On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein...
-
Upload
quentin-burns -
Category
Documents
-
view
217 -
download
4
Transcript of On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein...
![Page 1: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/1.jpg)
On Non-Cooperative Location Privacy: A Game-theoreticAnalysis
Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux
David C. Parkes
CCS 2009
![Page 2: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/2.jpg)
2
Pervasive Wireless Networks
Human sensors
Vehicular networks Mobile Social networks
Personal WiFi bubble
![Page 3: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/3.jpg)
3
Peer-to-Peer Communications
1
MessageIdentifier
2
WiFi/Bluetooth enabled
Signature || Certificate
![Page 4: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/4.jpg)
4
Location Privacy Problem
1
Passive adversary monitors identifiers used in peer-to-peer communications
10h00: Millenium Park11h00: Art Institute
13h00: Lunch
![Page 5: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/5.jpg)
5
Previous Work
• Pseudonymity is not enough for location privacy [1, 2]
• Removing pseudonyms is not enough either [3]
Spatio-Temporal correlation of traces
MessageIdentifier
[1] P. Golle and K. Partridge. On the Anonymity of Home/Work Location Pairs. Pervasive Computing, 2009[2] B. Hoh et al. Enhancing Security & Privacy in Traffic Monitoring Systems. Pervasive Computing, 2006[3] B. Hoh and M. Gruteser. Protecting location privacy through path confusion. SECURECOMM, 2005
Pseudonym Message
![Page 6: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/6.jpg)
6
Location Privacy with Mix Zones
Mix zone
2121
xy?
Temporal decorrelation: Change pseudonym
[1] A. Beresford and F. Stajano. Mix Zones: user privacy in location aware services. Percom, 2004
Why should a node participate?
Spatial decorrelation: Remain silent
![Page 7: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/7.jpg)
Mix Zone Privacy Gain
7
( )
| 2 |1
( ) log ( )n t
i d b d bd
A T p p
t- t=T
1
2
x
y
B D
( )n t Number of nodes in mix zone
![Page 8: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/8.jpg)
Cost caused by Mix Zones
• Turn off transceiver
• Routing is difficult
• Load authenticated pseudonyms
8
+
+
=
![Page 9: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/9.jpg)
9
Problem
Tension between cost and benefit of mix zones
When should nodes change pseudonym?
![Page 10: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/10.jpg)
10
Method
• Game theory– Evaluate strategies– Predict evolution of security/privacy
• Example– Cryptography– Revocation– Privacymechanisms
Rational BehaviorSelfishoptimization
Security protocolsMulti-party computations
![Page 11: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/11.jpg)
11
Outline
1. User-centric Model
2. Pseudonym Change Game
3. Results
![Page 12: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/12.jpg)
Mix Zone Establishment
• In pre-determined regions [1]
• Dynamically [2]– Distributed protocol
12
[1] A. Beresford and F. Stajano. Mix Zones: user privacy in location aware services. PercomW, 2004[2] M. Li et al. Swing and Swap: User-centric approaches towards maximizing location privacy . WPES, 2006
![Page 13: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/13.jpg)
User-Centric Location Privacy Model
Privacy = Ai(T) – PrivacyLoss
13
2t1t
Privacy
Traceable
t
Ai(T1)Ai(T2)
![Page 14: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/14.jpg)
14
Pros/Cons of user-centric Model
• Pro– Control when/where to protect your privacy
• Con– Misaligned incentives
![Page 15: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/15.jpg)
15
Outline
1. User-centric Model
2. Pseudonym Change Game
3. Results
![Page 16: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/16.jpg)
1
2
Assumptions
Pseudonym Change game– Simultaneous decision
– Players want to maximize their payoff
– Consider privacy upperboundAi(T) = log2(n(t))
16
![Page 17: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/17.jpg)
• Strategy– Cooperate (C) : Change pseudonym– Defect (D): Do not change pseudonym
Game Model
• Players– Mobile nodes in transmission range– There is a game iif
17
( ) 1n t
![Page 18: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/18.jpg)
18
Pseudonym Change Game
t
C
D
C
t1 Silent period
3
1
2
![Page 19: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/19.jpg)
Payoff Function
19
If C & Not alone, thenui = Ai(T)- γ
If C & Alone, thenui = ui
-- γ
If D, thenui = ui
-
ui = privacy - cost
![Page 20: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/20.jpg)
Sequence of Pseudonym Change Games
20
5
6
E2
23
4E1
7
8
9
C3
1
E2E1
1t 2tE3
3tt
ui
Ai(T1)- γ
Ai(T2)- γ
γ
![Page 21: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/21.jpg)
21
Outline
1. User-centric Model
2. Pseudonym Change Game
3. Results
![Page 22: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/22.jpg)
C-GameComplete information
Each player knows the payoff of its opponents
22
![Page 23: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/23.jpg)
2-Player C-Game
23
Two pure-strategy Nash Equilibria (NE): (C,C)&(D,D)
One mixed-strategy NE
![Page 24: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/24.jpg)
Best Response Correspondence
24
2 pure-strategy NE
1 mixed-strategy NE
![Page 25: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/25.jpg)
n-Player C-Game
• All Defection is always a NE
• A NE with cooperation exists iif there is a group of k users with
25
2log ( ) ik u
TheoremThe static n-player pseudonym change C-game has at least 1 and at most 2 pure strategy Nash equilibria.
, i in the group of k nodes
![Page 26: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/26.jpg)
C-Game Results
Result 1: high coordination among nodes at NE
• Change pseudonyms only when necessary
• Otherwise defect
26
![Page 27: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/27.jpg)
I-GameIncomplete information
Players don’t know the payoff of their opponents
27
![Page 28: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/28.jpg)
Bayesian Game Theory
Define type of playerθi = ui-
28
)( if Predict action of opponents based on pdf over type
![Page 29: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/29.jpg)
29
Environment
Lowprivacy
High privacy
Middle privacy
![Page 30: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/30.jpg)
• A threshold determines players’ action
• Probability of cooperation is
Threshold Strategy
30
0( ) ( ) ( )
i
i i i i iF Pr f d
tC
Dθi
θi
~
![Page 31: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/31.jpg)
2-Player I-Game Bayesian NE
Find threshold θi* such that
Average utility of cooperation =
Average utility of defection
31
~
![Page 32: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/32.jpg)
32
Result 2: Large costincreasescooperationprobability.
![Page 33: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/33.jpg)
33
Result 3: Strategiesadapt to yourenvironment.
![Page 34: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/34.jpg)
34
Result 4: A large number of nodes n provides incentive not to cooperate
![Page 35: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/35.jpg)
Conclusion
Rational behavior in location privacy protocol– Propose a user-centric model of location privacy
– Introduce Pseudonym Change game
– Derive existence of equilibrium strategies
– Evaluate effect of non-cooperative behavior
Outcome: Protocol for distributed pseudonym changes among rational nodes
Future: Evaluate performance of protocol
35
![Page 36: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/36.jpg)
lca.epfl.ch/privacy
![Page 37: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/37.jpg)
37
BACKUP SLIDES
![Page 38: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/38.jpg)
Payoff Function
38
( ) ( , ) ( , )i i i i i i iu A T t T t T
If , then( ) ( ( ) 0)i C is C n s
:
( , , , ) : ( )i
i i i i i
T t
u t T C s A T
If , then( ) ( ( ) 0)i C is C n s
( , , , ) : max(0, )i i i iu t T C s u
If , then( )is D( , , , ) : max(0, )i i i iu t T D s u
where the payoff function at the time immediately prior to tthe strategy of the opponents of iis
(s )C in the number of cooperating nodes besides i
C
D
![Page 39: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/39.jpg)
Best Response Correspondence
39
2 pure-strategy NE
1 mixed-strategy NE
![Page 40: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/40.jpg)
Type
• Incomplete information =>imperfect information [1]
• Type captures the private information of players
• Assume type is distributed with probability
known to all players
• Each player can predict the behavior of its opponents with40
i i i iA
)( if
)( if
Bayesian Game Theory
[1] J. Harsanyi. Games with Incomplete Information Played by Bayesian Players . Management Science , 1967
![Page 41: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/41.jpg)
41
Result 3: Strategies adapt to environment.
![Page 42: On Non-Cooperative Location Privacy: A Game-theoreticAnalysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649f495503460f94c6b7f5/html5/thumbnails/42.jpg)
42
PseudoGame Protocol