Brian

Computer Science









CSC 774 Advanced Network Security





Enhancing Source-Location Privacy in Sensor

Network Routing (ICDCS ’05)



Brian Rogers

Nov. 21, 2005

1

Introduction and Motivation

• Major challenge to deployment of sensor

networks is privacy

• Two types of privacy

– Content-oriented privacy (e.g. packet data)

– Contextual privacy (e.g. source location of packet)

• Important use of future sensor network

applications is asset monitoring

– Source-location privacy is critical





Computer Science 2

Example Scenario









source





sink









Computer Science 3

Outline

• Panda-Hunter Game

• Formal & Simulation Models

• Baseline Routing

• Routing with Fake Sources

• Phantom Routing

• Privacy for Mobile Sources

• Conclusions & Future Work





Computer Science 4

Panda-Hunter Game

• Once panda is detected, source periodically

sends data to sink through multi-hop routing

• Assume single panda, source, and sink

• Attacker:

– Non-malicious

– Device-Rich

– Resource-Rich

– Informed

• Privacy cautious routing technique prevents

hunter from locating source

Computer Science 5

Formal Model

• Asset monitoring network: sixtuple (N, S, A, R, H, M)

– N = set of sensor nodes

– S = network sink

– A = asset being monitored

– R = routing policy of sensors to protect asset

– H = hunter with movement rules M to capture asset

• Two privacy metrics for a routing strategy R

– Φ = safety period of an R given M

– L = capture likelihood of R given M

• Network performance

– Energy Consumption (# messages sent)

– Delivery Quality (avg. msg. latency, delivery ratio)





Computer Science 6

Simulation Model

• N = 10,000 nodes

• Panda appears at random location, and closest

sensor periodically sends packets to the sink

• Simulation ends if hunter gets close to panda

(i.e. within Δ hops) or hunter fails to catch

panda within a threshold time









Computer Science 7

Baseline Routing Techniques

• Two most popular routing techniques for

sensor networks

– Flood-based Routing

• Source node forwards packets to all neighbors

• When a neighbor receives a packet, if it has not already

seen this packet, it forwards the packet to all its

neighbors with probability Pforward

– Single-path (Shortest-path) Routing

• Initial configuration phase sets up lists at sensor nodes

so each node knows which neighbor is on the shortest

path to the sink



Computer Science 8

Patient Adversary Model

• Hunter starts at sink

• When hunter hears a message, it moves to the

message’s immediate sender

• Process repeats until hunter reaches source









Computer Science 9

Baseline Routing Performance









Computer Science 10

Baseline Routing Performance (2)









Computer Science 11

Routing with Fake Sources

• Flooding and single-path routing have poor

source-privacy:

– Add fake sources to inject fake packets

– Lead hunter away from real source

• Two Issues

– How to choose the fake source?

– How often to inject fake packets?









Computer Science 12

Routing with Fake Sources (2)









Computer Science 13

Routing with Fake Sources (3)

• Fake sources still not enough

• Smarter Adversary can detect zigzag pattern

• Pick one of the two directions and follow to

the source

• If this is not the real source, backtrack to reach

the other source

• Fake messaging increases energy cost for little

increase in source-location privacy



Computer Science 14

Phantom Routing

• Problem with baseline and fake messaging

techniques:

– Sources provide a fixed route so adversary can

trace each route

• Goal of phantom routing:

– Direct hunter away from source to phantom source

• Two Phases

– Random walk: direct msg. to phantom source

– Flooding/single-path routing: direct msg. to sink



Computer Science 15

Phantom Routing (2)









Computer Science 16

Phantom Routing (3)

• Random Walk Phase

– Source-location privacy depends on phantom source being

far from real source after hwalk hops

• True Random Walk

– Not good: Message tends to hover around real source

– Proof in paper using central limit theorem

• Directed Random Walk

– Sector-based: Each node knows east/west

– Hop-based: Each node knows toward/away from source

– Pick one direction randomly and each node during random

walk sends the msg. to another node in that direction



Computer Science 17

Phantom Routing (4)









Computer Science 18

Phantom Routing (5)

• New adversary: Cautious Adversary Model

– Since hunter may be stranded far from true source

and not hear any messages for some time

– If no message heard for some time interval,

backtrack one step and wait again

• Results worse for cautious adversary, so it is

better for hunter to be patient and wait for

messages to arrive





Computer Science 19

Privacy for Mobile Sources

• How does source location privacy change if asset is

mobile (e.g. panda walks around)

• Tests using a simple movement pattern:









• α: governs direction

• δ: stay time at each location

• d: distance of each movement

• T: reporting interval



Computer Science 20

Privacy for Mobile Sources

• Impact of panda’s velocity









Computer Science 21

Privacy for Mobile Sources

• Impact of hunter’s hearing range









Computer Science 22

Conclusions & Future Work

• Conclusions

– Flooding and single-path routing have poor source location

privacy

– Phantom routing can be used with either routing protocol to

greatly enhance privacy at a small cost of communication

overhead

• Future Work

– Authors: Investigate stronger adversarial models and

multiple asset tracking scenarios

– Multiple hunters: Could they collude to find panda faster

– Multiple sinks: Sensors transmit to randomly chosen sink



Computer Science 23