21-12-2012, 04:55 PM
PROTECTING LOCATION PRIVACY IN SENSOR NETWORKS AGAINST A GLOBAL EAVESDROPPER
ABSTRACT
While many protocols for sensor network security provide confidentiality for
the content of messages, contextual information usually remains exposed. Such contextual
information can be exploited by an adversary to derive sensitive information
such as the locations of monitored objects and data sinks in the field. Attacks on
these components can significantly undermine network applications. The existing
techniques defend against the leakage of location information only from an adversary who
sees only local network traffic. However, a stronger adversary, the global eavesdropper,
is realistic and can defeat all existing techniques. This paper first formalizes
the location privacy issues in sensor networks under this strong adversary model and
computes a lower bound on the communication overhead needed for achieving a certain
level of location privacy. The paper then proposes two techniques to provide
location privacy for monitored objects (source location privacy): periodic collection
and source simulation, and two techniques to provide location privacy for data sinks
(destination location privacy): destination simulation and backbone flooding. These
techniques provide trade-offs between privacy, communication cost, and latency.
Introduction
A wireless sensor network (WSN) typically comprises a large number of cheap,
small, and resource-constrained sensors that are self-organized as an ad-hoc network
to interact with and study the physical world [1]. Sensor networks can be used in
applications where it is difficult or infeasible to set up wired networks. Examples
include wildlife habitat monitoring, military surveillance, and target tracking.
Applications like military surveillance and target tracking provide incentives to
adversaries to eavesdrop on network traffic to obtain valuable intelligence. Abuse of
such information can cause monetary losses or endanger human lives. To protect such
information, considerable effort in sensor network security has focused on providing
classic security services such as confidentiality, authentication, integrity, and availability.
Though these are critical security requirements in many applications, they are by
no means sufficient. The communication patterns of sensors can by themselves reveal
a great deal of contextual information, which can disclose the location information of
critical components in a sensor network. For example, in the Panda-Hunter case [2],
a sensor network is deployed to track endangered giant pandas in a bamboo forest.
Each panda has an electronic tag that emits a signal that can be detected by the
sensors in the network. (A sensor that detects this signal is called a source sensor.)
The source sensor then forwards the location of pandas to a data sink (destination)
with the help of intermediate sensors.
BACKGROUND
Existing Approaches
In this section, we describe previously-proposed algorithms for source location
privacy and destination location privacy.
Source Location Privacy
Prior work in protecting location privacy for monitored objects sought to increase
the safety period, which is defined as the number of messages initiated by the current
source sensor before a monitored object is traced [2].
The flooding technique [4] requires a source node to send out each packet through
numerous paths to a destination to make it difficult for an adversary to trace the
source. However, the problem is that the destination will still receive packets from
the shortest path first. The adversary can thus quickly trace the source node using
backtracking. This method consumes a significant amount of energy without providing
much privacy in return.
Kamat et al. describe two techniques for location privacy. First, they propose a
fake packet generation technique [2] in which a destination creates fake sources whenever
a sender notifies the destination that it has real data to send. These fake senders
are away from the real source and approximately at the same distance from the destination
as the real sender. Both real and fake senders start generating packets at the
same time. This scheme provides decent privacy against a local eavesdropper.
Network and Adversary Model
Although prior research has attempted to solve location privacy problems for
sensor networks, prior attacker models are not strong enough to model a well-funded,
motivated adversary. In this section, we describe the network and adversary models
that we study in this paper.
Network Model
Sensor networks are a relatively recent innovation. There are a number of different
types of sensor nodes that have been and continue to be developed [11]. These
range from very small, inexpensive, and resource-poor sensors such as SmartDust up
to PDA-equivalent sensors with ample power and processing capabilities such as Stargate.
Applications for networks of these devices include many forms of monitoring,
such as environmental and structural monitoring or military and security surveillance.
In this paper, we consider a homogeneous network model. In the homogeneous
network model, all sensors have roughly the same capabilities, power sources, and expected
lifetimes. This is a common network architecture for many applications today
and will likely continue to be popular moving forward. It has been well studied and
provides relatively straightforward analysis in research as well as simple deployment
and maintenance in the field.
Adversary Model
For the kinds of wireless sensor networks that we envision, we expect highly motivated
and well-funded attackers whose objective is to learn sensitive information
such as the locations of monitored objects and destinations.
The objects monitored by the network may be critical. Any damage to such objects
can cause monetary losses or issues in critical military applications. Destinations
are also critical components of sensor networks. In most applications, destinations act
as gateways between the multi-hop network of sensor nodes and the wired network
or a repository where this information is analyzed. Unlike failure of some sensors,
failure of destinations can create permanent damage to sensor network applications.
Compromise of a destination will allow an adversary to gather all the information
because in most applications data won't be encrypted after it is received by a destination.
In some military applications, an adversary could locate destinations and
make the critical sensor network non-functional by destroying them. It is thus highly
critical to protect the location information of monitored objects and destinations to
keep the sensor network functional and useful.
Privacy Evaluation Model
In this section, we describe our privacy evaluation model with which we quantify
the location privacy of critical components in sensor network applications. In this
model, the adversary deploys an attack network to monitor the sensor activities in
the target network. We consider an adversary who can monitor transmissions of all
the sensors in the network with the help of his own sensor network. Each sensor i is an
observation point and a tuple (i; t; e) is available to the adversary through observing
each of its packets e at the time t. We assume that all the transmissions are encrypted
and hence the actual useful information available to the adversary is (i; t). We assume
that the network starts functioning at time t = 0.
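
The observation model above can be turned into a small privacy measurement. The following is an added example, not code from the paper: it builds the (i, t) trace a global eavesdropper would record under two traffic schemes and counts how many source positions are consistent with each trace. The 5x5 grid, the sink position, the one-hop-per-tick timing, and the model of periodic collection (every sensor sends one encrypted packet per period, real or dummy) are assumptions made for illustration.

```python
from itertools import product

N, SINK = 5, (0, 0)   # constructed 5x5 grid, sink in one corner (assumption)
SENSORS = [n for n in product(range(N), repeat=2) if n != SINK]

def route(src):
    """Transmitting nodes on a shortest path from src to SINK."""
    x, y = src
    path = []
    while (x, y) != SINK:
        path.append((x, y))
        if x > 0:
            x -= 1
        else:
            y -= 1
    return path

def event_driven(src, t0=3):
    """Baseline: a sensor transmits only when it relays a real packet."""
    return sorted((i, t0 + hop) for hop, i in enumerate(route(src)))

def periodic(src, period=1, horizon=12):
    """Assumed periodic collection: every sensor sends one encrypted packet
    per period, dummy if it has no data, so src never shapes the trace."""
    return sorted((i, t) for t in range(0, horizon, period) for i in SENSORS)

def anonymity_set(trace, scheme):
    """Source positions that would produce exactly the observed (i, t) trace."""
    return [s for s in SENSORS if scheme(s) == trace]

def first_transmitter(trace):
    """Sensor with the earliest observed transmission."""
    return min(trace, key=lambda obs: obs[1])[0]

if __name__ == "__main__":
    src = (3, 4)  # constructed position of the monitored object
    for scheme in (event_driven, periodic):
        trace = scheme(src)
        print(scheme.__name__, len(trace), "observations,",
              len(anonymity_set(trace, scheme)), "candidate sources")
```

The size of the anonymity set is the privacy level, and the number of observations is the communication cost paid for it, which is the trade-off the abstract refers to.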