08-10-2012, 10:52 AM
Towards Event Source Unobservability with Minimum Network Traffic in Sensor Networks
Towards Event Source.pdf (Size: 303.93 KB / Downloads: 20)
ABSTRACT
Sensors deployed to monitor the surrounding environment
report such information as event type, location, and time
when a real event of interest is detected. An adversary may
identify the real event source through eavesdropping and
traffic analysis. Previous work has studied the source location
privacy problem under a local adversary model. In
this work, we aim to provide a stronger notion: event source
unobservability, which promises that a global adversary cannot
know whether a real event has ever occurred even if he
is capable of collecting and analyzing all the messages in
the network at all the time. Clearly, event source unobservability
is a desirable and critical security property for event
monitoring applications, but unfortunately it is also very
difficult and expensive to achieve for resource-constrained
sensor networks.
Our main idea is to introduce carefully chosen dummy
traffic to hide the real event sources in combination with
mechanisms to drop dummy messages to prevent explosion
of network traffic. To achieve the latter, we select some sensors
as proxies that proactively filter dummy messages on
their way to the base station. Since the problem of optimal
proxy placement is NP-hard, we employ local search
heuristics. We propose two schemes (i) Proxy-based Filtering
Scheme (PFS) and (ii) Tree-based Filtering Scheme
(TFS) to accurately locate proxies. Simulation results show
that our schemes not only quickly find nearly optimal proxy
placement, but also significantly reduce message overhead
and improve message delivery ratio. A prototype of our
scheme was implemented for TinyOS-based Mica2 motes.
INTRODUCTION
Sensor networks bear a promising future in many important
applications such as habitat monitoring, military
surveillance, and target tracking. However, sensor networks
are also confronted with many security threats such as node
compromise, routing disruption and false data injection, because
they normally operate in unattended, harsh or hostile
environment.
Among all these threats, privacy is of special interest to
us since it cannot be fully addressed by traditional security
mechanisms, such as encryption and authentication. Consider
a simple example of event reporting in a sensor network.
When a sensor detects an event, it sends a message
including event-related information to the base station. After
this, the location of the event source has actually been
leaked to the attacker (who may be passively monitoring
the network), no matter how strong the data encryption key
is. Furthermore, an attacker may find out more sensitive
information: whether, when and where a particular event
occurred, e.g., the appearing of an endangered animal in an
asset monitoring sensor network [14, 22]. This can help the
attacker in capturing the animal, an unfortunate occurrence.
SYSTEM MODEL AND DESIGN GOALS
Network Model
As in [26], our system assumes that a sensor network is
divided into cells (or grids) where each pair of nodes in neighboring
cells can communicate directly with each other. A
cell is the minimum unit for detecting events; a cell head coordinates
all the actions inside a cell. Each cell has a unique
integer id (in the range [1, n], where n is the total number
of cells) and every sensor node knows the cell in which it is
located through its GPS or an attack-resilient localization
scheme [21]. Also, we assume that a base station (BS) is located
at the center of the network and works as the network
controller to collect event data. An event report contains
such information as the id of the detecting cell, the event
type, and the detection time.
Attack Model
We assume that the adversary is external, passive and
global. By external, we mean that the adversary will not
compromise or control any sensors; by passive, we assume
that the attacker does not conduct active attacks such as
traffic injection, channel jamming and denial of service attack;
by global, we assume that the adversary can collect
and analyze all the communications in the network. Note
that such a global attacker does not necessarily mean the attacker’s
capability of detecting the occurrence of real events
in any places of the network by himself, because (1) real
event detection devices are often costly, whereas message
collection devices are inexpensive and off-the-shelf; (2) real
event detection devices such as animal-monitoring camera
normally do not have sizes as small as regular sensors, so
they are easy to be detected and destroyed. Although we do
not consider sensor node compromises in the attack model,
we will discuss this problem later in Section 5.3
Design Goals
Providing event source unobservability under the global
attack model is challenging. To prevent content-based analysis,
we may encrypt all the packets during their forwarding,
and also make all the packets in the network of the same
length. However, these techniques cannot defend against
rate monitoring and time correlation attacks.
To solve these traffic analysis attacks, we notice that there
exist trade-offs between various performance and security
metrics, such as privacy, delay, and communication cost. If
all packets in the network are real event packets and every
node reports and forwards a real event message immediately,
it will be easy for a global attacker to trace back to
the real source. Therefore, not only network-wide dummy
traffic [10] but also delays in event reporting and forwarding
have to be introduced at the nodes. Clearly, dummy
traffic will significantly increase the network traffic, which is
undesirable for sensor networks where communication overhead
dominates the entire energy expenditure. To guarantee
event source unobservability without causing the explosion
of network traffic, in this paper our goal is to minimize the
network traffic. Since it is hard to minimize the event report
delay simultaneously, the proposed schemes are best suitable
for applications in which a certain degree of delay could be
tolerated.
TREE-BASED FILTER SCHEME (TFS)
If the number of proxy nodes is large enough, further reduction
in the dummy traffic is possible by allowing messages
to be filtered at multiple proxies on their way from
source nodes to the BS. Note that in PFS, even though
a message may traverse through multiple proxies, it is filtered
only at the default proxy of the cell that this message
originates from. Building upon this core idea, we propose a
tree-based filtering scheme (TFS) in which the proxies in our
network are organized in the form of a tree rooted at the BS.
Proxies in TFS, thus, form a hierarchy with each proxy having
a parent node and possibly multiple child nodes. With
the resulting multi-level filtering, we expect lower network
traffic because more dummy messages will be dropped before
they reach the BS. The reduction in traffic due to TFS,
however, will come at the expense of increased latency of real
event delivery since each message may now incur bufferinginduced
delays at multiple proxies on its way to the BS.
This trade-off between traffic and latency is central to the
research issues involved in the design and efficacy of TFS.
System Parameters
Choosing appropriate values for the source traffic generation
rate and the buffering intervals is very important to
balance privacy, delay, and message overhead according to
the needs of our applications. We notice that under the
purpose of achieving event source unobservability, delay and
overhead are actually tightly related to each other. How to
choose parameters depends on the relative criticality of these
two requirements in our application.
The first parameter to be decided is the source traffic rate
(consisting of real and dummy messages) rsource. If the
dummy traffic rate is too high, it will unnecessarily cause
high message overhead; if it is too low, real event messages
will experience high transmission latency at the sources. It
is desirable to have this rate as close as possible to the average
real event message rate. We believe that in practice it
is not difficult to determine an appropriate rsource based on
historical information about event generation at the sources.
CONCLUSION
In this paper, we solve the optimal proxy placement problem
by using local search heuristics and propose a Proxybased
Filtering Scheme (PFS) and a Tree-based Filtering
Scheme (TFS), which are simple yet efficient event source
unobservability preserving solutions for sensor networks. The
two methods work together, so that we can maximally reduce
the network traffic while increasing the delivery ratio
without sacrificing privacy. Performance evaluation demonstrates
that our schemes can largely improve the system performance
compared with a baseline scheme.