Privacy-aware routing in sensor networks
Introduction
Sensor networks will be prevalent in the near future for various applications, including object and event monitoring. A common communication paradigm for sensors is to obtain information about objects or events and send the data back to a base station (or sink) for further analysis. The wireless communication path from the object to the base station may jeopardize the safety of the object if an adversary who is capable of detecting the message flow traces back to the message source by moving along the reversed path. The object, e.g., an animal of an endangered species or a vehicle of military aides, may have to be protected for safety reasons, and the related location information should not be disclosed. This concern will become even more serious as sensor networks become prevalent in pervasive computing applications, since ubiquitous information collection doubtlessly encroaches on the privacy of the people involved.
This paper explores the location privacy problem in sensor networks. We aim to hide the location of the message source and make it more difficult for an adversary to trace messages back to the source location. We assume that a security infrastructure, such as secure communication, has already been built in; that is, no information carried in the message (e.g., the packet header) is disclosed that would allow the adversary to learn where the message comes from. The adversary observes the wireless communication within a certain detection range and traces toward the message source by moving, in each step, to the node that transmits the detected target information.
Many message routing protocols have been proposed for sensor networks [1], [2], [3], [4], [5]. None of them are designed for location privacy protection. Kamat et al. [6] proposed Phantom routing to solve a similar privacy issue. However, as we will show in Section 7.3, the random-walk-based Phantom routing has poor performance in defending against the adversary’s traceback, even if the adversary has very limited traffic monitoring ability. More recently, Metha et al. [7] and Shao et al. [8] proposed source location protection schemes under a global traffic analyzer. The two approaches only partially solve the problem. The ConstRate and k-anonymity [7] schemes rely on global sensor stimulation and are very resource demanding. FitProbRate [8], however, sacrifices location privacy for short message delivery delay. As we will present in Section 8, our solution minimizes message delay while still achieving perfect location privacy in the presence of a global attacker.
In this paper, we start the discussion from a simple model where there is only one source node and one adversary, and the adversary always starts the traceback from the sink location. As we will show in Sections 4.1 and 6.4, our theoretical model can also be applied to multiple adversaries and multiple data sources. The time for the adversary to trace back to the source is a natural metric for location privacy. Even if the adversary has limited monitoring power, it can follow any random message path and thus trace back to the message source. We use the average traceback time and the minimal possible traceback time it takes for an adversary to reach the source as two metrics for location privacy. The average traceback time signifies the expected performance for location privacy. The minimal traceback time, which captures the worst case scenario, assumes that the adversary has the best luck possible, taking the route with the shortest time to find the source.
We address the location privacy issue under a complete adversary model. When the adversary has limited detecting power, we design routing algorithms to maximize the traceback time. We formulate this problem as an optimization problem constrained by the energy budget allowed for message routing. To gain more understanding of this issue, we look at the problem from different perspectives. First, we give an approximation of the performance bound in a generalized scenario as a guideline for network routing design. Our result indicates that the traceback time is proportional to the number of nodes involved in routing. Given a certain sensor density, the number of nodes participating in message routing indicates how dispersed the message routes are; more dispersed routes are longer and more scrambled, which delays the adversary’s traceback progress. Then, we show how to optimize the routing performance by considering several special cases in which fixed routes are given. The fixed routes are further categorized as routes that are well separated (without intersection in the middle) and splicing routes. Although this seems quite restrictive, many applications fit these constraints. For example, an application may require the routes to be well separated so that the adversary has little chance to capture sufficient messages for message content decryption. In addition, many applications also dictate fixed routes to avoid certain dangerous areas where adversaries gather, or to force the routes to pass through certain points for reasons such as information multicast or data aggregation.
When the adversary is more powerful, e.g., capable of deploying a sensor network to monitor the traffic, we propose a random schedule scheme in which each node transmits at a certain time slot in a fixed period, so that the adversary cannot profile differences in communication patterns among the nodes. Obviously, this scheme requires a large number of sensors to participate in the message transmission between the source and the sink, so that only a very small portion of these sensors (those on the routing path) transmit the valid messages; the others just send dummy messages. From the adversary’s point of view, the sensors in the whole area are flooding messages and no routing path can be inferred from the communication pattern. As radio communication consumes a significant amount of energy in sensors, our goal is to minimize the message transmission delay so as to keep this “flooding” period as short as possible. There are two ways to reduce the message transmission delay: either increase the data rate or use more routes between the source and the sink. Considering that the message rate at the forwarding nodes cannot be changed (otherwise the adversary would easily identify the message forwarding nodes and then the routing path), the problem of minimizing the message transmission delay is equivalent to finding as many disjoint routing paths as possible so that more message packets can be routed in parallel. We give an approximation algorithm to find the optimal k disjoint routing paths to deliver the data messages.
To the best of our knowledge, this paper is the first to formulate the location privacy as an optimization problem. This paper aims to build a theoretical foundation for privacy-aware routing in sensor networks. Several papers have worked on different routing schemes for location privacy preservation, but little is known about the theoretical bounds for those schemes. We also show how to mathematically analyze the performance in terms of location privacy. This paper does not consider all schemes for preserving location privacy, but examines only routing protocols in which messages follow predefined routes.
Related work
Internet anonymity and privacy problems have received extensive attention [9], [10], [11], [12], [13], [14]. The location privacy discussed in this paper has two fundamental differences from prior work. First, Internet anonymity relies upon channel secrecy (e.g., secret keys) to protect logical location privacy, while location privacy in this paper addresses the issue of physical location privacy. For example, there is a strong connection between the message header and the identity of the
Network and adversary model
We consider a wireless sensor network consisting of sensor nodes that are uniformly and randomly scattered in a sensor field. Each node has the capabilities to collect data and route data to the sink in a multihop fashion. In this paper, we assume sensor nodes are evenly distributed in the sensor field and do not move after being deployed.
We consider two types of adversary models in this paper. First, we focus on the single-adversary model. It will be shown in the next section that the
Performance bound analysis
Given a sensor network, we are interested in finding the ultimate location privacy we can achieve. In this section, we first develop the performance bound under the assumption that the adversary has the same radio detection range as the sensors’ transmission range. Then, we relax the constraints of the adversary’s model and allow the adversary to trace back more than one hop each time. Finally, we present our simulation results from our discrete event-based simulations. The performance bound is
Average traceback time
We have given the approximate performance estimation for any routing scheme, but how to design a routing strategy to maximize the traceback time is still a question. In this section and the next, we explore the optimal routing strategies under two different performance metrics: average traceback time and minimal traceback time. This section presents the optimal routing scheme that maximizes the average traceback time. We assume the routes are well separated so that there is no
Max–min traceback time
In the previous section, we have seen that the average traceback time leads to an unreasonable solution and could not characterize the real scenario. Here we propose another more realistic performance metric for location privacy: minimal traceback time, which captures the worst case scenario. Routing schemes with good performance in terms of the average traceback time may perform poorly in the worst case. For example, consider the optimal routing scheme for average traceback time described in
Privacy-aware routing schemes
Inspired by the traceback time analysis for the routing strategies, we discuss two privacy-aware routing schemes in this section. The first routing scheme is called Random Parallel (RP) routing. The strategy is to randomly disperse the source messages into a number of pre-determined parallel routing paths, so that the adversary’s traceback progress is deterred due to the fact that the adversary can only perform traceback on a certain routing path. As discussed previously, the pre-determined
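The following is an added example (not code from the paper) that models the Random Parallel routing just described together with the two metrics introduced earlier: an adversary starting at the sink and tracing back over k well-separated, pre-determined paths. The one-message-per-slot timing, the one-hop detection range and the rule that every heard transmission moves the adversary one hop are modelling assumptions made here, not the paper's exact model.

```python
import random
from statistics import mean

# Added example, not the paper's own code: Monte Carlo model of an adversary
# tracing back through Random Parallel (RP) routing over k well-separated
# paths, reporting the average and the minimal traceback time.

def simulate_traceback(path_lengths, rng):
    """Return the number of message slots an adversary starting at the sink
    needs to reach the source. Assumptions of this model:
    - one message per slot, forwarded along a uniformly random path;
    - the adversary hears only transmissions one hop away, so at the sink it
      hears the last hop of any path, but once on path j only path j traffic;
    - every heard transmission lets it move one hop toward the source.
    """
    k = len(path_lengths)
    j = rng.randrange(k)             # slot 1: hears some path's last hop, commits to it
    hops_left = path_lengths[j] - 1  # hops still to walk on path j
    t = 1
    while hops_left > 0:
        t += 1
        if rng.randrange(k) == j:    # only messages on path j advance the adversary
            hops_left -= 1
    return t

def expected_average_traceback(path_lengths):
    """Analytic mean of this model: 1 + k * E[L_j - 1], i.e. one plus the
    number of intermediate forwarding nodes on all paths, so the average
    metric grows with the number of nodes involved in routing."""
    return 1 + sum(L - 1 for L in path_lengths)

def minimal_traceback(path_lengths):
    """Worst case for the source: the adversary commits to the shortest path
    and every message happens to take it, so one hop per slot."""
    return min(path_lengths)

def monte_carlo(path_lengths, runs=20000, seed=1):
    """Return (simulated average, simulated minimum) over `runs` tracebacks."""
    rng = random.Random(seed)
    times = [simulate_traceback(path_lengths, rng) for _ in range(runs)]
    return mean(times), min(times)

if __name__ == "__main__":
    for paths in ([5, 5, 5], [4, 6, 8]):   # constructed path lengths in hops
        avg, mn = monte_carlo(paths)
        print(paths, f"sim avg={avg:.2f} (model {expected_average_traceback(paths)})",
              f"sim min={mn} (model {minimal_traceback(paths)})")
```

Adding paths raises the average metric roughly linearly while the minimal metric stays at the shortest path length, which is the gap between the two metrics that the max-min formulation addresses.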
Adversary sensor network
In this section, we extend our discussion to an extreme adversary model. Instead of placing a certain number of monitoring subjects, the adversary is able to deploy a sensor network to monitor the activities of the sensors in any location in the network. The adversary network is not purposed to detect what our network is monitoring, but it is interested in what assignment our network is involved with and in particular the location of the object that is our network’s concern. In this scenario,
Conclusion
In this paper, we focus on the location privacy problem in sensor networks. We formulate the problem as an optimization problem in terms of the average traceback time and minimal traceback time for the adversary to reach the message source starting from the sink. We show that the traceback time is related to the number of sensor nodes involved in routing. We give routing strategies to maximize the average and minimal traceback time for a set of fixed routes. Based on it, we propose the WRS, a
References (36)
- C. Intanagonwiwat, R. Govindan, D. Estrin, Directed diffusion: a scalable and robust communication paradigm for sensor...
- B. Karp, H. Kung, Greedy perimeter stateless routing, in: MOBICOM,...
- F. Ye, A. Chen, S. Lu, L. Zhang, A scalable solution to minimum cost forwarding in large sensor networks, in: Tenth...
- F. Ye, S. Lu, L. Zhang, Gradient broadcast: a robust, long-live large sensor network, in: Tech. Report, Computer...
- W. Heinzelman, A. Chandrakasan, H. Balakrishnan, Energy-efficient communication protocol for wireless microsensor...
- P. Kamat, Y. Zhang, W. Trappe, C. Ozturk, Enhancing source–location privacy in sensor network routing, in: ICDCS,...
- K. Metha, D. Liu, M. Wright, Location privacy in sensor networks against a global eavesdropper, in: ICNP, Beijing,...
- M. Shao, Y. Yang, S. Zhu, G. Cao, Towards statistically strong source anonymity for sensor networks, in: IEEE INFOCOM,...
- D. Chaum, Untraceable electronic mail, return addresses and digital pseudonyms, Communications of the ACM (CACM) 24(2)...
- D. Chaum, The dining cryptographers problem: unconditional sender and recipient untraceability 1(1) (1988)...
Haodong Wang is currently a Ph.D. candidate at Computer Science Department in the College of William and Mary. He got his B.S. from Tsinghua University and M.S. from Penn State University. His research interests are sensor network applications, security and privacy, security schemes on resource constrained devices, and wireless networks.
Bo Sheng received his B.S. in Computer Science from Nanjing University, China. He is currently a graduate research assistant in Computer Science Department at College of William and Mary.
Qun Li is an assistant professor in the Department of Computer Science at College of William and Mary. He holds a Ph.D. degree in computer science from Dartmouth College. His research interests include wireless networks, sensor networks, RFID, and pervasive computing systems. He received the NSF Career award in 2008.