Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
1
Privacy in Sensor Nets
Wade Trappe Yanyong ZhangRutgers, The State University of New Jersey
www.winlab.rutgers.edu
2
Talk OverviewBrief Update on the Security Group… and then… PARIS…MotivationSet the Stage
Privacy, Pandas, and Paris
Project Framework:Who?When?What?How?
Team Approach:Theory and SystemsTestbed Validation: ORBIT and Pandas-in-PARIS
3
WINLAB’s Security and Computing InitiativesWINLAB has a growing initiative in wireless network security and mobile/pervasive computingCurrently the Security Group consists of
3 Faculty Members:Wade Trappe (University of Maryland): Wireless Security, Multimedia Security, Physical/MAC Layer Security, Multicast, Coding and CryptographyYanyong Zhang (Penn. State University): Distributed Computing, Sensor Networking, Pervasive Computing, Fault Tolerant Computing Architectures, Wireless SecurityMarco Gruteser (University of Colorado): Ubiquitous Computing, Secure SoftwareEngineering, Privacy in Location Services
14 Students (W. Xu, Q. Li, P. Kamat, Z. Li, Y. Zhang, T. Wood, S. Chao, A. Chincholi, B. Xue, S. Raj, K. Ma, S. Swami, B. Hoh, K. Ramchandran) Collaboration: Princeton (H. Kobayashi), Columbia (H. Schulzrinne), Bell Labs (S. Paul), IBM Watson, UMD (KJR Liu, M. Wu), Rutgers CS (B. Nath), UColorado (Grunwald), URI (Y. Sun), UBC (Z. Wang), U. Texas (IAT)Funding:
NSF: ORBIT (joint with Princeton, Columbia, Bell Labs, IBM, Thomson), PARISAir Force: Multimedia Fingerprinting (joint with UMD) (complete)NICT Japan: Secure Future Wireless Networks (B3G)
4
NSF-NETS (NOSS) PARIS: Privacy Augmented Relaying of Information from Sensors
5
Motivation“The things most people want to know about are usually none of their business.” – George Bernard ShawSensor network security and privacy
Market expected to grow to $10B by 2010Sensors will become part of our social fabricInformation will be everywhere… for the taking!
Privacy is tough to define, and tougher to defend!
Hacker
Vs.
Thug
6
Privacy Issues in Sensor NetworksContent-Oriented Security and Privacy:
Issues that arise because an adversary can observe and manipulate the exact content in a sensor message.Best addressed through cryptography and network security.
Context-Oriented Privacy:Issues that arise because an adversary observes the context surrounding creation and transmission of a sensor message.Examples:
Source-Location Privacy: The physical location of communication participants may be sensitive.Temporal Privacy: Temporal information corresponding to the creation of message might be sensitive.Traffic Privacy: The size and amount of messages originating from a sensor may be sensitive.
Example: In sensor networks, Source-Location Privacy focuses on protecting the monitored asset from traceback.
7
Panda-Hunter Game ModelWe consider a generic asset monitoring sensor network applicationPanda-Hunter Game:
A sensor network has been deployed to monitor a panda habitat.Sensors send Panda_Heremessages, forwarded to sink.The hunter observes packets and learns information about the panda.
Privacy Goal: Make it difficult for Hunter to gain knowledge about panda’s behavior.Example: Source-Location Privacy
Increase the time needed for an adversary to track and capture the panda.Longer safety periods mean more privacy!
Data Sink
Sensor Node
Game Over!
8
Approach to Sensor Context Privacy
Who should I communicate with? This question addresses source-location privacy and entails carefully designed routing solutions.
When should I communicate? Here we focus on temporal privacy by introducing suitable modifications to the routing layer and MAC layer.
What should I communicate? For this issue we address privacy breaches resulting from traffic analysis by modifying the underlying application’s outgoing data format.
How should I communicate? Here we examine modifications to the physical layer and the underlying topology which obfuscate the source’s location.
9
Who? Routing Strategies for PrivacySensor networks route data via multi-hops to sink.Contextual Privacy Issue: An adversary may trace his way back to source’s location.Example: Flooding is a popular technique for delivering sensor data
Involves each node forwarding a packet it receivesAlthough many simultaneous paths to the sink, flooding does not increase the safety period!
Explanation:Flooding contains the shortest path.Hunter will always follow shortest path to the panda.
Need to change who you route to:Introduce randomization into routing
Data Sink
Sensor Node
10
Formal modelAsset monitoring network is a 6 tuple : (N, S, A, R, H, M)
N = network of sensor nodesS = Sink to which all messages are routed toA = The asset being monitoredR = The routing strategy used by sensorsH = The hunter or adversary whose movements are goverened by a set of rules M.
Safety periodNumber of new messages initiated by the source node(s) monitoring the asset before the adversary catches up (if at all)
Likelihood of captureThe likelihood that the adversary will trace the asset successfully in a given period of time.
Adversary characteristicsNon interferingDevice richResource richInformed (Kerckhoff’s principle)
11
Simulation setupDiscrete event simulator written in c++10,000 nodes in a 6000 x 6000 (m2) grid
Uniform random distribution.
Tx radius of nodes is 100 m. and listening radius of adversary also 100 m.
Both these parameters are variable in the simulator
Avg. node degree is 8well connected networkless than 1% have less than 3 neighbors.
Energy consumption for Rx and TxSingle asset and single adversary
12
The Patient Adversary
13
Baseline Routing TechniquesShortest Path routing
Single path Criteria: Minimum number of hops or highest gradientMinimum amount of network energy expendedMinimum message delivery latency100% message delivery guaranteeWorst safety period !!
Baseline floodingEach node forwards the received sensor packet once to all its neighbors.Very high energy consuion and msg overhead.
Probabilistic floodingEach node forwards a received sensor packet with probability Pforward to all its neighbors, the first time it receives it.Small Pforward means reduced energy consumptionSmall Pforward also means lower network reachability, lower message delivery ratio and higher delivery latency.There is a fundamental tradeoff here
14
Performance of Baseline routing techniques
0 10 20 30 40 50 60 70 800
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Source-sink distance in hops
Del
iver
y ra
tio Pfwd=1.0Pfwd=0.9Pfwd=0.7Pfwd=0.5shortest-path
0 10 20 30 40 50 60 70 800
2000
4000
6000
8000
10000
12000
Source-sink distance in hops
Num
ber o
f Tx
per d
eliv
ered
msg
Pfwd=1.0Pfwd=0.9Pfwd=0.7shortest-path
Message Delivery Ratio
Message overhead
15
Performance of Baseline routing techniques
0 10 20 30 40 50 60 70 800
10
20
30
40
50
60
70
80
90
Source-sink distance in hops
Ave
rage
mes
sage
late
ncy
Pfwd
=1.0P
fwd=0.9
Pfwd
=0.7shortest-path
0 10 20 30 40 50 60 70 800
20
40
60
80
100
120
140
Source-sink distance in hops
Safe
ty p
erio
dPfwd=1.0Pfwd=0.9Pfwd=0.7shortest-path
Avg. Msg Latency
Safety Period
16
Routing with fake sourcesA second source can inject fake messages into the network to draw the adversary away from the real source. Sink can decrypt the messages and ignore the fake ones.The location of the fake source and the rate at which it floods the fake messages is very important.
17
Phantom routing
The source message is sent out on a directed random walk for “h” hops before being flooded or sent down to shortest path.
Combines the best of flooding and shortest path strategies but without any of the problems.
18
When? Traffic Strategies for PrivacySensor networks may store, aggregate and forward data.
Contextual Privacy Issue: An adversary may infer time-of-creation context by observing and correlating traffic.
Time delay translates into source-location ambiguity Need to change when you send/route/forward.
Delay at the sourceRandom delay in routing
19
What? Traffic Shaping Strategies for PrivacySensor networks may report different types of dataContextual Privacy Issue: An adversary may correlate packet size and traffic with the type of dataExample: Pandas and FoxesNeed to change what you sendTraffic Shaping for Sensor Networks:
Uniform Message SizeRandomized Message SizePrivacy-Preserving Source Coding
Fox Here!
Panda Here!
20
How? Physical/Topology Strategies for PrivacySensor communication infrastructure is simpleContextual Privacy Issue:Simplicity of design facilitates many contextual privacy attacks Need to change how you communicatePhysical Layer Defense: Power control
Localization ambiguityNetwork Topology Defense: Hierarchies and jump-points
Network Mixing
Distance
Pow
er R
ecei
ved
d1 d2
Transmit Power Uncertainty
Location Uncertainty
21
Team Approach“Paris isn’t for changing planes, its for changing your outlook!”- Audrey HepburnSystems meets Theory Approach:
Theory:Information Theory: Huffman-codingPhysical Layer Techniques
Systems:Practical Implementation Issues: Observations learned from system
Validation is keyExperiments will be conducted on NSF ORBIT Wireless TestbedHook-up iMotes and Mica Motes to ORBIT… Pandas-In-PARIS
Systems Theory