1

Enhancing Source-Location Privacy in Enhancing Source-Location Privacy in Sensor Network RoutingSensor Network Routing

P. Kamat, Y. Zhang, W. Trappe and C. OzturkP. Kamat, Y. Zhang, W. Trappe and C. OzturkProceedings of the 25th IEEE Int. Conference on Distributed Computing SystemsProceedings of the 25th IEEE Int. Conference on Distributed Computing Systems

Rutgers UniversityRutgers University

Matthew SandersonMatthew Sanderson

2

Presentation OutlinePresentation Outline Introduction to issueIntroduction to issue Panda vs HunterPanda vs Hunter Techniques for Stationary SourcesTechniques for Stationary Sources

Routing ProtocolsRouting Protocols Performance ComparisonPerformance Comparison Improvement for privacy.Improvement for privacy.

(Briefly) Mobile Sources(Briefly) Mobile Sources Related/Future WorkRelated/Future Work ConclusionConclusion QuestionsQuestions

3

The issue is privacy.The issue is privacy.

““Guarantee that information is observable or decipherable Guarantee that information is observable or decipherable by only those who are intentionally meant to observe or by only those who are intentionally meant to observe or decipher it.”decipher it.”

Two broad categories:Two broad categories: content-orientedcontent-oriented context-orientedcontext-oriented

4

Content-oriented Security/PrivacyContent-oriented Security/Privacy

Security of the contents of Security of the contents of messages.messages.

Cryptographic methods.Cryptographic methods.

5

Contextual PrivacyContextual Privacy

Deals with context in Deals with context in which the sensor which the sensor application works.application works.

In this case: locationIn this case: location Not as thoroughly Not as thoroughly

researched.researched. What this paper covers.What this paper covers.

6

Source-location PrivacySource-location Privacy

Privacy of the node sending the initial message.Privacy of the node sending the initial message.

Two metrics:Two metrics: safety period – how long until the node is safety period – how long until the node is

discovereddiscovered capture likelihood – how likely it will get discoveredcapture likelihood – how likely it will get discovered

7

Accomplishing source-location privacyAccomplishing source-location privacy

Look at popular routing techniques. Look at popular routing techniques. Augment these techniques with a new approach.Augment these techniques with a new approach. Energy consumption still important.Energy consumption still important.

8

Panda-Hunter Game Model ScenarioPanda-Hunter Game Model Scenario

Panda-Hunter Game:Panda-Hunter Game: A sensor network has been A sensor network has been

deployed to monitor a panda deployed to monitor a panda habitat.habitat.

Sensors send Panda_Here Sensors send Panda_Here messagesmessages

Messages are forwarded to a data Messages are forwarded to a data sink.sink.

The hunter observes packets and The hunter observes packets and traces his way back to the panda.traces his way back to the panda.

Privacy Goal: Increase the time Privacy Goal: Increase the time needed for an adversary to track needed for an adversary to track and capture the panda (safety and capture the panda (safety period).period).

Data Sink

Sensor Node

Slide source: Wenyuan Xu

9

Additional Game Setup IssuesAdditional Game Setup Issues

One panda – one sourceOne panda – one source

Additional Goal: deliver Additional Goal: deliver messages to base station.messages to base station.

Concern: energy usage.Concern: energy usage.

Data Sink

Sensor Node

10

The HunterThe Hunter

Non-malicious – does not Non-malicious – does not interfere with networkinterfere with network

Device-rich – has devices to Device-rich – has devices to measure angle of arriving measure angle of arriving messagemessage

Resource-rich – move at any Resource-rich – move at any rate and unlimited powerrate and unlimited power

Informed – knows how the Informed – knows how the network worksnetwork works

11

How the hunter gets each message.How the hunter gets each message.

Two primary routing Two primary routing techniques.techniques. FloodingFlooding Single-pathSingle-path

New approach: Phantom New approach: Phantom Routing.Routing.

12

Routing Techniques - FloodingRouting Techniques - Flooding

Flooding-based: source Flooding-based: source sends the message to all sends the message to all its neighbors, who in turn its neighbors, who in turn do the same.do the same.

If node has received it If node has received it already, the node discards already, the node discards it.it.

Performance drawbacks, Performance drawbacks, but easy implementation.but easy implementation.

13

Probabilistic FloodingProbabilistic Flooding Like flooding, but with a Like flooding, but with a

probability.probability. When a node receives a When a node receives a

message, it randomly message, it randomly generates a number generates a number uniformly distributed uniformly distributed between 0 and 1.between 0 and 1.

If # < forwarding If # < forwarding probability, it sends, probability, it sends, otherwise, it doesn't.otherwise, it doesn't.

14

Single-Path RoutingSingle-Path Routing

Instead of sending out to all Instead of sending out to all neighbors, single-path sends neighbors, single-path sends out to one or a small subset out to one or a small subset of neighbors.of neighbors.

Usually require extra Usually require extra hardware or a pre-hardware or a pre-configuration phase.configuration phase.

Data Sink

Sensor Node

15

How well do they work?How well do they work?

16

Performance Comparison cont.Performance Comparison cont.

17

Privacy of Routing TechniquesPrivacy of Routing Techniques

Problems with single-path and floodingProblems with single-path and flooding Single-path reduces energy, but poor at protecting source-Single-path reduces energy, but poor at protecting source-

location privacy.location privacy. Flooding isn't any better, because the shortest-path is still Flooding isn't any better, because the shortest-path is still

contained within the flood.contained within the flood. Probabilistic flooding helps – higher safety period, but at the cost Probabilistic flooding helps – higher safety period, but at the cost

of delivery ratio.of delivery ratio. There is room for improvement.There is room for improvement.

Maybe trick the hunter?Maybe trick the hunter?

18

Routing with Fake SourcesRouting with Fake Sources

Idea: inject fake messages Idea: inject fake messages to throw off hunter.to throw off hunter.

Multiple ways this can be Multiple ways this can be done.done. Short-lived – similar to Short-lived – similar to

probabilistic flooding.probabilistic flooding.

19

Persistent Fake SourcePersistent Fake Source

Short-lived fake sources can only draw the hunter away Short-lived fake sources can only draw the hunter away momentarily.momentarily.

A persistent fake source is more effective, but requires a A persistent fake source is more effective, but requires a global overview of network.global overview of network.

Source sends its hop count to sink – sink instigates a fake Source sends its hop count to sink – sink instigates a fake source at a node with the same hop count in the opposite source at a node with the same hop count in the opposite direction.direction.

Works best when fake source sends at higher rate than Works best when fake source sends at higher rate than real source, but requires large energy budget.real source, but requires large energy budget.

20

Problem with Fake Sources: Perceptive HunterProblem with Fake Sources: Perceptive Hunter

Recall the assumptions on our hunter – he's informed.Recall the assumptions on our hunter – he's informed. Once he realizes the fake source, he knows which Once he realizes the fake source, he knows which

direction to go for the real source.direction to go for the real source.

We need a new approach.We need a new approach.

21

Phantom RoutingPhantom Routing

Idea: entice hunter to Idea: entice hunter to phantom instead of phantom instead of source.source.

Has two phases:Has two phases: Random walk phaseRandom walk phase Flood/Single-path Flood/Single-path

phasephase

22

Types of Random WalkTypes of Random Walk

Sector-based – requires Sector-based – requires knowledge of landmark knowledge of landmark nodes to send message nodes to send message away from source.away from source.

Hop-based – requires Hop-based – requires knowledge of the hop knowledge of the hop count from each node to count from each node to the base station.the base station.

23

Phantom Routing PerformancePhantom Routing Performance Can significantly improve Can significantly improve

the safety period.the safety period. Higher the hopcount, Higher the hopcount,

higher the safety period.higher the safety period. Also increases latency Also increases latency

(Random walk of 20: 30% (Random walk of 20: 30% increase = 4x privacy)increase = 4x privacy)..

24

Possible Counter: Cautious HunterPossible Counter: Cautious Hunter

Since the phantom routing may leave the hunter stranded, Since the phantom routing may leave the hunter stranded, after some time, the cautious hunter may go back.after some time, the cautious hunter may go back.

No benefit – no progress made by hunter.No benefit – no progress made by hunter. Better to be patient.Better to be patient.

25

Mobile SourceMobile Source Need to rethink entire Need to rethink entire

process again.process again.

Depends on panda's Depends on panda's movement pattern and movement pattern and velocity.velocity.

26

Panda VelocityPanda Velocity

More profound on single-path routing, as subsequent More profound on single-path routing, as subsequent route may have little overlap compared to flooding.route may have little overlap compared to flooding.

Panda's speed with single-path is protection enough.Panda's speed with single-path is protection enough.

Improves privacy of phantom routing.Improves privacy of phantom routing.

27

Hunter's RangeHunter's Range

Not so surprising, if the Not so surprising, if the hunter's hearing range is hunter's hearing range is increased, the hunter is increased, the hunter is more effective.more effective.

28

Related/Future MaterialRelated/Future Material

Entrapping Adversaries for Source Protection in Sensor NetworksEntrapping Adversaries for Source Protection in Sensor Networks Yi Ouyang, Zhengyi Le, Guanling Chen, James Ford, Fillia Makedon – Dartmouth CollegeYi Ouyang, Zhengyi Le, Guanling Chen, James Ford, Fillia Makedon – Dartmouth College

Preserving Source Location Privacy in Monitoring-based Wireless Sensor Preserving Source Location Privacy in Monitoring-based Wireless Sensor NetworksNetworks

Yong Xi, Loren Schwiebert, Weisong Shi – Wayne State UniversityYong Xi, Loren Schwiebert, Weisong Shi – Wayne State University

Location Privacy in Sensor Networks Against a Global EavesdropperLocation Privacy in Sensor Networks Against a Global Eavesdropper Kiran Mehta, Donggang Liu, Matthew Wright – University of Texas at ArlingtonKiran Mehta, Donggang Liu, Matthew Wright – University of Texas at Arlington

29

ConclusionConclusion

The panda-hunter game is somewhat contrived.The panda-hunter game is somewhat contrived. Does a great job at visualizing concept.Does a great job at visualizing concept.

Concept is simple and effective.Concept is simple and effective. Source-location privacy for sensor networks seems to be Source-location privacy for sensor networks seems to be

a minor issue.a minor issue. I'm willing to admit I'm wrong here.I'm willing to admit I'm wrong here. Come up with some examples.Come up with some examples.

30

Questions?Questions?

??