230 likes | 352 Views
CSC 774 Advanced Network Security. Enhancing Source-Location Privacy in Sensor Network Routing (ICDCS ’05) Brian Rogers Nov. 21, 2005. Introduction and Motivation. Major challenge to deployment of sensor networks is privacy Two types of privacy Content-oriented privacy (e.g. packet data)
E N D
CSC 774 Advanced Network Security Enhancing Source-Location Privacy in Sensor Network Routing (ICDCS ’05) Brian Rogers Nov. 21, 2005
Introduction and Motivation • Major challenge to deployment of sensor networks is privacy • Two types of privacy • Content-oriented privacy (e.g. packet data) • Contextual privacy (e.g. source location of packet) • Important use of future sensor network applications is asset monitoring • Source-location privacy is critical
Example Scenario source sink
Outline • Panda-Hunter Game • Formal & Simulation Models • Baseline Routing • Routing with Fake Sources • Phantom Routing • Privacy for Mobile Sources • Conclusions & Future Work
Panda-Hunter Game • Once panda is detected, source periodically sends data to sink through multi-hop routing • Assume single panda, source, and sink • Attacker: • Non-malicious • Device-Rich • Resource-Rich • Informed • Privacy cautious routing technique prevents hunter from locating source
Formal Model • Asset monitoring network: sixtuple (N, S, A, R, H, M) • N = set of sensor nodes • S = network sink • A = asset being monitored • R = routing policy of sensors to protect asset • H = hunter with movement rules M to capture asset • Two privacy metrics for a routing strategy R • Φ = safety period of an R given M • L = capture likelihood of R given M • Network performance • Energy Consumption (# messages sent) • Delivery Quality (avg. msg. latency, delivery ratio)
Simulation Model • N = 10,000 nodes • Panda appears at random location, and closest sensor periodically sends packets to the sink • Simulation ends if hunter gets close to panda (i.e. within Δ hops) or hunter fails to catch panda within a threshold time
Baseline Routing Techniques • Two most popular routing techniques for sensor networks • Flood-based Routing • Source node forwards packets to all neighbors • When a neighbor receives a packet, if it has not already seen this packet, it forwards the packet to all its neighbors with probability Pforward • Single-path (Shortest-path) Routing • Initial configuration phase sets up lists at sensor nodes so each node knows which neighbor is on the shortest path to the sink
Patient Adversary Model • Hunter starts at sink • When hunter hears a message, it moves to the message’s immediate sender • Process repeats until hunter reaches source
Routing with Fake Sources • Flooding and single-path routing have poor source-privacy: • Add fake sources to inject fake packets • Lead hunter away from real source • Two Issues • How to choose the fake source? • How often to inject fake packets?
Routing with Fake Sources (3) • Fake sources still not enough • Smarter Adversary can detect zigzag pattern • Pick one of the two directions and follow to the source • If this is not the real source, backtrack to reach the other source • Fake messaging increases energy cost for little increase in source-location privacy
Phantom Routing • Problem with baseline and fake messaging techniques: • Sources provide a fixed route so adversary can trace each route • Goal of phantom routing: • Direct hunter away from source to phantom source • Two Phases • Random walk: direct msg. to phantom source • Flooding/single-path routing: direct msg. to sink
Phantom Routing (3) • Random Walk Phase • Source-location privacy depends on phantom source being far from real source after hwalk hops • True Random Walk • Not good: Message tends to hover around real source • Proof in paper using central limit theorem • Directed Random Walk • Sector-based: Each node knows east/west • Hop-based: Each node knows toward/away from source • Pick one direction randomly and each node during random walk sends the msg. to another node in that direction
Phantom Routing (5) • New adversary: Cautious Adversary Model • Since hunter may be stranded far from true source and not hear any messages for some time • If no message heard for some time interval, backtrack one step and wait again • Results worse for cautious adversary, so it is better for hunter to be patient and wait for messages to arrive
Privacy for Mobile Sources • How does source location privacy change if asset is mobile (e.g. panda walks around) • Tests using a simple movement pattern: • α: governs direction • δ: stay time at each location • d: distance of each movement • T: reporting interval
Privacy for Mobile Sources • Impact of panda’s velocity
Privacy for Mobile Sources • Impact of hunter’s hearing range
Conclusions & Future Work • Conclusions • Flooding and single-path routing have poor source location privacy • Phantom routing can be used with either routing protocol to greatly enhance privacy at a small cost of communication overhead • Future Work • Authors: Investigate stronger adversarial models and multiple asset tracking scenarios • Multiple hunters: Could they collude to find panda faster • Multiple sinks: Sensors transmit to randomly chosen sink