Location Cloaking for Location Safety Protection of Ad Hoc Networks Department of Computer Science Iowa State University Ames, Iowa, 50011 http://www.cs.iastate.edu/~yingcai
Outline What is location safety How to achieve location safety Stationary ad hoc networks Mobile ad hoc networks Performance evaluation Closely related work Conclusion
Why disclosing location information Location information adds a new dimension to ad hoc networking Location-based routing Leverage nodes’ location information in path discovery and packet forwarding Much more efficient and scalable than topology-based routing Location-oriented applications e.g., enemy detection in battlefield
Dilemma Disclosing location information presents a major threat to network safety Knowing the position of a node allows an adversary to locate and destroy it physically
Location Safety Protection Goal Allow nodes to reveal their location Yet make it practically infeasible for one to locate them based on such information
Location Safety Protection Goal Allow nodes to reveal their location Yet make it practically infeasible for one to locate them based on such information Observation An adversary can always comb through a whole region to locate all nodes inside it However, if the region is too large, the cost can be prohibitively high
Location Safety Protection Key Idea Instead of its exact position, a node can report it is inside some spatial region, called a cloaking box Reducing location resolution to achieve a desired level of safety protection
Location Safety Protection Key Idea Instead of its exact position, a node can report it is inside some spatial region, called a cloaking box Reducing location resolution to achieve a desired level of safety protection
Location Safety Protection Key Idea Instead of its exact position, a node can report it is inside some spatial region, called a cloaking box Reducing location resolution to achieve a desired level of safety protection Lower node density less attractive for the adversary to locate/destroy the nodes inside higher safety level
Safety Level Safety level of a cloaking box The ratio of the box’s area and the number of nodes inside
Safety Level Safety level of a cloaking box Safety level of a network The ratio of the box’s area and the number of nodes inside Safety level of a network A network is protected at a safety level θ, if the adversary cannot find any region whose safety level is less than θ based on nodes’ disclosed location
How to compute cloaking box For safety protection Each cloaking box must satisfy the safety level requirement
How to compute cloaking box For safety protection Each cloaking box must satisfy the safety level requirement A sequence of cloaking boxes must not be correlated to identify an area with a safety level less than θ Correlation attack
How to compute cloaking box For safety protection Each cloaking box must satisfy the safety level requirement A sequence of cloaking boxes must not be correlated to identify an area with a safety level less than θ For network performance Each cloaking box needs to be as small as possible Correlation attack
A Naïve approach A node broadcasts to query its nearby nodes’ location, and then identify the smallest region that meets the safety requirement Problems 1. Require nodes to report their exact location 2. Difficult to determine the query broadcast region The node actually reveals it is inside the broadcast region What if the safety level of the region is not enough?
Proposed Technique Basic idea Partition network domain recursively into a set of subdomains, each with a safety level at least θ Each node uses its containing subdomain as its cloaking box
Proposed Technique Basic idea Partition network domain recursively into a set of subdomains, each with a safety level at least θ Each node uses its containing subdomain as its cloaking box Challenges 1. Partitioning needs to be done in a fully distributed manner 2. No node shall reveal its exact position
Stationary Ad Hoc Networks Nodes are deployed in a domain D Area(D)/#Nodes is no less than θ Nodes start to do partitioning at time t0 Partitioning is done round by round Each round has a fixed time duration D
Partitioning Algorithm Each node sets its partition P to D Refine P round by round Broadcast a packet PLUS(NID, P) within P Collect the PLUS packets from nodes in P during a time period T Calculate the safety level S(P) If S(P)≥2θ Divide P into two equal halves Set P as the one containing the node’s current position Go to the next round of partitioning If S(P)<2θ Take P as its cloaking box Stop partitioning D
Partitioning Algorithm Each node sets its partition P to D Refine P round by round Broadcast a packet PLUS(NID, P) within P Collect the PLUS packets from nodes in P during a time period T Calculate the safety level S(P) If S(P)≥2θ Divide P into two equal halves Set P as the one containing the node’s current position Go to the next round of partitioning If S(P)<2θ Take P as its cloaking box Stop partitioning D
Partitioning Algorithm Each node sets its partition P to D Refine P round by round Broadcast a packet PLUS(NID, P) within P Collect the PLUS packets from nodes in P during a time period T Calculate the safety level S(P) If S(P)≥2θ Divide P into two equal halves Set P as the one containing the node’s current position Go to the next round of partitioning If S(P)<2θ Take P as its cloaking box Stop partitioning D
Partitioning Algorithm Each node sets its partition P to D Refine P round by round Broadcast a packet PLUS(NID, P) within P Collect the PLUS packets from nodes in P during a time period T Calculate the safety level S(P) If S(P)≥2θ Divide P into two equal halves Set P as the one containing the node’s current position Go to the next round of partitioning If S(P)<2θ Take P as its cloaking box Stop partitioning D
Partitioning Algorithm Each node sets its partition P to D Refine P round by round Broadcast a packet PLUS(NID, P) within P Collect the PLUS packets from nodes in P during a time period T Calculate the safety level S(P) If S(P)≥2θ Divide P into two equal halves Set P as the one containing the node’s current position Go to the next round of partitioning If S(P)<2θ Take P as its cloaking box Stop partitioning D
Is Partitioning Safe? A node reveals its location P when it broadcasts a PLUS packet in P It is guaranteed P’s safety level is no less than θ Recursive partitioning makes the correlation attack impossible Any two partitions P1 and P2 either do not overlap at all, or one contains the other completely Situation like never happens
Some Concerns A node may be compromised Inject multiple PLUS packets to enlarge cloaking boxes This attack can be prevented using authentication techniques Add a certificate field in PLUS packet Allow a node to verify the sender of a packet
Mobile ad hoc networks D Initialization Each node finds its cloaking box right after the deployment Adjust partitioning when necessary Each node monitors its movement against its current partition P If a node moves into a new partition P’ Broadcast a LEAVE packet in P Broadcast a JOIN packet in P’ D
Performance Study Performance metrics Simulate a mobile ad hoc network Cloaking area Communication overhead Simulate a mobile ad hoc network Nodes initiate partitioning right after deployment. (overhead Cinit) Nodes move following a random walk, and adjust partitioning when necessary (overhead Cupdate) Node distribution follows a Normal distribution Variance v is smaller, distribution is more skewed v = 0.5, 0.1, 0.05
Evaluation Results A more skewed distribution results in a larger cloaking area in average a smaller Cinit a larger Cupdate (most cases)
Related 1: Encryption Encrypt location information to make it intelligible only to certain node Problems The destination node may be compromised In some cases, location information cannot be encrypted
Related 2: Anonymous Routing Make routes untraceable to protect important nodes Problems Do not provide location safety protection A node can be destroyed whenever it is located, regardless of its importance
Related 3: Privacy-aware LBS Location disclosed in LBS may be correlated with restricted spaces for subject identification Service anonymity protection Location privacy protection Problems Assume some central server for location depersonalization Location privacy is different from location safety
Conclusion We define the concept of location safety protection We propose to reduce location resolution to achieve a desired level of safety protection We present a novel distributed technique for location cloaking
Thanks!