Computer Science

CSC 774 Advanced Network Security

Enhancing Source-Location Privacy in Sensor Network Routing (ICDCS 05)

Brian Rogers Nov. 21, 2005
1

Introduction and Motivation

Major challenge to deployment of sensor networks is privacy Two types of privacy
Content-oriented privacy (e.g. packet data) Contextual privacy (e.g. source location of packet)

Important use of future sensor network applications is asset monitoring

Source-location privacy is critical

Computer Science

Example Scenario

source

sink

Computer Science

Outline
Panda-Hunter Game Formal & Simulation Models Baseline Routing Routing with Fake Sources Phantom Routing Privacy for Mobile Sources Conclusions & Future Work

Computer Science

Panda-Hunter Game
Once panda is detected, source periodically sends data to sink through multi-hop routing Assume single panda, source, and sink Attacker:
Non-malicious Device-Rich Resource-Rich Informed

Privacy cautious routing technique prevents hunter from locating source

Computer Science
5

Formal Model
Asset monitoring network: sixtuple (N, S, A, R, H, M)
N = set of sensor nodes S = network sink A = asset being monitored R = routing policy of sensors to protect asset H = hunter with movement rules M to capture asset

Two privacy metrics for a routing strategy R

= safety period of an R given M L = capture likelihood of R given M

Network performance
Energy Consumption (# messages sent) Delivery Quality (avg. msg. latency, delivery ratio)
Computer Science

Simulation Model
N = 10,000 nodes Panda appears at random location, and closest sensor periodically sends packets to the sink Simulation ends if hunter gets close to panda (i.e. within hops) or hunter fails to catch panda within a threshold time

Computer Science

Baseline Routing Techniques

Two most popular routing techniques for sensor networks
Flood-based Routing
Source node forwards packets to all neighbors When a neighbor receives a packet, if it has not already seen this packet, it forwards the packet to all its neighbors with probability Pforward

Single-path (Shortest-path) Routing

Initial configuration phase sets up lists at sensor nodes so each node knows which neighbor is on the shortest path to the sink
Computer Science
8

Patient Adversary Model

Hunter starts at sink When hunter hears a message, it moves to the messages immediate sender Process repeats until hunter reaches source

Computer Science

Baseline Routing Performance

Computer Science

10

Baseline Routing Performance (2)

Computer Science

11

Routing with Fake Sources

Flooding and single-path routing have poor source-privacy:
Add fake sources to inject fake packets Lead hunter away from real source

Two Issues
How to choose the fake source? How often to inject fake packets?

Computer Science

12

Routing with Fake Sources (2)

Computer Science

13

Routing with Fake Sources (3)

Fake sources still not enough Smarter Adversary can detect zigzag pattern Pick one of the two directions and follow to the source If this is not the real source, backtrack to reach the other source Fake messaging increases energy cost for little increase in source-location privacy
Computer Science
14

Phantom Routing
Problem with baseline and fake messaging techniques:
Sources provide a fixed route so adversary can trace each route

Goal of phantom routing:

Direct hunter away from source to phantom source

Two Phases
Random walk: direct msg. to phantom source Flooding/single-path routing: direct msg. to sink
Computer Science
15

Phantom Routing (2)

Computer Science

16

Phantom Routing (3)

Random Walk Phase
Source-location privacy depends on phantom source being far from real source after hwalk hops

True Random Walk

Not good: Message tends to hover around real source Proof in paper using central limit theorem

Directed Random Walk

Sector-based: Each node knows east/west Hop-based: Each node knows toward/away from source Pick one direction randomly and each node during random walk sends the msg. to another node in that direction
Computer Science
17

Phantom Routing (4)

Computer Science

18

Phantom Routing (5)

New adversary: Cautious Adversary Model
Since hunter may be stranded far from true source and not hear any messages for some time If no message heard for some time interval, backtrack one step and wait again

Results worse for cautious adversary, so it is better for hunter to be patient and wait for messages to arrive

Computer Science

19

Privacy for Mobile Sources

How does source location privacy change if asset is mobile (e.g. panda walks around) Tests using a simple movement pattern:

: : d: T:

governs direction stay time at each location distance of each movement reporting interval
Computer Science
20

Privacy for Mobile Sources

Impact of pandas velocity

Computer Science

21

Privacy for Mobile Sources

Impact of hunters hearing range

Computer Science

22

Conclusions & Future Work

Conclusions
Flooding and single-path routing have poor source location privacy Phantom routing can be used with either routing protocol to greatly enhance privacy at a small cost of communication overhead

Future Work
Authors: Investigate stronger adversarial models and multiple asset tracking scenarios Multiple hunters: Could they collude to find panda faster Multiple sinks: Sensors transmit to randomly chosen sink
Computer Science
23