1 / 39

Mobile Networks - Module H2 Privacy in Mobile Networks

Mobile Networks - Module H2 Privacy in Mobile Networks. P rivacy notions and metrics L ocation privacy P rivacy preserving routing in ad hoc networks. The Lives of Others, 2006. Slides adapted from “Security and Cooperation in Wireless Networks, Chapter 8: Privacy Protection” .

quinta
Download Presentation

Mobile Networks - Module H2 Privacy in Mobile Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Mobile Networks - Module H2 Privacy in Mobile Networks Privacy notions and metrics Location privacy Privacy preserving routing in ad hoc networks The Lives of Others, 2006 Slides adapted from “Security and Cooperation in Wireless Networks, Chapter 8: Privacy Protection”

  2. Chapter outline 8.1 Important privacy related notions and metrics 8.2 Location privacy 8.3 Privacy preserving routing in ad-hoc networks

  3. Privacy related notions • Anonymity: hiding who performed a given action • Untraceability: making difficult for an adversary to identify that a given set of actions were performed by the same subject • Unlinkability: generalization of the two former notions: hiding information about the relationships between any item • Unobservability: hiding of the items themselves (e.g., hide the fact that a message was sent) • Pseudonymity: making use of a pseudonym instead of the real identity 8.1 Important privacy related notions

  4. Privacy metrics (1/3) The adversary tries to de-anonymize an observed action • Anonymity set: set of subjects that might have performed the action • Is a good measure only if all the members of the set are equally likely to have performed the observed action • Entropy-based measure of anonymity: 8.1 Important privacy related notions

  5. Privacy metrics (2/3) The adversary tries to link elements • Entropy-based measure for unlinkability: 8.1 Important privacy related notions

  6. How accurate is the estimate?Confidence intervals How focused is the estimate on a value? Entropy How close is the estimate to the true value? Expected error Privacy metrics (3/3) The adversary runs an inference attack • Entropy-based measure for certainty:where is the set of possible values for a given attribute is the probability (for the adversary) that the value of the attribute is for a given user • Expected error-based measure for correctness: 8.1 Important privacy related notions

  7. Chapter outline 8.1 Important privacy related notions and metrics 8.2 Location privacy 8.3 Privacy preserving routing in ad hoc networks

  8. Location privacy A location trace is not only a set of positions on a map The contextual information attached to a trace tells much about our habits, interests, activities, and relationships 8.2 Location privacy in vehicular networks

  9. GPS, GALILEO Terrestrial Broadcast RDS, DAB UMTS GSM WiMAX • Beacon • CALM-IR • CALM-M5 • DSRC Hot-Spot (Wireless LAN, WiFi) RSU to RSU Variable Message Sign 50 RFID Broadcaster Vehicle to Vehicle A first example: Vehicular networks 8.2 Location privacy in vehicular networks

  10. Vehicle Communication (VC) • VC promises safer roads, Warning: Accident at (x,y) Warning: Accident at (x,y) ! ! • … more efficient driving, Traffic Update: Congestion at (x,y) TOC Congestion Warning: At (x,y), use alt. route RSU RSU ! 8.2 Location privacy in vehicular networks

  11. Vehicle Communication (VC) • … more fun, Text message: We'll stop at next roadhouse MP3-Download RSU • … and easier maintenance. Software Update Malfunction Notification: Arriving in 10 minutes,need ignition plug CarManuf. 8.2 Location privacy in vehicular networks

  12. Security and Privacy Location Tracking • More fun, but for whom? Position Beacon RSU • … and a lot more … Your newignition-control-software 8.2 Location privacy in vehicular networks

  13. The location privacy problem and a solution • vehicles continuously broadcast heart beat messages, containing their ID, position, speed, etc. • tracking the physical location of vehicles is easy just by eavesdropping on the wireless channel • one possible solution is to change the vehicle identifier, or in other words, to use pseudonyms 8.2 Location privacy in vehicular networks

  14. Adversary model • changing pseudonyms is ineffective against a global eavesdropper • hence, the adversary is assumed to be able to monitor the communications only at a limited number of places and in a limited range predicted position at the time of the next heart beat A, GPS position, speed, direction B, GPS position, speed, direction 8.2 Location privacy in vehicular networks

  15. The mix zone concept • the unobserved zone functions as a mix zone where the vehicles change pseudonym and mix with each other • vehicles do not know where the mix zone is (this depends on where the adversary installs observation spots) • vehicles change pseudonyms frequently s.t. each vehicle changes pseudonym while in the mix zone 8.2 Location privacy in vehicular networks

  16. Example of mix zone 3 Pseudonym: Z34 mix zone 1 4 Pseudonym: X12 Pseudonym: W45 2 Pseudonym: Y23 8.2 Location privacy in vehicular networks

  17. Model of the mix zone • time is divided into discrete steps • pij = Pr{ exiting at j | entering at i } • Dij is a random variable (delay) that represents the time that elapses between entering at i and exiting at j • dij(t) = Pr{ Dij = t } • Pr{ exiting at j at t | entering at i at t } = pij dij(t-t) dij(t) t 8.2 Location privacy in vehicular networks

  18. Observations • the adversary can observe the points (ni, xi) and the times (ti, ti) of enter and exit events (Ni, Xi) • nodes change pseudonyms inside the mix zone  no easy way to determine which exit event corresponds to which enter event • each possible mapping between exit and enter events is represented by a permutation p of {1, 2, …, k}: mp = (N1 ~ Xp[1], N2 ~ Xp[2], …, Nk ~ Xp[k]) where p[i] is the i-th element of the permutation • we want to determine Pr{ mp | N, X } N1 N2 Nk t2 t1 = 0 tk n1 n2 nk t x1 x2 xk t1 tk X1 X2 Xk 8.2 Location privacy in vehicular networks

  19. Computing the level of privacy where mπ is the mapping described by the permutation π where pij is a cell of the matrix P of size nxn, where n is the number of gates of the mix zone and dij(t) describes the probability distribution of the delay when crossing the mix zone from gate i to gate j. 8.2 Location privacy in vehicular networks

  20. Another privacy metric • tracking game: • the adversary picks a vehicle v in the observed zone • she tracks v until it enters the mix zone at port s • then, she observes the exiting events until time T (where the probability that v leaves the mix zone until T is close to one) • for each exiting vehicle at port j and time t, the adversary computes qjt = psjdsj(t) • the adversary decides to the exiting vehicle v’ for which qjt is maximal • this realizes a Bayesian decision (minimizes the error probability of the decision) • the adversary wins if v’ = v • the level of privacy achieved is characterized by the success probability of the adversary • if success probability is high, then level of privacy is low 8.2 Location privacy in vehicular networks

  21. Location-Based Services • People share their location on-line • Social purposes • Contextual services 8.2 Location privacy in location-based services

  22. Quantifying location privacy • The Framework 8.2 Location privacy in location-based services

  23. Protecting location privacy • Anonymization • Pseudonyms • Obfuscation • Deleting • Randomizing • Discretizing • Sub-sampling 8.2 Location privacy in location-based services

  24. Anonymized and Obfuscated Traces Users’ mobility profiles LPPM PDFanonymization PDFobfuscation Inference Attack Examples Localization Attack: “Where was Alice at 8pm?” What is the probability distribution over the locations for user ‘Alice’ at time ‘8pm’? Tracking Attack: “Where did Alice go yesterday?” What is the most probable trace (trajectory) for user ‘Alice’ for time period ‘yesterday’? Adversary Model Observation Knowledge 8.2 Location privacy in location-based services

  25. Inference Attacks • Computationally infeasible: • (anonymization / permutation) can take N! values • (Auis the actual trace of user u) A practical solution: Decoupling De-anonymization from De-obfuscation 8.2 Location privacy in location-based services

  26. Users Nyms u1 1 u2 2 … … uN N De-anonymization 1 - Compute the likelihood of observing trace ‘i’ from user ‘u’, for all ‘i’ and ‘u’, using HMP (Hidden Markov Process): Forward-Backward algorithm. 2 - Compute the most likely assignment using a Maximum Weight Assignment algorithm (e.g., Hungarian algorithm). O(N4) 8.2 Location privacy in location-based services

  27. De-obfuscation Localization Attack Given the most likely assignment *, the localization probability can be computed using Hidden Markov Model: the Forward-Backward algorithm Tracking Attack Given the most likely assignment *, the most likely trace for each user can be computed using Viterbialgorithm 8.2 Location privacy in location-based services

  28. The game UserAdversary (leader) (follower) User accesses LBS from location known to adversary LBS message user gain / adversary loss Chooses to minimize it Chooses to maximizeit 8.2 Location privacy in location-based services

  29. Hands-on Exercises 3 • Part A • Wireless traces • Analysis • De-anonymization • Countermeasures • Bonus: Track (multiple) users • Part B • LPPM evaluation using LPM • E.g., sub-sampling: hoe3_lpm configFile s subsamplingProb • Bonus: Analyze and understand the privacy levels obtained 8.2 Location privacy in location-based services

  30. Chapter outline 8.1 Important privacy related notions and metrics 8.2 Location privacy in vehicular networks 8.3 Privacy preserving routing in ad hoc networks

  31. 8.3 Privacy preserving routing in ad hoc networks • Goal: unlinkability (make it very hard for a global observer to know who communicates with whom) • Some nodes may be compromised  even the forwarding nodes should not know who the source and the destination are • We also want to hide the identity of the forwarding nodes from each other (because this information would be useful for the attacker) 8.3 Privacy preserving routing in ad hoc networks

  32. Effective but inefficient solution • Route establishment: flooding the network with a route request • Source: • generates an asymmetric key-pair (K,K-1), a secret key k0, and a nonce n0 • Encrypts D, S, and K-1with the public key KD of the destination • Encrypts k0 and n0 with K • Broadcasts the route request: 8.3 Privacy preserving routing in ad hoc networks

  33. Effective but inefficient solution • F1 receives this route request • It verifies if it is the target of the request: • decrypts with its private key • If F1 is not the target: • Generates a secret key k1 and a nonce n1 • Concatenates them to • Encrypts the result with K • Broadcasts • General format of the route request message: 8.3 Privacy preserving routing in ad hoc networks

  34. Effective but inefficient solution • D attempts to decrypt and it succeeds • D broadcasts a dummy request: • It decrypts and obtains the secret keys and the nonces of the forwarding nodes • It generates a link key for each link and sends a route reply: 8.3 Privacy preserving routing in ad hoc networks

  35. Effective but inefficient solution • Fi receives route reply: decrypts it with ki • If ki works: checks if it received back its ni • If this is the case: • Fi peels the outer layer off the route reply • Applies some padding to retain its original length • Re-broadcasts • Sending data: • Source encrypts the packet with kout0 and broadcasts it • Each node tries to decrypt it with its incoming link keys • If Fi succeeds to decrypt the packet with kiin: it re-encrypts it with kiout, and re-broadcasts it • Until the packet arrives to the destination 8.3 Privacy preserving routing in ad hoc networks

  36. Improving efficiency • Much computation from the nodes: • Solution: replace the public key encryption with symmetric key encryption • Source and destination share a secret key kSD and a counter cSD • Source computes a one-time hint for the destination: h(kSD,cSD) • Each node can pre-compute the hint of each possible source: • only a table lookup when processing route request messages 8.3 Privacy preserving routing in ad hoc networks

  37. Improving efficiency • Modified route request: • Modified route reply: • Hint for Fi: hashing niwith g • When processing route reply: • Only a table lookup to determine which key should be used to decrypt the route reply 8.3 Privacy preserving routing in ad hoc networks

  38. Summary on Privacy Protection • Location privacy in LBS services: • Aversary model: sporadic location exposure (with LPPM) • The level of location privacy can be quantified based on the result of the inference • Trade-off with utility • Location privacy in vehicular networks: • Adversary model: monitored zones and unmonitored zones • The level of location privacy can be quantified using an entropy-based metric • Privacy in ad hoc network routing protocols: • A routing protocol that makes it very hard for a global observer to know who communicates with whom

  39. Our researchprojects on privacy protection • Privacyin mobile and pervasive networks:http://lca.epfl.ch/projects/privacy To probe further on some aspects presented in this lecture: - R. Shokri, G. Theodorakopoulos, J.-Y. Le Boudec, and J.-P. Hubaux. Quantifying Location Privacy. In Proc. of the IEEE Symposium on Security and Privacy (S&P), Oakland, CA, USA, 2011. - R. Shokri, G. Theodorakopoulos, C. Troncoso, J.-P. Hubaux, and J.-Y. Le Boudec. Protecting Location Privacy: Optimal Strategy against Localization Attacks. In Proc. of the 19th ACM Conference on Computer and Communications Security (CCS), Raleigh, NC, USA, 2012. • Genomeprivacy: http://lca.epfl.ch/projects/genomic-privacy/ • Privacyand securitymechanismswithselfishplayers:http://lca.epfl.ch/projects/gamesec

More Related