Elsevier

Computer Communications

Volume 181, 1 January 2022, Pages 32-44
Computer Communications

Quantifying unlinkability in multi-hop wireless networks

https://doi.org/10.1016/j.comcom.2021.09.022Get rights and content

Abstract

Consider a multi-hop wireless network in which devices act as anonymizing routers. Even if devices anonymize their link transmissions, an adversary may still be able to infer key information by observing the traffic patterns in the network. In this work, we quantify how well an adversary can infer unlinkability, that is, the probability that different pairs of devices are communicating, from anonymized link transmissions. We first propose a metric to compute unlinkability using a Kalman-filter based adversary. Using this metric, we then evaluate how different network characteristics impact unlinkability. We assume that devices do not reorder packets to mix traffic and thereby increase unlinkability. Instead, we show that traffic mixing is still possible due to the use of multi-hop routing and broadcast transmissions, with the amount of mixing dependent on the network characteristics. In simulation, we find that (i) for unicast links, as network connectivity increases unlinkability decreases, while for broadcast links, as connectivity increases unlinkability increases, (ii) link dynamics tend to increase unlinkability with unicast links but decrease unlinkability with broadcast links, (iii) well-connected topologies, particularly with broadcast links, achieve the same level of unlinkability with fewer transmissions per packet delivered, (iv) a lattice topology has consistently good unlinkability in different scenarios, and (v) heterogeneous network traffic gives higher unlinkability and better anonymization efficiency than uniform traffic, even when the average rate of traffic is the same.

Introduction

Rather than relying on fixed infrastructure like Internet routers or cell towers to relay traffic, in a multi-hop wireless network devices relay traffic for each other in a peer-to-peer fashion. Lack of infrastructure not only makes multi-hop wireless networks easier to deploy, it also increases privacy. For instance, devices can avoid communication over infrastructure that may be monitored [1], [2], and users can better control the distribution of their data by ensuring that any collected data is stored locally.

Consider then a multi-hop wireless network in which devices act as anonymizing routers. Even if devices anonymize their link transmissions an adversary may still be able to infer important information by observing the traffic patterns in the network, such as which pairs of devices are communicating. This is problematic since in many multi-hop wireless networks, different devices have different roles (e.g., sources vs. sinks in a sensor network) and some devices are more critical to network functionality (e.g., a military commander) than others. If an adversary can identify such devices it can prevent important information from reaching its destination.

Given this network scenario, our goal is to quantify what impacts how well an adversary can infer unlinkability [3], that is, the probability that different pairs of devices are communicating (see Section 2.1), given the anonymized link transmissions. We assume that the devices in the multi-hop wireless networks we consider do not mix (i.e., reorder) traffic, unlike a mix network [4]. Instead, we hypothesize that traffic mixing is still possible due to the use of multi-hop routing and broadcast transmissions (see Fig. 1 and Section 2.2). The amount of traffic mixing that is possible should depend on the flows present, the network connectivity, the link dynamics, and the routing strategy. It is these network characteristics whose influence on traffic mixing and thus unlinkability that we investigate in this work.

To quantify unlinkability, we assume a global adversary that passively eavesdrops on the anonymized packet transmissions on each link. The adversary uses these transmissions to compute a probability distribution over the possible communicating pairs of devices. We formulate the adversary as a Kalman filter to compute this distribution and derive an unlinkability metric. We then introduce the idea of anonymization efficiency to quantify the efficiency of unlinkable communication in different network scenarios.

In simulation, we confirm that traffic mixing does occur even when devices themselves do not mix traffic. We show that (i) for unicast links, as network connectivity increases unlinkability decreases, while for broadcast links, as connectivity increases unlinkability increases, (ii) link dynamics tend to increase unlinkability with unicast links but decrease unlinkability with broadcast links, (iii) well-connected topologies, particularly with broadcast links, achieve the same level of unlinkability with fewer transmissions per packet delivered, (iv) a lattice topology has consistently good unlinkability in different scenarios, and (v) heterogeneous traffic gives higher unlinkability and better anonymization efficiency than uniform traffic, even when the average rate of traffic is the same.

The rest of this paper is structured as follows. In Section 2, we explain how traffic mixing can happen in multi-hop wireless networks. In Section 3 we review related work. In Section 4, we describe our Kalman filter adversary. In Section 5, we show how we use our Kalman filter adversary to derive an unlinkability metric and propose the idea of anonymization efficiency. In Section 6, we evaluate our unlinkability metric in simulation. Finally, in Section 7, we summarize our contributions.

Section snippets

Computing unlinkability

In this work, we focus on multi-hop wireless networks in which devices act as anonymizing routers. To anonymize transmissions, devices re-encrypt [5] packets at the network layer, and set link layer addresses in such a way as to hide the intended next hop of a packet yet still allow this hop to process the packet. We assume devices do not mix traffic, but, as we shall see in Section 2.2 and quantify in this paper, traffic mixing can still happen.

In the anonymity literature, the adversary’s goal

Related work

Existing unlinkability metrics [13], [14], [15], [16], [17], [18] are not suitable for our work, as they do not give a straightforward way to compute unlinkability for arbitrary network scenarios or consider multi-hop routing or link dynamics. Other works have designed protocols for unlinkable [19], [20], [21], [22] and anonymous [18], [23], [24], [25], [26] communication for multi-hop wireless networks, but do not give us a way to compute unlinkability. This motivates our derivation of a new

Kalman filters for flow inference

We now overview how we use a Kalman filter [39], [40] to obtain the flow distribution. Computing the flow distribution is generally a computationally intensive task. The primary reason why we use a Kalman filter to model our states and observations with continuous rather than discrete random variables (like in a hidden Markov model) is to make our computations more efficient. Our goal, however, is not to propose Kalman filters as a real-time adversary for flow inference, but instead make

Quantifying unlinkability

Regardless of the adversary model, computing unlinkability for a given network scenario is computationally hard, given the large space of possibilities and limited adversary information. Consequently, some kind of probabilistic model is necessary. Here, we describe a new metric based on our Kalman filter adversary.

Evaluation

Our simulations are done in R and run using the MIT SuperCloud and Lincoln Laboratory Supercomputing Center [41]. We use the FKF (Fast Kalman Filter) package [42] as our Kalman filter implementation. We next describe our simulation set-up and then overview our simulation results.

Conclusions

In this work, we have quantified the unlinkability achievable when traffic mixing is due to multi-hop routing and broadcast transmissions, rather than mixing at individual devices. To do this, we formulated a Kalman filter adversary who passively observes all packet transmissions that occur in a multi-hop wireless network in which devices also act as anonymizing routers. The adversary uses these transmissions to compute a probability distribution over the possible flows present in the network.

CRediT authorship contribution statement

Victoria Ursula Manfredi: Conceptualization, Methodology, Software, Validation, Writing – original draft, Writing – editing. Cameron Donnay Hill: Conceptualization, Methodology, Writing – original draft.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

The authors are grateful to Danny Krizanc for many helpful discussions, and thank Amir Herzberg and Bing Wang for helpful feedback on the paper. The authors also thank the anonymous reviewers for their helpful comments. The authors acknowledge the MIT SuperCloud and Lincoln Laboratory Supercomputing Center for providing HPC and consultation resources that have contributed to the research results reported within this paper.

References (42)

  • MoeM.E.G.

    Quantification of anonymity for mobile ad hoc networks

    Electron. Notes Theor. Comput. Sci.

    (2009)

  • Firechat Messaging App

    (2019)

  • HOPR Messaging App

    (2020)
  • PfitzmannA. et al.

    Terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management, internet draft (expired)

    (2010)
  • ChaumD.L.

    Untraceable electronic mail, return addresses, and digital pseudonyms

    Commun. ACM

    (1981)
  • GolleP. et al.

    Universal re-encryption for mixnets

  • DingledineR. et al.

    Synchronous batching: From cascades to free routes

  • LevineB.N. et al.

    Timing attacks in low-latency mix systems

  • ZhuY. et al.

    Correlation-based traffic analysis attacks on anonymity networks

    IEEE Trans. Parallel Distrib. Syst.

    (2009)
  • VardiY.

    Network tomography: Estimating source-destination traffic intensities from link data

    J. Amer. Statist. Assoc.

    (1996)
  • MedinaA. et al.

    Traffic matrix estimation: Existing techniques and new directions

  • SouleA. et al.

    Traffic matrix tracking using kalman filters

    ACM SIGMETRICS Perform. Eval. Rev.

    (2005)
  • ChungF.R.

    Lectures on spectral graph theory

    (1996)
  • S. Köpsell, S. Steinbrecher, Modeling unlinkability, in: Proceedings of the Third Workshop on Privacy Enhancing...
  • ShmatikovV. et al.

    Measuring relationship anonymity in mix networks

  • L. Fischer, S. Katzenbeisser, C. Eckert, Measuring unlinkability revisited, in: ACM Workshop on Privacy in the...
  • HuangD.

    Unlinkability measure for IEEE 802.11 based MANETs

    IEEE Trans. Wireless Commun.

    (2008)
  • MohantyV. et al.

    Secure anonymous routing for MANETs using distributed dynamic random path selection

  • RackoffC. et al.

    Cryptographic defense against traffic analysis

  • BeimelA. et al.

    Buses for anonymous message delivery.

    J. Cryptol.

    (2003)
  • HayajnehT. et al.

    Source destination obfuscation in wireless ad hoc networks

    Secur. Commun. Netw.

    (2011)

    • Cited by (1)

    View full text
    © 2021 Elsevier B.V. All rights reserved.