Quantifying unlinkability in multi-hop wireless networks
Introduction
Rather than relying on fixed infrastructure like Internet routers or cell towers to relay traffic, in a multi-hop wireless network devices relay traffic for each other in a peer-to-peer fashion. Lack of infrastructure not only makes multi-hop wireless networks easier to deploy, it also increases privacy. For instance, devices can avoid communication over infrastructure that may be monitored [1], [2], and users can better control the distribution of their data by ensuring that any collected data is stored locally.
Consider then a multi-hop wireless network in which devices act as anonymizing routers. Even if devices anonymize their link transmissions, an adversary may still be able to infer important information by observing the traffic patterns in the network, such as which pairs of devices are communicating. This is problematic since in many multi-hop wireless networks, different devices have different roles (e.g., sources vs. sinks in a sensor network) and some devices are more critical to network functionality (e.g., a military commander) than others. If an adversary can identify such devices, it can prevent important information from reaching its destination.
Given this network scenario, our goal is to quantify what affects how well an adversary can infer unlinkability [3], that is, the probability that different pairs of devices are communicating (see Section 2.1), given the anonymized link transmissions. We assume that the devices in the multi-hop wireless networks we consider do not mix (i.e., reorder) traffic, unlike a mix network [4]. Instead, we hypothesize that traffic mixing is still possible due to the use of multi-hop routing and broadcast transmissions (see Fig. 1 and Section 2.2). The amount of traffic mixing that is possible should depend on the flows present, the network connectivity, the link dynamics, and the routing strategy. It is the influence of these network characteristics on traffic mixing, and thus on unlinkability, that we investigate in this work.
To quantify unlinkability, we assume a global adversary that passively eavesdrops on the anonymized packet transmissions on each link. The adversary uses these transmissions to compute a probability distribution over the possible communicating pairs of devices. We formulate the adversary as a Kalman filter to compute this distribution and derive an unlinkability metric. We then introduce the idea of anonymization efficiency to quantify the efficiency of unlinkable communication in different network scenarios.
In simulation, we confirm that traffic mixing does occur even when devices themselves do not mix traffic. We show that (i) for unicast links, as network connectivity increases unlinkability decreases, while for broadcast links, as connectivity increases unlinkability increases, (ii) link dynamics tend to increase unlinkability with unicast links but decrease unlinkability with broadcast links, (iii) well-connected topologies, particularly with broadcast links, achieve the same level of unlinkability with fewer transmissions per packet delivered, (iv) a lattice topology has consistently good unlinkability in different scenarios, and (v) heterogeneous traffic gives higher unlinkability and better anonymization efficiency than uniform traffic, even when the average rate of traffic is the same.
The rest of this paper is structured as follows. In Section 2, we explain how traffic mixing can happen in multi-hop wireless networks. In Section 3 we review related work. In Section 4, we describe our Kalman filter adversary. In Section 5, we show how we use our Kalman filter adversary to derive an unlinkability metric and propose the idea of anonymization efficiency. In Section 6, we evaluate our unlinkability metric in simulation. Finally, in Section 7, we summarize our contributions.
Section snippets
Computing unlinkability
In this work, we focus on multi-hop wireless networks in which devices act as anonymizing routers. To anonymize transmissions, devices re-encrypt [5] packets at the network layer, and set link layer addresses in such a way as to hide the intended next hop of a packet yet still allow this hop to process the packet. We assume devices do not mix traffic, but, as we shall see in Section 2.2 and quantify in this paper, traffic mixing can still happen.
In the anonymity literature, the adversary’s goal
Related work
Existing unlinkability metrics [13], [14], [15], [16], [17], [18] are not suitable for our work, as they do not give a straightforward way to compute unlinkability for arbitrary network scenarios or consider multi-hop routing or link dynamics. Other works have designed protocols for unlinkable [19], [20], [21], [22] and anonymous [18], [23], [24], [25], [26] communication for multi-hop wireless networks, but do not give us a way to compute unlinkability. This motivates our derivation of a new
Kalman filters for flow inference
We now overview how we use a Kalman filter [39], [40] to obtain the flow distribution. Computing the flow distribution is generally a computationally intensive task. The primary reason why we use a Kalman filter to model our states and observations with continuous rather than discrete random variables (like in a hidden Markov model) is to make our computations more efficient. Our goal, however, is not to propose Kalman filters as a real-time adversary for flow inference, but instead make
Quantifying unlinkability
Regardless of the adversary model, computing unlinkability for a given network scenario is computationally hard, given the large space of possibilities and limited adversary information. Consequently, some kind of probabilistic model is necessary. Here, we describe a new metric based on our Kalman filter adversary.
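A minimal sketch of this kind of adversary, added here as an illustration and not the authors' R/FKF code: flow rates are modelled as a slowly drifting state and each link's packet count as a noisy sum of the flows routed over it. The three-node topologies, the noise parameters, and the normalisation and entropy score are assumptions chosen for the example, not the paper's metric.

```python
import math

def kalman_flow_estimate(H, observations, q=0.01, r=0.01, p0=100.0):
    """Random-walk Kalman filter: state x = flow rates, link counts y = H x + noise."""
    n = len(H[0])
    x = [0.0] * n                                    # prior mean: no traffic assumed
    P = [[p0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for y in observations:                           # one vector of link counts per step
        for i in range(n):
            P[i][i] += q                             # predict: rates drift slowly
        for h, yj in zip(H, y):                      # scalar updates (diagonal noise R)
            Ph = [sum(P[i][k] * h[k] for k in range(n)) for i in range(n)]
            s = sum(h[i] * Ph[i] for i in range(n)) + r
            innov = yj - sum(h[i] * x[i] for i in range(n))
            x = [x[i] + Ph[i] * innov / s for i in range(n)]
            P = [[P[i][j] - Ph[i] * Ph[j] / s for j in range(n)] for i in range(n)]
    return x

def flow_distribution(x):
    """Assumed normalisation: clip negative rates, rescale to sum to 1."""
    pos = [max(v, 0.0) for v in x]
    total = sum(pos)
    return [v / total for v in pos] if total > 0 else [1.0 / len(x)] * len(x)

def entropy_bits(p):
    """Shannon entropy of the adversary's belief; higher means more ambiguity."""
    return -sum(v * math.log2(v) for v in p if v > 1e-12)

# Constructed scenario: nodes A, B, C; candidate flows ordered [A->B, A->C, B->C].
# The only real flow is A->C at 5 packets per step.
LINE_H = [[1, 1, 0],   # link A->B carries flows A->B and A->C (relayed via B)
          [0, 1, 1]]   # link B->C carries flows A->C and B->C
MESH_H = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]  # each pair has its own direct link

def compare(steps=20):
    line = flow_distribution(kalman_flow_estimate(LINE_H, [[5, 5]] * steps))
    mesh = flow_distribution(kalman_flow_estimate(MESH_H, [[0, 5, 0]] * steps))
    return line, entropy_bits(line), mesh, entropy_bits(mesh)

if __name__ == "__main__":
    print(compare())
```

In the line topology the relayed traffic leaves the estimate spread at about (0.25, 0.5, 0.25) over the three candidate flows (1.5 bits), while with a direct link per pair the filter pins the A->C flow exactly (0 bits), in line with the unicast trend reported in the introduction.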
Evaluation
Our simulations are done in R and run using the MIT SuperCloud and Lincoln Laboratory Supercomputing Center [41]. We use the FKF (Fast Kalman Filter) package [42] as our Kalman filter implementation. We next describe our simulation set-up and then overview our simulation results.
Conclusions
In this work, we have quantified the unlinkability achievable when traffic mixing is due to multi-hop routing and broadcast transmissions, rather than mixing at individual devices. To do this, we formulated a Kalman filter adversary who passively observes all packet transmissions that occur in a multi-hop wireless network in which devices also act as anonymizing routers. The adversary uses these transmissions to compute a probability distribution over the possible flows present in the network.
CRediT authorship contribution statement
Victoria Ursula Manfredi: Conceptualization, Methodology, Software, Validation, Writing – original draft, Writing – editing. Cameron Donnay Hill: Conceptualization, Methodology, Writing – original draft.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgments
The authors are grateful to Danny Krizanc for many helpful discussions, and thank Amir Herzberg and Bing Wang for helpful feedback on the paper. The authors also thank the anonymous reviewers for their helpful comments. The authors acknowledge the MIT SuperCloud and Lincoln Laboratory Supercomputing Center for providing HPC and consultation resources that have contributed to the research results reported within this paper.
References (42)
Quantification of anonymity for mobile ad hoc networks. Electron. Notes Theor. Comput. Sci. (2009)
Firechat Messaging App (2019)
HOPR Messaging App (2020)
et al. Terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management, internet draft (expired) (2010)
Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM (1981)
et al. Universal re-encryption for mixnets
et al. Synchronous batching: From cascades to free routes
et al. Timing attacks in low-latency mix systems
et al. Correlation-based traffic analysis attacks on anonymity networks. IEEE Trans. Parallel Distrib. Syst. (2009)
Network tomography: Estimating source-destination traffic intensities from link data. J. Amer. Statist. Assoc. (1996)
Traffic matrix estimation: Existing techniques and new directions
Traffic matrix tracking using Kalman filters. ACM SIGMETRICS Perform. Eval. Rev.
Lectures on spectral graph theory
Measuring relationship anonymity in mix networks
Unlinkability measure for IEEE 802.11 based MANETs. IEEE Trans. Wireless Commun.
Secure anonymous routing for MANETs using distributed dynamic random path selection
Cryptographic defense against traffic analysis
Buses for anonymous message delivery. J. Cryptol.
Source destination obfuscation in wireless ad hoc networks. Secur. Commun. Netw.