05-05-2012, 04:03 PM
Achieving Network Level Privacy in Wireless Sensor Networks
sensors-10-01447.pdf (Size: 477.49 KB / Downloads: 23)
Introduction
With the spreading application of Wireless Sensor Networks (WSNs) in various sensitive areas such
as health-care, military, habitat monitoring, etc, the need to ensure security and privacy is becoming
imperatively important. For example, in battlefield application scenario, “the location of a soldier should
not be exposed if he initiates broadcast query” [1]. In the meantime, query must be transferred to the
destination in an encrypted manner via only trusted en-route nodes. Similarly, in habitat monitoring
application scenarios, such as Great Duck Island [2] or Save-the-panda application [3] where large
numbers of sensor nodes are deployed to observe the vast habitat of ducks and pandas, an adversary
can try to capture the panda or duck by back-tracing the routing path until it reaches the source sensor
nodes. Therefore, in order to prevent the adversary from back-tracing, the route, location and data privacy
mechanisms must be enforced. With respect to these application scenarios, network level privacy has
often been categorized into four categories:
1. Sender node identity privacy: no intermediate node can get any information about who is sending
the packets except the source, its immediate neighbors and the destination,
2. Sender node location privacy: no intermediate node can have any information about the location
(in terms of physical distance or number of hops) about the sender node except the source, its
immediate neighbors and the destination,
3. Route privacy: no node can predict the information about the complete path (from source to
destination). Also, a mobile adversary gets no clue to trace back the source node either from
the contents and/or directional information of the captured packet(s), and
4. Data packet privacy: no node can see the information inside in a payload of the data packet except
the source and the destination.
Existing privacy schemes such as [1, 3–7], that have specifically been proposed for WSNs only
provide partial network level privacy. Providing a full network level privacy is a critical and challenging
issue due to the constraints imposed by the sensor nodes (e.g., energy, memory and computation
power), sensor network (e.g., mobility and topology) and QoS issues (e.g., packet reach-ability and
trustworthiness). Thus, an energy-efficient privacy solution is needed to address these issues.
In order to achieve this goal, we incorporate basic design features from related research fields such
as geographic routing and cryptographic systems. To our knowledge, we propose the first full network
level privacy solution for WSNs. Our contribution lies in following features.
• A new Identity, Route and Location (IRL) privacy algorithm is proposed that ensures the
anonymity of source node’s identity and location. It also assures that the packets will reach their
destination by passing through only trusted intermediate nodes.
• A new reliable Identity, Route and Location (r-IRL) privacy algorithm is proposed, which is the
extension of our proposed IRL algorithm. This algorithm has the ability to forward packets from
multiple secure paths to increase the packet reach-ability.
Sensors 2010, 10 1449
• A new data privacy mechanism is proposed, which is unique in the sense that it provides data
secrecy and packet authentication in the presence of identity anonymity.
Our solutions collectively provide protection against various privacy disclosure attacks such as
eavesdropping and hop-by-hop trace-back attacks. Also, our solutions are lightweight, hence consume
modest memory and energy.
The rest of this paper is organized as follows: Section 2. contains related work, Section 3. articulates
the network model, assumptions and adversary model. Section 4. describes the proposed privacy
schemes, Section 5. consists of analysis and evaluation, and Section 6. concludes the paper.
RelatedWork
Privacy Schemes
A number of a privacy schemes such as [1, 3–7] have been proposed for WSNs that are
discussed below.
C. Ozturk et al. [3] proposed a phantom routing scheme for WSNs, which helps to prevent the location
of a source from the attacker. In this scheme, each message reaches the destination in two phases: 1) a
walking phase, in which the message is unicasted in a random fashion within first hwalk hops, 2) after
that, the message is flooded using the baseline flooding technique. The major advantage of their scheme
is the source location privacy protection, which improves as the network size and intensity increase
because of high path diversity. But on the other hand, if the network size increases, the flooding phase
will consume more energy. This scheme does not provide identity privacy. Also, it is unable to provide
data secrecy in the presence of identity privacy.
P. Kamat et al. [4] proposed a phantom single-path routing scheme that works in a similar fashion as
the original phantom routing scheme [3]. The major difference between these two schemes is that after
the walking phase, a packet will be forwarded to the destination via a single path routing strategy such
as the shortest path routing mechanism. This scheme consumes less energy and requires slightly higher
memory as compared to first one. This scheme also does not provide identity privacy. Also, it is unable
to provide data secrecy in the presence of identity privacy.
S. Misra and G. Xue [5] proposed two schemes: Simple Anonymity Scheme (SAS) and Cryptographic
Anonymity Scheme (CAS) for establishing anonymity in clustered WSNs. The SAS scheme use
dynamic pseudonyms instead of true identity during communications. Each sensor node needs to store a
given range of pseudonyms that are non-contiguous. Therefore, the SAS scheme is not memory efficient.
On the other hand, the CAS scheme uses keyed hash functions to generate pseudonyms. This scheme
is memory efficient as compare to the SAS but it requires more computation power. The authors do
not propose any routing scheme. Sender node may always send packets to the destination via shortest
path. In that case, for an adversary who is capable of performing hop-by-hop trace back (with the help
of direction information) can find out the location of the source node.
Y. Xi et al. [1] proposed a Greedy RandomWalk (GROW) scheme to protect the location of the source
node. This scheme works in two phases. In a first phase, the sink node will set up a path through random
walk with a node as a receptor. Then the source node will forward the packets towards the receptor in
a random walk manner. Once the packet reaches at the receptor, it will forward the packet to the sink
Sensors 2010, 10 1450
node through the pre-established path. Here receptor is acting a central point between the sink and the
source node for every communication session. A criterion of selecting a trustworthy receptor is essential,
however not defined in the author’s work.
Y. Ouyang et al. [7] proposed a Cyclic Entrapment Method (CEM) to minimize the chance of an
adversary in finding out the location of the source node. In the CEM, when the message is sent by the
source node to the base station, it will activate the predefined loop(s) along the path. An activation node
will generate the fake message and forwarded it towards the loop, and original message is forwarded
to the base station via specific routing protocol such as shortest path. Energy consumption in the CEM
scheme is mainly dependent on the number of existing loops in the path and their size.
Geographic Routing Schemes
Our proposed privacy solutions incorporate the basic design features from geographic routing
schemes [6, 8–10] that are discussed below.
M. Zorzi and R. R. Rao [8, 9] proposed Geographic Random Forwarding (GeRaF) scheme for ad
hoc and sensor networks. This scheme is based on broadcast transmission and the sender only requires
the position of its own and the destination. All active neighborhood nodes who receive the packet will
go through the contention phase. Once the contention phase is complete, the winner (the node that is
closest to the destination) will relay the packet using the same mechanism. This process will repeat until
the destination becomes one-hop away. The authors assumed that all nodes in the neighborhood do not
remain active all the time. Due to the dynamics of the sleep modes, different sets of potential relays will
be available. However, mostly the potential route is close to the same or shortest route, which makes
easier for an adversary to trace back to the sender.
A. Capone et al. [10] proposed Simple Forwarding over Trajectory (SiFT) scheme. This scheme is
based on broadcast transmission and does not maintain neighborhood positions and states. Each node
who receives the packet will make the decision of forwarding that packet based only on its own position,
the position of a transmitter and the trajectory. The difference between the GeRaF [8, 9] and the SiFT
scheme is that, the GeRaF does not use trajectories but the position of the destination. If nodes are static
then similar to the GeRaF the potential route is close to the same or shortest route, which makes it easier
for an adversary to trace back to the sender.
A. D. Wood et al. [6] have proposed a configurable secure routing protocol family called Secure
Implicit Geographic Forwarding (SIGF) for WSNs. The SIGF is based on the Implicit Geographic
Forwarding (IGF) protocol [11], in which a packet is forwarded to the node that lies within the region of
60◦ sextant, centered on the direct line from the sender to the destination. The SIGF protocol provides
some aspects of networks privacy such as data, route and location privacy, but it does not provide
identity privacy. Another limitation of the SIGF protocol is that, when there is no trusted node within
a forwarding area (assuming 60◦ sextant), it will forward the packet to an un-trusted node. So, the
reliability of the path is affected.
Table 1 compares the proposed privacy preserving schemes. It clearly shows that none of the schemes
currently provide full network level privacy.