy, impair APP-level continuous precise location (CPL) and frequent precise location (FPL) queries. • Other problems: • Anonymizing problems: PseudoID-to-pseudoID tracking, map deanonymization • MAC layer cloaking/decoy problems: too slow for safety beacon, exposes duplicate beacons, complicates authentication/CRL/congestion