1. 1 Enhancing Source-Location Privacy in Sensor Network Routing P. Kamat, Y. Zhang, W. Trappe and C. Ozturk Proceedings of the 25th IEEE Int. Conference on Distributed Computing Systems Rutgers University Matthew Sanderson

2. 2 Presentation Outline Introduction to issue Introduction to issue Panda vs Hunter Panda vs Hunter Techniques for Stationary Sources Techniques for Stationary Sources  Routing Protocols  Performance Comparison  Improvement for privacy. (Briefly) Mobile Sources (Briefly) Mobile Sources Related/Future Work Related/Future Work Conclusion Conclusion Questions Questions

3. 3 The issue is privacy. “Guarantee that information is observable or decipherable by only those who are intentionally meant to observe or decipher it.” “Guarantee that information is observable or decipherable by only those who are intentionally meant to observe or decipher it.” Two broad categories: Two broad categories:  content-oriented  context-oriented

4. 4 Content-oriented Security/Privacy Security of the contents of messages. Security of the contents of messages. Cryptographic methods. Cryptographic methods.

5. 5 Contextual Privacy Deals with context in which the sensor application works. Deals with context in which the sensor application works. In this case: location In this case: location Not as thoroughly researched. Not as thoroughly researched. What this paper covers. What this paper covers.

6. 6 Source-location Privacy Privacy of the node sending the initial message. Privacy of the node sending the initial message. Two metrics: Two metrics:  safety period – how long until the node is discovered  capture likelihood – how likely it will get discovered

7. 7 Accomplishing source-location privacy Look at popular routing techniques. Look at popular routing techniques. Augment these techniques with a new approach. Augment these techniques with a new approach. Energy consumption still important. Energy consumption still important.

8. 8 Panda-Hunter Game Model Scenario Panda-Hunter Game: Panda-Hunter Game:  A sensor network has been deployed to monitor a panda habitat.  Sensors send Panda_Here messages  Messages are forwarded to a data sink.  The hunter observes packets and traces his way back to the panda. Privacy Goal: Increase the time needed for an adversary to track and capture the panda (safety period). Privacy Goal: Increase the time needed for an adversary to track and capture the panda (safety period). Data Sink Sensor Node Slide source: Wenyuan Xu

9. 9 Additional Game Setup Issues One panda – one source One panda – one source Additional Goal: deliver messages to base station. Additional Goal: deliver messages to base station. Concern: energy usage. Concern: energy usage. Data Sink Sensor Node

10. 10 The Hunter Non-malicious – does not interfere with network Non-malicious – does not interfere with network Device-rich – has devices to measure angle of arriving message Device-rich – has devices to measure angle of arriving message Resource-rich – move at any rate and unlimited power Resource-rich – move at any rate and unlimited power Informed – knows how the network works Informed – knows how the network works

11. 11 How the hunter gets each message. Two primary routing techniques. Two primary routing techniques.  Flooding  Single-path New approach: Phantom Routing. New approach: Phantom Routing.

12. 12 Routing Techniques - Flooding Flooding-based: source sends the message to all its neighbors, who in turn do the same. Flooding-based: source sends the message to all its neighbors, who in turn do the same. If node has received it already, the node discards it. If node has received it already, the node discards it. Performance drawbacks, but easy implementation. Performance drawbacks, but easy implementation.

13. 13 Probabilistic Flooding Like flooding, but with a probability. Like flooding, but with a probability. When a node receives a message, it randomly generates a number uniformly distributed between 0 and 1. When a node receives a message, it randomly generates a number uniformly distributed between 0 and 1. If # < forwarding probability, it sends, otherwise, it doesn't. If # < forwarding probability, it sends, otherwise, it doesn't.

14. 14 Single-Path Routing Instead of sending out to all neighbors, single-path sends out to one or a small subset of neighbors. Instead of sending out to all neighbors, single-path sends out to one or a small subset of neighbors. Usually require extra hardware or a pre- configuration phase. Usually require extra hardware or a pre- configuration phase. Data Sink Sensor Node

15. 15 How well do they work?

16. 16 Performance Comparison cont.

17. 17 Privacy of Routing Techniques Problems with single-path and flooding Problems with single-path and flooding  Single-path reduces energy, but poor at protecting source- location privacy.  Flooding isn't any better, because the shortest-path is still contained within the flood.  Probabilistic flooding helps – higher safety period, but at the cost of delivery ratio. There is room for improvement. There is room for improvement.  Maybe trick the hunter?

18. 18 Routing with Fake Sources Idea: inject fake messages to throw off hunter. Idea: inject fake messages to throw off hunter. Multiple ways this can be done. Multiple ways this can be done.  Short-lived – similar to probabilistic flooding.

19. 19 Persistent Fake Source Short-lived fake sources can only draw the hunter away momentarily. Short-lived fake sources can only draw the hunter away momentarily. A persistent fake source is more effective, but requires a global overview of network. A persistent fake source is more effective, but requires a global overview of network. Source sends its hop count to sink – sink instigates a fake source at a node with the same hop count in the opposite direction. Source sends its hop count to sink – sink instigates a fake source at a node with the same hop count in the opposite direction. Works best when fake source sends at higher rate than real source, but requires large energy budget. Works best when fake source sends at higher rate than real source, but requires large energy budget.

20. 20 Problem with Fake Sources: Perceptive Hunter Recall the assumptions on our hunter – he's informed. Recall the assumptions on our hunter – he's informed. Once he realizes the fake source, he knows which direction to go for the real source. Once he realizes the fake source, he knows which direction to go for the real source. We need a new approach. We need a new approach.

21. 21 Phantom Routing Idea: entice hunter to phantom instead of source. Idea: entice hunter to phantom instead of source. Has two phases: Has two phases:  Random walk phase  Flood/Single-path phase

22. 22 Types of Random Walk Sector-based – requires knowledge of landmark nodes to send message away from source. Sector-based – requires knowledge of landmark nodes to send message away from source. Hop-based – requires knowledge of the hop count from each node to the base station. Hop-based – requires knowledge of the hop count from each node to the base station.

23. 23 Phantom Routing Performance Can significantly improve the safety period. Can significantly improve the safety period. Higher the hopcount, higher the safety period. Higher the hopcount, higher the safety period. Also increases latency (Random walk of 20: 30% increase = 4x privacy). Also increases latency (Random walk of 20: 30% increase = 4x privacy).

24. 24 Possible Counter: Cautious Hunter Since the phantom routing may leave the hunter stranded, after some time, the cautious hunter may go back. Since the phantom routing may leave the hunter stranded, after some time, the cautious hunter may go back. No benefit – no progress made by hunter. No benefit – no progress made by hunter. Better to be patient. Better to be patient.

25. 25 Mobile Source Need to rethink entire process again. Need to rethink entire process again. Depends on panda's movement pattern and velocity. Depends on panda's movement pattern and velocity.

26. 26 Panda Velocity More profound on single-path routing, as subsequent route may have little overlap compared to flooding. More profound on single-path routing, as subsequent route may have little overlap compared to flooding. Panda's speed with single-path is protection enough. Panda's speed with single-path is protection enough. Improves privacy of phantom routing. Improves privacy of phantom routing.

27. 27 Hunter's Range Not so surprising, if the hunter's hearing range is increased, the hunter is more effective.

28. 28 Related/Future Material Entrapping Adversaries for Source Protection in Sensor Networks Entrapping Adversaries for Source Protection in Sensor Networks  Yi Ouyang, Zhengyi Le, Guanling Chen, James Ford, Fillia Makedon – Dartmouth College Preserving Source Location Privacy in Monitoring-based Wireless Sensor Networks Preserving Source Location Privacy in Monitoring-based Wireless Sensor Networks  Yong Xi, Loren Schwiebert, Weisong Shi – Wayne State University Location Privacy in Sensor Networks Against a Global Eavesdropper Location Privacy in Sensor Networks Against a Global Eavesdropper  Kiran Mehta, Donggang Liu, Matthew Wright – University of Texas at Arlington

29. 29 Conclusion The panda-hunter game is somewhat contrived. The panda-hunter game is somewhat contrived.  Does a great job at visualizing concept. Concept is simple and effective. Concept is simple and effective. Source-location privacy for sensor networks seems to be a minor issue. Source-location privacy for sensor networks seems to be a minor issue.  I'm willing to admit I'm wrong here.  Come up with some examples.

30. 30 Questions? ?