1

Privacy in Sensor Nets

Wade Trappe Yanyong ZhangRutgers, The State University of New Jersey

www.winlab.rutgers.edu

2

Talk OverviewBrief Update on the Security Group… and then… PARIS…MotivationSet the Stage

Privacy, Pandas, and Paris

Project Framework:Who?When?What?How?

Team Approach:Theory and SystemsTestbed Validation: ORBIT and Pandas-in-PARIS

3

WINLAB’s Security and Computing InitiativesWINLAB has a growing initiative in wireless network security and mobile/pervasive computingCurrently the Security Group consists of

3 Faculty Members:Wade Trappe (University of Maryland): Wireless Security, Multimedia Security, Physical/MAC Layer Security, Multicast, Coding and CryptographyYanyong Zhang (Penn. State University): Distributed Computing, Sensor Networking, Pervasive Computing, Fault Tolerant Computing Architectures, Wireless SecurityMarco Gruteser (University of Colorado): Ubiquitous Computing, Secure SoftwareEngineering, Privacy in Location Services

14 Students (W. Xu, Q. Li, P. Kamat, Z. Li, Y. Zhang, T. Wood, S. Chao, A. Chincholi, B. Xue, S. Raj, K. Ma, S. Swami, B. Hoh, K. Ramchandran) Collaboration: Princeton (H. Kobayashi), Columbia (H. Schulzrinne), Bell Labs (S. Paul), IBM Watson, UMD (KJR Liu, M. Wu), Rutgers CS (B. Nath), UColorado (Grunwald), URI (Y. Sun), UBC (Z. Wang), U. Texas (IAT)Funding:

NSF: ORBIT (joint with Princeton, Columbia, Bell Labs, IBM, Thomson), PARISAir Force: Multimedia Fingerprinting (joint with UMD) (complete)NICT Japan: Secure Future Wireless Networks (B3G)

4

NSF-NETS (NOSS) PARIS: Privacy Augmented Relaying of Information from Sensors

5

Motivation“The things most people want to know about are usually none of their business.” – George Bernard ShawSensor network security and privacy

Market expected to grow to $10B by 2010Sensors will become part of our social fabricInformation will be everywhere… for the taking!

Privacy is tough to define, and tougher to defend!

Hacker

Vs.

Thug

6

Privacy Issues in Sensor NetworksContent-Oriented Security and Privacy:

Issues that arise because an adversary can observe and manipulate the exact content in a sensor message.Best addressed through cryptography and network security.

Context-Oriented Privacy:Issues that arise because an adversary observes the context surrounding creation and transmission of a sensor message.Examples:

Source-Location Privacy: The physical location of communication participants may be sensitive.Temporal Privacy: Temporal information corresponding to the creation of message might be sensitive.Traffic Privacy: The size and amount of messages originating from a sensor may be sensitive.

Example: In sensor networks, Source-Location Privacy focuses on protecting the monitored asset from traceback.

7

Panda-Hunter Game ModelWe consider a generic asset monitoring sensor network applicationPanda-Hunter Game:

A sensor network has been deployed to monitor a panda habitat.Sensors send Panda_Heremessages, forwarded to sink.The hunter observes packets and learns information about the panda.

Privacy Goal: Make it difficult for Hunter to gain knowledge about panda’s behavior.Example: Source-Location Privacy

Increase the time needed for an adversary to track and capture the panda.Longer safety periods mean more privacy!

Data Sink

Sensor Node

Game Over!

8

Approach to Sensor Context Privacy

Who should I communicate with? This question addresses source-location privacy and entails carefully designed routing solutions.

When should I communicate? Here we focus on temporal privacy by introducing suitable modifications to the routing layer and MAC layer.

What should I communicate? For this issue we address privacy breaches resulting from traffic analysis by modifying the underlying application’s outgoing data format.

How should I communicate? Here we examine modifications to the physical layer and the underlying topology which obfuscate the source’s location.

9

Who? Routing Strategies for PrivacySensor networks route data via multi-hops to sink.Contextual Privacy Issue: An adversary may trace his way back to source’s location.Example: Flooding is a popular technique for delivering sensor data

Involves each node forwarding a packet it receivesAlthough many simultaneous paths to the sink, flooding does not increase the safety period!

Explanation:Flooding contains the shortest path.Hunter will always follow shortest path to the panda.

Need to change who you route to:Introduce randomization into routing

Data Sink

Sensor Node

10

Formal modelAsset monitoring network is a 6 tuple : (N, S, A, R, H, M)

N = network of sensor nodesS = Sink to which all messages are routed toA = The asset being monitoredR = The routing strategy used by sensorsH = The hunter or adversary whose movements are goverened by a set of rules M.

Safety periodNumber of new messages initiated by the source node(s) monitoring the asset before the adversary catches up (if at all)

Likelihood of captureThe likelihood that the adversary will trace the asset successfully in a given period of time.

Adversary characteristicsNon interferingDevice richResource richInformed (Kerckhoff’s principle)

11

Simulation setupDiscrete event simulator written in c++10,000 nodes in a 6000 x 6000 (m2) grid

Uniform random distribution.

Tx radius of nodes is 100 m. and listening radius of adversary also 100 m.

Both these parameters are variable in the simulator

Avg. node degree is 8well connected networkless than 1% have less than 3 neighbors.

Energy consumption for Rx and TxSingle asset and single adversary

12

The Patient Adversary

13

Baseline Routing TechniquesShortest Path routing

Single path Criteria: Minimum number of hops or highest gradientMinimum amount of network energy expendedMinimum message delivery latency100% message delivery guaranteeWorst safety period !!

Baseline floodingEach node forwards the received sensor packet once to all its neighbors.Very high energy consuion and msg overhead.

Probabilistic floodingEach node forwards a received sensor packet with probability Pforward to all its neighbors, the first time it receives it.Small Pforward means reduced energy consumptionSmall Pforward also means lower network reachability, lower message delivery ratio and higher delivery latency.There is a fundamental tradeoff here

14

Performance of Baseline routing techniques

0 10 20 30 40 50 60 70 800

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

Source-sink distance in hops

Del

iver

y ra

tio Pfwd=1.0Pfwd=0.9Pfwd=0.7Pfwd=0.5shortest-path

0 10 20 30 40 50 60 70 800

2000

4000

6000

8000

10000

12000

Source-sink distance in hops

Num

ber o

f Tx

per d

eliv

ered

msg

Pfwd=1.0Pfwd=0.9Pfwd=0.7shortest-path

Message Delivery Ratio

Message overhead

15

Performance of Baseline routing techniques

0 10 20 30 40 50 60 70 800

10

20

30

40

50

60

70

80

90

Source-sink distance in hops

Ave

rage

mes

sage

late

ncy

Pfwd

=1.0P

fwd=0.9

Pfwd

=0.7shortest-path

0 10 20 30 40 50 60 70 800

20

40

60

80

100

120

140

Source-sink distance in hops

Safe

ty p

erio

dPfwd=1.0Pfwd=0.9Pfwd=0.7shortest-path

Avg. Msg Latency

Safety Period

16

Routing with fake sourcesA second source can inject fake messages into the network to draw the adversary away from the real source. Sink can decrypt the messages and ignore the fake ones.The location of the fake source and the rate at which it floods the fake messages is very important.

17

Phantom routing

The source message is sent out on a directed random walk for “h” hops before being flooded or sent down to shortest path.

Combines the best of flooding and shortest path strategies but without any of the problems.

18

When? Traffic Strategies for PrivacySensor networks may store, aggregate and forward data.

Contextual Privacy Issue: An adversary may infer time-of-creation context by observing and correlating traffic.

Time delay translates into source-location ambiguity Need to change when you send/route/forward.

Delay at the sourceRandom delay in routing

19

What? Traffic Shaping Strategies for PrivacySensor networks may report different types of dataContextual Privacy Issue: An adversary may correlate packet size and traffic with the type of dataExample: Pandas and FoxesNeed to change what you sendTraffic Shaping for Sensor Networks:

Uniform Message SizeRandomized Message SizePrivacy-Preserving Source Coding

Fox Here!

Panda Here!

20

How? Physical/Topology Strategies for PrivacySensor communication infrastructure is simpleContextual Privacy Issue:Simplicity of design facilitates many contextual privacy attacks Need to change how you communicatePhysical Layer Defense: Power control

Localization ambiguityNetwork Topology Defense: Hierarchies and jump-points

Network Mixing

Distance

Pow

er R

ecei

ved

d1 d2

Transmit Power Uncertainty

Location Uncertainty

21

Team Approach“Paris isn’t for changing planes, its for changing your outlook!”- Audrey HepburnSystems meets Theory Approach:

Theory:Information Theory: Huffman-codingPhysical Layer Techniques

Systems:Practical Implementation Issues: Observations learned from system

Validation is keyExperiments will be conducted on NSF ORBIT Wireless TestbedHook-up iMotes and Mica Motes to ORBIT… Pandas-In-PARIS

Systems Theory