Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mobile Networks - Module H2 Privacy in Mobile Networks Privacy notions and metrics Location privacy Privacy preserving routing in ad hoc networks Slides.

Published byShanon Stafford Modified over 9 years ago

Similar presentations

Presentation on theme: "Mobile Networks - Module H2 Privacy in Mobile Networks Privacy notions and metrics Location privacy Privacy preserving routing in ad hoc networks Slides."— Presentation transcript:

1 Mobile Networks - Module H2 Privacy in Mobile Networks Privacy notions and metrics Location privacy Privacy preserving routing in ad hoc networks Slides adapted from “Security and Cooperation in Wireless Networks, Chapter 8: Privacy Protection” The Lives of Others, 2006

2 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 2/37 Chapter outline 8.1 Important privacy related notions and metrics 8.2 Location privacy 8.3 Privacy preserving routing in ad-hoc networks

3 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 3/37 Privacy related notions  Anonymity: hiding who performed a given action  Untraceability: making difficult for an adversary to identify that a given set of actions were performed by the same subject  Unlinkability: generalization of the two former notions: hiding information about the relationships between any item  Unobservability: hiding of the items themselves (e.g., hide the fact that a message was sent)  Pseudonymity: making use of a pseudonym instead of the real identity 8.1 Important privacy related notions

4 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 4/37 Privacy metrics (1/3) The adversary tries to de-anonymize an observed action  Anonymity set: set of subjects that might have performed the action –Is a good measure only if all the members of the set are equally likely to have performed the observed action  Entropy-based measure of anonymity: 8.1 Important privacy related notions

5 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 5/37 Privacy metrics (2/3) The adversary tries to link elements  Entropy-based measure for unlinkability: 8.1 Important privacy related notions

6 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 6/37 Privacy metrics (3/3) 8.1 Important privacy related notions How focused is the estimate on a value? Entropy How accurate is the estimate? Confidence intervals How close is the estimate to the true value? Expected error

7 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 7/37 Chapter outline 8.1 Important privacy related notions and metrics 8.2 Location privacy 8.3 Privacy preserving routing in ad hoc networks

8 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 8/37 Location privacy 8.2 Location privacy in vehicular networks The contextual information attached to a trace tells much about our habits, interests, activities, and relationships A location trace is not only a set of positions on a map

9 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 9/37 A first example: Vehicular networks 8.2 Location privacy in vehicular networks

10 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 10/37 Vehicle Communication (VC)  VC promises safer roads,  … more efficient driving, Warning: Accident at (x,y) Warning: Accident at (x,y) ! ! TOC RSU Traffic Update: Congestion at (x,y) ! Congestion Warning: At (x,y), use alt. route 8.2 Location privacy in vehicular networks

11 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 11/37 Vehicle Communication (VC)  … more fun, MP3-Download Text message: We'll stop at next roadhouse  … and easier maintenance. Software Update Malfunction Notification: Arriving in 10 minutes, need ignition plug RSU Car Manuf. 8.2 Location privacy in vehicular networks

12 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 12/37 Security and Privacy  More fun, but for whom? Position Beacon  … and a lot more … Your new ignition-control-software RSU Location Tracking 8.2 Location privacy in vehicular networks

13 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 13/37 The location privacy problem and a solution  vehicles continuously broadcast heart beat messages, containing their ID, position, speed, etc.  tracking the physical location of vehicles is easy just by eavesdropping on the wireless channel  one possible solution is to change the vehicle identifier, or in other words, to use pseudonyms 8.2 Location privacy in vehicular networks

14 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 14/37 Adversary model  changing pseudonyms is ineffective against a global eavesdropper  hence, the adversary is assumed to be able to monitor the communications only at a limited number of places and in a limited range A, GPS position, speed, direction predicted position at the time of the next heart beat B, GPS position, speed, direction 8.2 Location privacy in vehicular networks

15 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 15/37 The mix zone concept  the unobserved zone functions as a mix zone where the vehicles change pseudonym and mix with each other  vehicles do not know where the mix zone is (this depends on where the adversary installs observation spots)  vehicles change pseudonyms frequently s.t. each vehicle changes pseudonym while in the mix zone 8.2 Location privacy in vehicular networks

16 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 16/37 Example of mix zone 8.2 Location privacy in vehicular networks 1 2 3 4 Pseudonym: X12 Pseudonym: Y23 Pseudonym: Z34 Pseudonym: W45 mix zone

17 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 17/37  time is divided into discrete steps  p ij = Pr{ exiting at j | entering at i }  D ij is a random variable (delay) that represents the time that elapses between entering at i and exiting at j  d ij (t) = Pr{ D ij = t }  Pr{ exiting at j at t | entering at i at  } = p ij d ij (t-  ) Model of the mix zone d ij (t) t 8.2 Location privacy in vehicular networks

18 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 18/37 Observations t n1n1 n2n2 nknk x1x1 x2x2 xkxk 22 kk t1t1 tktk N1N1 N2N2 NkNk X1X1 X2X2 XkXk  1 = 0  the adversary can observe the points (n i, x i ) and the times (  i, t i ) of enter and exit events (N i, X i )  nodes change pseudonyms inside the mix zone  no easy way to determine which exit event corresponds to which enter event  each possible mapping between exit and enter events is represented by a permutation  of {1, 2, …, k}: m  = (N 1 ~ X  [1], N 2 ~ X  [2], …, N k ~ X  [k] ) where  [i] is the i-th element of the permutation  we want to determine Pr{ m  | N, X } 8.2 Location privacy in vehicular networks

19 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 19/37 Computing the level of privacy 8.2 Location privacy in vehicular networks where m π is the mapping described by the permutation π where p ij is a cell of the matrix P of size nxn, where n is the number of gates of the mix zone and d ij (t) describes the probability distribution of the delay when crossing the mix zone from gate i to gate j.

20 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 20/37 Another privacy metric  tracking game: –the adversary picks a vehicle v in the observed zone –she tracks v until it enters the mix zone at port s –then, she observes the exiting events until time T (where the probability that v leaves the mix zone until T is close to one) –for each exiting vehicle at port j and time t, the adversary computes q jt = p sj d sj (t) –the adversary decides to the exiting vehicle v’ for which q jt is maximal this realizes a Bayesian decision (minimizes the error probability of the decision) –the adversary wins if v’ = v  the level of privacy achieved is characterized by the success probability of the adversary –if success probability is high, then level of privacy is low 8.2 Location privacy in vehicular networks

21 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 21/37 Location-Based Services  People share their location on-line –Social purposes –Contextual services 8.2 Location privacy in location-based services

22 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 22/37 Quantifying location privacy 8.2 Location privacy in location-based services  The Framework

23 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 23/37 Protecting location privacy 8.2 Location privacy in location-based services  Anonymization –Pseudonyms  Obfuscation –Deleting –Randomizing –Discretizing –Sub-sampling

24 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 24/37 Adversary Model 8.2 Location privacy in location-based services ObservationKnowledge Anonymized and Obfuscated Traces Users’ mobility profiles PDF anonymization PDF obfuscation LPPM Inference Attack Examples Localization Attack : “Where was Alice at 8pm?” What is the probability distribution over the locations for user ‘Alice’ at time ‘8pm’? Tracking Attack : “Where did Alice go yesterday?” What is the most probable trace (trajectory) for user ‘Alice’ for time period ‘yesterday’?

25 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 25/37 Inference Attacks 8.2 Location privacy in location-based services A practical solution: Decoupling De-anonymization from De-obfuscation Computationally infeasible:  (anonymization / permutation) can take N! values (A u is the actual trace of user u)

26 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 26/37 De-anonymization 8.2 Location privacy in location-based services 1 - Compute the likelihood of observing trace ‘i’ from user ‘u’, for all ‘i’ and ‘u’, using HMP (Hidden Markov Process): Forward-Backward algorithm. 2 - Compute the most likely assignment using a Maximum Weight Assignment algorithm (e.g., Hungarian algorithm). O(N 4 ) u1u1 u2u2 uNuN … Users 1 … Nyms 2 N

27 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 27/37 De-obfuscation 8.2 Location privacy in location-based services Given the most likely assignment  *, the localization probability can be computed using Hidden Markov Model: the Forward-Backward algorithm Tracking Attack Given the most likely assignment  *, the most likely trace for each user can be computed using Viterbi algorithm Localization Attack

28 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 28/37 The game 8.2 Location privacy in location-based services User Adversary (leader) (follower) LBS message user gain / adversary loss

29 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 29/37 Hands-on Exercises 3 8.2 Location privacy in location-based services  Part A –Wireless traces –Analysis –De-anonymization –Countermeasures –Bonus: Track (multiple) users  Part B –LPPM evaluation using LPM –E.g., sub-sampling: hoe3_lpm configFile s subsamplingProb –Bonus: Analyze and understand the privacy levels obtained

30 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 30/37 Chapter outline 8.1 Important privacy related notions and metrics 8.2 Location privacy in vehicular networks 8.3 Privacy preserving routing in ad hoc networks

31 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 31/37 8.3 Privacy preserving routing in ad hoc networks  Goal: unlinkability (make it very hard for a global observer to know who communicates with whom)  Some nodes may be compromised  even the forwarding nodes should not know who the source and the destination are  We also want to hide the identity of the forwarding nodes from each other (because this information would be useful for the attacker) 8.3 Privacy preserving routing in ad hoc networks

32 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 32/37 Effective but inefficient solution  Route establishment: flooding the network with a route request  Source: -1 –generates an asymmetric key-pair (K,K -1 ), a secret key k 0, and a nonce n 0 -1 –Encrypts D, S, and K -1 with the public key K D of the destination –Encrypts k 0 and n 0 with K –Broadcasts the route request: 8.3 Privacy preserving routing in ad hoc networks

33 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 33/37 Effective but inefficient solution  F1 receives this route request  It verifies if it is the target of the request: –decrypts with its private key  If F1 is not the target: –Generates a secret key k 1 and a nonce n 1 –Concatenates them to –Encrypts the result with K –Broadcasts  General format of the route request message: 8.3 Privacy preserving routing in ad hoc networks

34 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 34/37 Effective but inefficient solution  D attempts to decrypt and it succeeds  D broadcasts a dummy request:  It decrypts and obtains the secret keys and the nonces of the forwarding nodes  It generates a link key for each link and sends a route reply: 8.3 Privacy preserving routing in ad hoc networks

35 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 35/37 Effective but inefficient solution  F i receives route reply: decrypts it with k i  If k i works: checks if it received back its n i  If this is the case: –F i peels the outer layer off the route reply –Applies some padding to retain its original length – Re-broadcasts  Sending data: –Source encrypts the packet with k out 0 and broadcasts it –Each node tries to decrypt it with its incoming link keys –If F i succeeds to decrypt the packet with k i in : it re-encrypts it with k i out, and re-broadcasts it –Until the packet arrives to the destination 8.3 Privacy preserving routing in ad hoc networks

36 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 36/37 Improving efficiency  Much computation from the nodes: –Solution: replace the public key encryption with symmetric key encryption  Source and destination share a secret key k SD and a counter c SD  Source computes a one-time hint for the destination: h(k SD,c SD )  Each node can pre-compute the hint of each possible source: –only a table lookup when processing route request messages 8.3 Privacy preserving routing in ad hoc networks

37 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 37/37 Improving efficiency  Modified route request:  Modified route reply:  Hint for F i : hashing n i with g  When processing route reply: –Only a table lookup to determine which key should be used to decrypt the route reply 8.3 Privacy preserving routing in ad hoc networks

38 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection 38/37 Summary on Privacy Protection  Location privacy in LBS services: –Aversary model: sporadic location exposure (with LPPM) –The level of location privacy can be quantified based on the result of the inference –Trade-off with utility  Location privacy in vehicular networks: –Adversary model: monitored zones and unmonitored zones –The level of location privacy can be quantified using an entropy-based metric  Privacy in ad hoc network routing protocols: –A routing protocol that makes it very hard for a global observer to know who communicates with whom

39 Security and Cooperation in Wireless Networks Chapter 8: Privacy protection Our research projects on privacy protection -Privacy in mobile and pervasive networks: http://lca.epfl.ch/projects/privacy http://lca.epfl.ch/projects/privacy To probe further on some aspects presented in this lecture: - R. Shokri, G. Theodorakopoulos, J.-Y. Le Boudec, and J.-P. Hubaux. Quantifying Location Privacy. In Proc. of the IEEE Symposium on Security and Privacy (S&P), Oakland, CA, USA, 2011.Quantifying Location Privacy - R. Shokri, G. Theodorakopoulos, C. Troncoso, J.-P. Hubaux, and J.-Y. Le Boudec. Protecting Location Privacy: Optimal Strategy against Localization Attacks. In Proc. of the 19th ACM Conference on Computer and Communications Security (CCS), Raleigh, NC, USA, 2012. Protecting Location Privacy: Optimal Strategy against Localization Attacks -Genome privacy: http://lca.epfl.ch/projects/genomic-privacy/ http://lca.epfl.ch/projects/genomic-privacy/ -Privacy and security mechanisms with selfish players: http://lca.epfl.ch/projects/gamesec http://lca.epfl.ch/projects/gamesec

Download ppt "Mobile Networks - Module H2 Privacy in Mobile Networks Privacy notions and metrics Location privacy Privacy preserving routing in ad hoc networks Slides."

Similar presentations

Efficient Secure Aggregation in VANETs Maxim Raya, Adel Aziz, and Jean-Pierre Hubaux Laboratory for computer Communications and Applications (LCA) EPFL.

Efficient Secure Aggregation in VANETs Maxim Raya, Adel Aziz, and Jean-Pierre Hubaux Laboratory for computer Communications and Applications (LCA) EPFL.
On the Optimal Placement of Mix Zones Julien Freudiger, Reza Shokri and Jean-Pierre Hubaux PETS, 2009.

On the Optimal Placement of Mix Zones Julien Freudiger, Reza Shokri and Jean-Pierre Hubaux PETS, 2009.
Protecting Location Privacy: Optimal Strategy against Localization Attacks Reza Shokri, George Theodorakopoulos, Carmela Troncoso, Jean-Pierre Hubaux,

Protecting Location Privacy: Optimal Strategy against Localization Attacks Reza Shokri, George Theodorakopoulos, Carmela Troncoso, Jean-Pierre Hubaux,
Secure Location Verification with Hidden and Mobile Base Stations -TMC Apr, 2008 Srdjan Capkun, Kasper Bonne Rasmussen, Mario Cagalj, Mani Srivastava.

Secure Location Verification with Hidden and Mobile Base Stations -TMC Apr, 2008 Srdjan Capkun, Kasper Bonne Rasmussen, Mario Cagalj, Mani Srivastava.
EPFL, Lausanne, Switzerland Márk Félegyházi Equilibrium Analysis of Packet Forwarding Strategies in Wireless Ad Hoc Networks – the Static Case Márk Félegyházi.

EPFL, Lausanne, Switzerland Márk Félegyházi Equilibrium Analysis of Packet Forwarding Strategies in Wireless Ad Hoc Networks – the Static Case Márk Félegyházi.
Maximum Battery Life Routing to Support Ubiquitous Mobile Computing in Wireless Ad Hoc Networks By C. K. Toh.

Maximum Battery Life Routing to Support Ubiquitous Mobile Computing in Wireless Ad Hoc Networks By C. K. Toh.
Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009.

Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Delay bounded Routing in Vehicular Ad-hoc Networks Antonios Skordylis Niki Trigoni MobiHoc 2008 Slides by Alex Papadimitriou.

Delay bounded Routing in Vehicular Ad-hoc Networks Antonios Skordylis Niki Trigoni MobiHoc 2008 Slides by Alex Papadimitriou.
GrooveSim: A Topography- Accurate Simulator for Geographic Routing in Vehicular Networks 簡緯民 P76964275.

GrooveSim: A Topography- Accurate Simulator for Geographic Routing in Vehicular Networks 簡緯民 P
Quantifying Location Privacy: The Case of Sporadic Location Exposure Reza Shokri George Theodorakopoulos George Danezis Jean-Pierre Hubaux Jean-Yves Le.

Quantifying Location Privacy: The Case of Sporadic Location Exposure Reza Shokri George Theodorakopoulos George Danezis Jean-Pierre Hubaux Jean-Yves Le.
A Mobile Infrastructure Based VANET Routing Protocol in the Urban Environment School of Electronics Engineering and Computer Science, PKU, Beijing, China.

A Mobile Infrastructure Based VANET Routing Protocol in the Urban Environment School of Electronics Engineering and Computer Science, PKU, Beijing, China.
Mini-Project 2007 On Location Privacy in Vehicular Mix-Networks Julien Freudiger IC-29 Self-Organised Wireless and Sensor Networks Tutors: Maxim Raya Márk.

Mini-Project 2007 On Location Privacy in Vehicular Mix-Networks Julien Freudiger IC-29 Self-Organised Wireless and Sensor Networks Tutors: Maxim Raya Márk.
Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Anand Patwardhan Jim.

Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Anand Patwardhan Jim.
Slicing the Onion: Anonymous Routing without PKI Saurabh Shrivastava CS 259

Slicing the Onion: Anonymous Routing without PKI Saurabh Shrivastava CS 259
1 A Distortion-based Metric for Location Privacy Workshop on Privacy in the Electronic Society (WPES), Chicago, IL, USA - November 9, 2009 Reza Shokri.

1 A Distortion-based Metric for Location Privacy Workshop on Privacy in the Electronic Society (WPES), Chicago, IL, USA - November 9, 2009 Reza Shokri.
overview Motivation Ongoing research on VANETs Introduction Objectives Applications Possible attacks Conclusion.

overview Motivation Ongoing research on VANETs Introduction Objectives Applications Possible attacks Conclusion.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Cashmere: Resilient Anonymous Routing CS290F March 7, 2005.

Cashmere: Resilient Anonymous Routing CS290F March 7, 2005.
Nov.6, 2002 Secure Routing Protocol for Ad Hoc Networks Li Xiaoqi.

Nov.6, 2002 Secure Routing Protocol for Ad Hoc Networks Li Xiaoqi.

Similar presentations

Ads by Google