1

Enhancing Source-Location Privacy in Sensor Network Routing

P. Kamat, Y. Zhang, W. Trappe and C. OzturkProceedings of the 25th IEEE Int. Conference on Distributed Computing Systems

Rutgers University

Matthew Sanderson

2

Presentation Outline Introduction to issue Panda vs Hunter Techniques for Stationary Sources

Routing Protocols Performance Comparison Improvement for privacy.

(Briefly) Mobile Sources Related/Future Work Conclusion Questions

3

The issue is privacy.

“Guarantee that information is observable or decipherable by only those who are intentionally meant to observe or decipher it.”

Two broad categories: content-oriented context-oriented

4

Content-oriented Security/Privacy

Security of the contents of messages.

Cryptographic methods.

5

Contextual Privacy

Deals with context in which the sensor application works.

In this case: location Not as thoroughly

researched. What this paper covers.

6

Source-location Privacy

Privacy of the node sending the initial message.

Two metrics: safety period – how long until the node is

discovered capture likelihood – how likely it will get discovered

7

Accomplishing source-location privacy

Look at popular routing techniques. Augment these techniques with a new approach. Energy consumption still important.

8

Panda-Hunter Game Model Scenario

Panda-Hunter Game: A sensor network has been

deployed to monitor a panda habitat.

Sensors send Panda_Here messages

Messages are forwarded to a data sink.

The hunter observes packets and traces his way back to the panda.

Privacy Goal: Increase the time needed for an adversary to track and capture the panda (safety period).

Data Sink

Sensor Node

Slide source: Wenyuan Xu

9

Additional Game Setup Issues

One panda – one source

Additional Goal: deliver messages to base station.

Concern: energy usage.

Data Sink

Sensor Node

10

The Hunter

Non-malicious – does not interfere with network

Device-rich – has devices to measure angle of arriving message

Resource-rich – move at any rate and unlimited power

Informed – knows how the network works

11

How the hunter gets each message.

Two primary routing techniques. Flooding Single-path

New approach: Phantom Routing.

12

Routing Techniques - Flooding

Flooding-based: source sends the message to all its neighbors, who in turn do the same.

If node has received it already, the node discards it.

Performance drawbacks, but easy implementation.

13

Probabilistic Flooding Like flooding, but with a

probability. When a node receives a

message, it randomly generates a number uniformly distributed between 0 and 1.

If # < forwarding probability, it sends, otherwise, it doesn't.

14

Single-Path Routing

Instead of sending out to all neighbors, single-path sends out to one or a small subset of neighbors.

Usually require extra hardware or a pre-configuration phase.

Data Sink

Sensor Node

15

How well do they work?

16

Performance Comparison cont.

17

Privacy of Routing Techniques

Problems with single-path and flooding Single-path reduces energy, but poor at protecting source-

location privacy. Flooding isn't any better, because the shortest-path is still

contained within the flood. Probabilistic flooding helps – higher safety period, but at the cost

of delivery ratio. There is room for improvement.

Maybe trick the hunter?

18

Routing with Fake Sources

Idea: inject fake messages to throw off hunter.

Multiple ways this can be done. Short-lived – similar to

probabilistic flooding.

19

Persistent Fake Source

Short-lived fake sources can only draw the hunter away momentarily.

A persistent fake source is more effective, but requires a global overview of network.

Source sends its hop count to sink – sink instigates a fake source at a node with the same hop count in the opposite direction.

Works best when fake source sends at higher rate than real source, but requires large energy budget.

20

Problem with Fake Sources: Perceptive Hunter

Recall the assumptions on our hunter – he's informed. Once he realizes the fake source, he knows which

direction to go for the real source.

We need a new approach.

21

Phantom Routing

Idea: entice hunter to phantom instead of source.

Has two phases: Random walk phase Flood/Single-path

phase

22

Types of Random Walk

Sector-based – requires knowledge of landmark nodes to send message away from source.

Hop-based – requires knowledge of the hop count from each node to the base station.

23

Phantom Routing Performance Can significantly improve

the safety period. Higher the hopcount,

higher the safety period. Also increases latency

(Random walk of 20: 30% increase = 4x privacy).

24

Possible Counter: Cautious Hunter

Since the phantom routing may leave the hunter stranded, after some time, the cautious hunter may go back.

No benefit – no progress made by hunter. Better to be patient.

25

Mobile Source Need to rethink entire

process again.

Depends on panda's movement pattern and velocity.

26

Panda Velocity

More profound on single-path routing, as subsequent route may have little overlap compared to flooding.

Panda's speed with single-path is protection enough.

Improves privacy of phantom routing.

27

Hunter's Range

Not so surprising, if the hunter's hearing range is increased, the hunter is more effective.

28

Related/Future Material

Entrapping Adversaries for Source Protection in Sensor Networks Yi Ouyang, Zhengyi Le, Guanling Chen, James Ford, Fillia Makedon – Dartmouth College

Preserving Source Location Privacy in Monitoring-based Wireless Sensor Networks

Yong Xi, Loren Schwiebert, Weisong Shi – Wayne State University

Location Privacy in Sensor Networks Against a Global Eavesdropper Kiran Mehta, Donggang Liu, Matthew Wright – University of Texas at Arlington

29

Conclusion

The panda-hunter game is somewhat contrived. Does a great job at visualizing concept.

Concept is simple and effective. Source-location privacy for sensor networks seems to be

a minor issue. I'm willing to admit I'm wrong here. Come up with some examples.

30

Questions?

?