1. Hiding Contextual Information in WSNs Alejandro Proaño and Loukas Lazos Dept. of Electrical and Computer Engineering University of Arizona

2. Private Communications over Public Channels 6/25/20122D-SPAN 2012: Alejandro Proaño and Loukas Lazos Alice K enc Bob K dec Eve hdrpayloa hdrpayloa

3. Insufficiency of Cryptographic Methods Communication attributes remain exposed Headers, control packets, packet sizes, inter-packet timings, total bytes Leads to leakage of contextual information 6/25/20123D-SPAN 2012: Alejandro Proaño and Loukas Lazos Alice Packet size Inter-arrival time Eve hdrpayloa hdr Internet Alice communicated with Bob at 10:00 Alice typed pswd XYZ (Keystroke analysis over SSH) [ Wright et. al 2001 ] Alice accessed website xyz.com (HTTP object sig.) [Sun et al., 2002] Bob

4. Contextual Information in WSN Types of contextual information: Event location Event time Source-sink path Sink location Event type 6/25/20124D-SPAN 2012: Alejandro Proaño and Loukas Lazos S Legitimate of sensors Adversary sensors

5. Problem Statement Given a set of sensors V A set of eavesdroppers A, covering the WSN (global adversary) Low cost adversarial sensors Cannot distinguish packets from different sources based on AOA, power, RF sig. etc. 6/25/20125D-SPAN 2012: Alejandro Proaño and Loukas Lazos Problem: hide contextual information in a resource-efficient manner Legitimate of sensors Adversary sensors

6. Current Approaches Normalize traffic patterns observed by the adversary Flooding [Mehta et al. 2007] Emulation of events [Mehta et al. 2007] Proxy-based approaches [Yang et al. 2008] Transmission delay reduction [Shao et al. 2008] Problem: Overhead proportional to the size of the WSN 6/25/20126D-SPAN 2012: Alejandro Proaño and Loukas Lazos S Legitimate of sensors Proxies Adversary sensors

7. Our Contributions We develop a resource-efficient scheme for hiding contextual information Only a subset D ⊆ V generates bogus traffic We map the problem of finding D to the problem of finding a minimum connected dominating set (MCDS) that covers the WSN We regulate the transmission rates of real traffic to maintain the statistical properties of the traffic observed by the adversary We achieve significant reduction in number of bogus traffic sources Dependent on sensor density, not size 6/25/20127D-SPAN 2012: Alejandro Proaño and Loukas Lazos

8. Design Motivation Apply link-level re-encryption Minimize number of bogus sources Cover all adversarial sensors Regulate real traffic rates Design in two phases: 1.Selection of bogus sources 2.Rate assignment 6/25/20128D-SPAN 2012: Alejandro Proaño and Loukas Lazos v4v4 v3v3 v2v2 v1v1 v6v6 v5v5 Legitimate of sensors Bogus sources Adversary sensors

9. Phase 1: Selection of Bogus Sources D is selected based on four selection principles: 1.The set D must be of minimum size 2.Transmissions in V \ D are minimized 3.D forms a connected network 4.Every a i ∈ A must overhear bogus traffic 6/25/20129D-SPAN 2012: Alejandro Proaño and Loukas Lazos V : set of sensors D: set of bogus sources A: set of adversary sensors

10. Phase 1: Selection of Bogus Sources Dominating Set (DS): A subset D ⊆ V such that every node in V is part of D or is adjacent to a node in D. If D is connected, then it is a CDS D is chosen as a minimum CDS (MCDS) Finding a MCDS is NP-Complete We use a coloring algorithm of complexity O(|V|) proposed in [Cardei et al. 2002] 6/25/201210D-SPAN 2012: Alejandro Proaño and Loukas Lazos a1a1 a 10 a 12 a 11 a3a3 a2a2 a7a7 a8a8 a9a9 a6a6 a5a5 a4a4 v5v5 v3v3 v4v4 v2v2 v1v1 v 10 v6v6 v7v7 v 11 v9v9 v8v8

11. Step 1: Constructing on MCDS Initially: All nodes v i are marked as m(v i ) = WHITE DS Generation: Node with the highest number of WHITE neighbors is marked as BLACK If v i becomes BLACK, its neighbors become GRAY Process repeated until no nodes are marked as WHITE 6/25/201211D-SPAN 2012: Alejandro Proaño and Loukas Lazos a1a1 a 10 a 12 a 11 a3a3 a2a2 a7a7 a8a8 a9a9 a6a6 a5a5 a4a4 v5v5 v3v3 v4v4 v2v2 v1v1 v 10 v6v6 v7v7 v 11 v9v9 v8v8

12. Step 1: Constructing on MCDS Approximation of the MCDS: Each GRAY node keeps track of the number of non-dominated BLACK neighbors b(v i ) The GRAY node with the maximum b(v i ) in its neighborhood becomes BLACK and all its BLACK neighbors become dominated Process repeated until all BLACK nodes are dominated 6/25/201212D-SPAN 2012: Alejandro Proaño and Loukas Lazos a1a1 a 10 a 12 a 11 a3a3 a2a2 a7a7 a8a8 a9a9 a6a6 a5a5 a4a4 v5v5 v3v3 v4v4 v2v2 v1v1 v 10 v6v6 v7v7 v 11 v9v9 v8v8

13. a1a1 a 10 a 12 a 11 a3a3 a2a2 a7a7 a8a8 a9a9 a6a6 a5a5 a4a4 v5v5 v3v3 v4v4 v2v2 v1v1 v 10 v6v6 v7v7 v 11 v9v9 v8v8 Step 2: Covering the Deployment Area Verifying coverage: A GRAY node becomes BLACK if the area of its neighborhood is not covered by BLACK nodes. 6/25/201213D-SPAN 2012: Alejandro Proaño and Loukas Lazos The set D = { v i : m ( v i ) = BLACK} forms a CDS that covers the sensor field S

14. Phase 2: Rate Assignment Given: O: set of observations E: set of events ( E ⊆ O ), Z(θ 1,…,θ k ): distribution of O when E = Ø Z ’ (θ ’ 1,…,θ ’ k ): distribution of O when E ≠ Ø ( α,ε )-unobservability [Shao et. Al 2008]: Distributions Z and Z’ indistinguishable if, a) f ( Z, Z ’ ) ≤ g ( α ) b)( 1- ε ) θ i ≤ θ ’ i ≤( 1 + ε ) θ i where: f ( Z, Z ’ ): distance between Z and Z ’ g ( α ): maximum allowed deviation of Z and Z ’ α: false alarms rate ε: deviation factor 6/25/201214D-SPAN 2012: Alejandro Proaño and Loukas Lazos

15. Phase 2: Rate Assignment in D Time divided in intervals I 1, I 2, … At each interval, v ∈ D transmit bogus traffic at rate: R v ~ Y ( θ 1Y,…,θ kY ) a ∈ A observes traffic at rate: R a = ∑ v є Na R v N a is the set of v ∈ D neighbors of a R a ~ Z a ( θ 1Z,…,θ kZ ) and θ iZ = | Na | θ iY v ∈ D substitutes bogus packets with real ones 6/25/201215D-SPAN 2012: Alejandro Proaño and Loukas Lazos

16. Phase 2: Rate Assignment in V \ D To detect an event, a ∈ A test indistinguishability between Z a and Z ’ a Z ’ a estimated from a set O ’ of n observations of R a O’ = { r j-n+1 a, r a j-n+2,…, r a j } A transmission of s ∉ D at a rate r j s deviates Z ’ a from Z a Transmission of s ∉ D affects n sets of observations To remain undetected, s must satisfy indistinguishability for n sets of observations 6/25/201216D-SPAN 2012: Alejandro Proaño and Loukas Lazos r1ar1a r2ar2a r3ar3a r 4 a + r 4 s r5ar5a r6ar6a r7ar7a r8ar8a I1I1 I2I2 I5I5 I6I6 I7I7 I8I8 I3I3 I4I4 n = 4

17. Phase 2: Rate Assignment in V \ D Sensor s is not aware of the location of a Its neighborhood is divided in m non- overlapping areas Consider all distinct rates possibly observed by a Sensors share random seeds Finally, test indistinguishability on the n x m sets of observations Chooses the highest rate that passes all the tests If failure, transmission is delayed one interval 6/25/201217D-SPAN 2012: Alejandro Proaño and Loukas Lazos v1v1 v2v2 v3v3 s U4U4 U3U3 U2U2 U1U1 U7U7 U5U5 U6U6 C s (l s,γ) =U 1 ∪ … ∪ U 7 U 1 = C s (l s,γ) ∩ C v1 (l v1,γ) C v (l v,γ): comm. range of v ∈ V

18. Performance Evaluation 6/25/201218D-SPAN 2012: Alejandro Proaño and Loukas Lazos Evaluation Criteria: Fraction of sensors generating bogus traffic, average transmission rate for nodes s ∉ D, and average delay introduced by our scheme Simulation parameters: 5,000 sensors deployed in an area of 1,000 x 1,000 meters Bogus traffic rates are assigned according a uniform distribution in the interval (0,1] Real traffic rates assigned using a χ 2 goodness of fit test n = 100, α = 0.05, ε = 0.1

19. Fraction of sensors in D vs d v 6/25/201219D-SPAN 2012: Alejandro Proaño and Loukas Lazos

20. Average rate r s vs |N a | 6/25/201220D-SPAN 2012: Alejandro Proaño and Loukas Lazos

21. Average delay vs |N a | 6/25/201221D-SPAN 2012: Alejandro Proaño and Loukas Lazos

22. Conclusions 6/25/201222D-SPAN 2012: Alejandro Proaño and Loukas Lazos We addressed the problem of hiding contextual information in WSNs in a resource efficient manner We proposed a mechanism that generates bogus traffic from a fixed subset bogus sources The number of bogus sources was minimized by forming a minimum connected dominating set that covers the WSN We showed that ( α,ε )-unobservability can be satisfied by regulating the transmission rates of bogus and real traffic sources

23. Future Work 6/25/201223D-SPAN 2012: Alejandro Proaño and Loukas Lazos Reduce the number of tests required to select transmission rates Generation and schedule algorithms to use multiple MCDS Derive analytical delay bounds when routing occurs over multiple MCDS Ensure that packets are delivered in timely manner (avoiding cycles, long routes, etc)