
On the Optimal Placement of Mix Zones

Julien Freudiger, Reza Shokri and Jean-Pierre Hubaux

PETS, 2009

2

Wireless Trends

• Phones
  – Always on (Bluetooth, WiFi)
  – Background apps

• New hardware going wireless
  – Cars, passports, keys, …

3

Peer-to-Peer Wireless Networks

[Figure: nodes 1 and 2; message labels: Identifier, Message]

4

Examples

• Urban Sensing networks
• Delay tolerant networks
• Peer-to-peer file exchange

[Figure panels: VANETs; Social networks]

5

Location Privacy Problem

[Figure with labels a, b and c]

Monitor identifiers used in peer-to-peer communications

6

bluetoothtracking.org

7

Previous Work

• Pseudonymous location traces
  – Home/work location pairs are unique [1]
  – Re-identification of traces through data analysis [2,3,5]

• Location traces without any pseudonyms
  – Re-identification of individual trace and home [4]

• Attack: Spatio-Temporal correlation of traces

[Figure: message labels: Identifier, Message; Pseudonym, Message]

[1] P. Golle and K. Partridge. On the Anonymity of Home/Work Location Pairs. Pervasive Computing, 2009
[2] A. Beresford and F. Stajano. Location Privacy in Pervasive Computing. IEEE Pervasive Computing, 2003
[3] B. Hoh et al. Enhancing Security & Privacy in Traffic Monitoring Systems. Pervasive Computing, 2006
[4] B. Hoh and M. Gruteser. Protecting location privacy through path confusion. SECURECOMM, 2005
[5] J. Krumm. Inference Attacks on Location Tracks. Pervasive Computing, 2007

8

Location Privacy with Mix Zones

Prevent long term tracking

[Figure: mix zone; node labels 1, 2 and a, b?]

Change identifier in mix zones [6,7]
• Key used to sign messages is changed
• MAC address is changed

[6] A. Beresford and F. Stajano. Mix Zones: User Privacy in Location-aware Services. Pervasive Computing and Communications Workshop, 2004
[7] M. Gruteser and D. Grunwald. Enhancing location privacy in wireless LAN through disposable interface identifiers: a quantitative analysis. Mobile Networks and Applications, 2005

9

Mix networks vs Mix zones

[Figure, two panels. Mix network: Alice, three mix nodes, Bob. Mix zones: Alice home, Alice work.]

10

Where to place mix zones?

11

Outline

1. Mix Zone Effectiveness

2. Placement of Mix Zones

3. Application Example

Shibuya Crossing, Tokyo

12

Mobility Model

• Nodes move according to flows [8]
  – A flow defines a trajectory in network
  – Nodes belong to a single flow
  – Several nodes share same flow

[8] M.C. Gonzalez, C.A. Hidalgo, and A.-L. Barabasi. Understanding individual Human Mobility Patterns. Nature, 2008

13

Mix Zones Model

• Mix zones have
  – Set of entry/exit points
  – Traversed by mobile nodes

• Mobility profile of a mix zone [6]
  – Trajectory
  – Sojourn time

14

Trajectory

[Figure: trajectory probabilities labelled on the mix zone: (3/4, 1/4, 0), (1/3, 1/3, 1/3), (2/3, 0, 1/3), (1/2, 1/4, 1/4)]

15

Sojourn Time

[Figure: plot of Pr(Δt) against Δt]

16

Mix Zone Effectiveness

Event-Based Metric [6]

[Figure: entering events and exiting events on time axes t over a window T; node labels 1, 2 and a, b]

$H_T(i) = -\sum_{v=1}^{I} p_v \log_2(p_v)$

$p_v$ is probability of assignment

$I$ = total number of assignments

17

Event-Based Discussion

+
• Precise
• Measures attacker success

• Requires installing eavesdropping stations at every mix zone
• What if nodes are across various windows T
• High complexity (compute all assignments)
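An added worked example of the event-based metric (not from the original slides): it enumerates every assignment of entering to exiting events in one window T, weights each with a mobility profile, and returns the entropy over assignments. The profile values, the event tuples and the product form of an assignment's weight are assumptions made for illustration.

```python
import math
from itertools import permutations

# Constructed mobility profile of one mix zone (assumed values, not from the slides).
# TRAJECTORY[entry][exit] = Pr(exit | entry); SOJOURN[dt] = Pr(sojourn time = dt steps).
TRAJECTORY = {"N": {"S": 0.75, "E": 0.25}, "W": {"S": 0.5, "E": 0.5}}
SOJOURN = {1: 0.2, 2: 0.5, 3: 0.3}

def assignment_probabilities(entering, exiting):
    """Return p_v for every assignment v of entering events to exiting events.

    Events are (time step, entry or exit point). Assumption: an assignment's
    weight is the product, over nodes, of trajectory and sojourn probabilities.
    """
    if len(entering) != len(exiting):
        raise ValueError("every entering node must exit inside the window T")
    weights = []
    for perm in permutations(range(len(exiting))):  # I = n! assignments
        w = 1.0
        for (t_in, entry), j in zip(entering, perm):
            t_out, exit_point = exiting[j]
            w *= (TRAJECTORY[entry].get(exit_point, 0.0)
                  * SOJOURN.get(t_out - t_in, 0.0))
        weights.append(w)
    total = sum(weights)
    if total == 0:
        raise ValueError("no assignment is consistent with the mobility profile")
    return [w / total for w in weights]

def event_entropy(entering, exiting):
    """H_T(i) = -sum_v p_v log2(p_v), in bits."""
    return -sum(p * math.log2(p)
                for p in assignment_probabilities(entering, exiting) if p > 0)

# Constructed observations over one window T.
DISTINCT = ([(0, "N"), (1, "W")], [(2, "S"), (3, "E")])  # timing gives nodes away
ALIKE = ([(0, "N"), (0, "N")], [(2, "S"), (2, "S")])     # indistinguishable nodes

if __name__ == "__main__":
    print(f"distinct: {event_entropy(*DISTINCT):.3f} bits")
    print(f"alike:    {event_entropy(*ALIKE):.3f} bits")
```

The number of assignments grows as n!, which is the complexity drawback listed above.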

18

Mix Zone Effectiveness

Flow-based Metric

• Desired properties
  – Prior to network operation
  – Rely on general statistics of mobility
  – Efficient

• Key idea
  – Consider average behavior in mix zones
  – Measure probability of error of adversary

19

Decision Theory Model

• Assume 2 flows f1, f2 converge to same exit

[Figure: mix zone with flows 1 and 2 and an exit event x; labels: "Any event", "Choice under uncertainty"]

20

Bayes Decision Rule

• Choose hypothesis with largest a posteriori probability
• Minimizes probability of error

is the a priori probability that an event belongs to fj

is the conditional probability of observing x knowing that x belongs to fj

21

Probability of Error

[Figure: two curves over $x$, one per flow, labelled with $p_1(x)$ and $p_2(x)$ terms; $p_e$ marks the probability of error]

22

Jensen-Shannon Divergence

• Measure distance between probability distributions

• Provides both lower and upper bounds for the probability of error
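An added worked example of the flow-based metric (not from the original slides): for two flows that share an exit it computes the Bayes probability of error, the weighted Jensen-Shannon divergence, and the bounds that the divergence puts on that error. The bound formulas are the standard two-hypothesis result due to Lin (1991), which the slides do not reproduce; the distributions and priors are constructed.

```python
import math

def entropy(probs):
    """Shannon entropy in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def mixture(priors, dists):
    """Distribution of exit observations x when flows are mixed with weights pi_j."""
    return [sum(pi * d[x] for pi, d in zip(priors, dists))
            for x in range(len(dists[0]))]

def bayes_error(priors, dists):
    """p_e of the Bayes rule: at each x the adversary picks the flow with the
    largest pi_j * p_j(x); everything else at that x is misattributed."""
    return sum(m - max(pi * d[x] for pi, d in zip(priors, dists))
               for x, m in enumerate(mixture(priors, dists)))

def js_divergence(priors, dists):
    """Weighted Jensen-Shannon divergence, in bits."""
    return entropy(mixture(priors, dists)) - sum(
        pi * entropy(d) for pi, d in zip(priors, dists))

def error_bounds(priors, dists):
    """(lower, upper) bounds on p_e for two flows, after Lin (1991)."""
    gap = entropy(priors) - js_divergence(priors, dists)
    gap = max(gap, 0.0)  # guard against tiny negative rounding
    return 0.25 * gap ** 2, 0.5 * gap

# Constructed sojourn-time distributions Pr(dt) over five time bins for two
# flows f1, f2 that share an exit (assumed values, not from the slides).
PRIORS = [0.5, 0.5]
ZONE_A = [[0.5, 0.3, 0.15, 0.05, 0.0], [0.0, 0.05, 0.15, 0.3, 0.5]]  # flows differ
ZONE_B = [[0.1, 0.2, 0.4, 0.2, 0.1], [0.1, 0.2, 0.4, 0.2, 0.1]]      # flows identical

if __name__ == "__main__":
    for name, zone in (("A", ZONE_A), ("B", ZONE_B)):
        lo, hi = error_bounds(PRIORS, zone)
        print(f"zone {name}: JSD={js_divergence(PRIORS, zone):.3f} "
              f"bounds=[{lo:.3f}, {hi:.3f}] p_e={bayes_error(PRIORS, zone):.3f}")
```

A low divergence (zone B) means the adversary's error stays high, so the divergence can rank candidate mix zones from mobility statistics alone, without enumerating assignments.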

23

Outline

Illustration of Metric

24

Outline

1. Mix Zone Effectiveness

2. Placement of Mix Zones

3. Application Example

25

Description

• Central authority decides offline where to deploy mix zones
  – Knows mobility model
  – Knows effectiveness of possible mix zones locations

26

Distance to Confusion [9]

• Between mix zones, adversary can track nodes
• Mix zone = confusion point
• Bound distance between mix zones

[Figure: Mix zone 1 and Mix zone 2, with the distance-to-confusion between them]

[9] B. Hoh et al. Virtual Trip Lines for Distributed Privacy-Preserving Traffic Monitoring. MobiSys, 2008

27

Cost of mix zones

• Use pseudonyms
• Must remain silent for a period of time
• Bound cost for each node

28

Placement Optimization

• Use a subset of all possible mix zones

Cost

Distance to confusion

Mix zone effectiveness

where $w_i$ is cost of a mix zone, $W_{max}$ is maximum cost, $C_{max}$ is maximum distance-to-confusion

$z_i \in \{0,1\}$

$\hat{Z} \subseteq Z$

29

Illustration of Algorithm

[Figure with labels 1, 2, 3, 4]

30

Outline

1. Mix Zone Effectiveness

2. Placement of Mix Zones

3. Application Example

31

Simulation Setup

• Urban mobility simulator (SUMO)
  – Real (cropped) map
  – Flows

• Attack Implementation (MOBIVACY)
  – Compute mobility profiles for each mix zone
  – Predict most probable assignment of entering/exiting nodes for each mix zone

32

Map of New York City

33

Metric & Configuration

• Matching success of mix zone i

  $m_i = \frac{\text{Number of nodes matched}}{\text{Total number of nodes}}$

• Tracking success

  $ts(k) = \frac{\text{Number of nodes tracked over } k \text{ consecutive mix zones}}{\text{Total number of nodes traversing } k \text{ consecutive mix zones}}$

• System parameters
  – dtc <= 2 km
  – cost <= 3 mix zones

34

Mix Zone Performance

35

Mix Zone Placement

[Figure: fraction of nodes against number of traversed mix zones; legend: Bad, Random, Optimal, Full; averages as listed: (avg=0.48), (avg=1.56), (avg=1.55), (avg=3.56)]

36

Tracking Success for different deployments

37

Performance of Deployment

[Figure: bar chart over the Bad, Random, Optimal and Full deployments; vertical axis from 0 to 1]

38

Tracking Success with different traffic conditions

39

Conclusion

• Construct a network of mix zones

• Measure of mix zones effectiveness based on
  – Mobility profiles
  – Jensen-Shannon divergence

• Optimization model
• Results
  – Optimal algorithm prevents bad placement
  – 30% increase of location privacy compared to random

julien.freudiger@epfl.ch

40

BACKUP SLIDES

41

Future Work

• Real mobility traces
  – More realistic intersection model

• Weight location in optimization
  – Some regions are more sensitive

• Larger map

• Other attacks

42

How to obtain mix zones?

• Silent mix zones
  – Turn off transceiver

• Passive mix zones
  – Where adversary is absent
  – Before connecting to Wireless Access Points

• Encrypt communications
  – With help of infrastructure
  – Distributed

43

Event-based Metric

• Assume adversary knows mobility profiles
• Consider nodes entering/exiting mix zone i over T time steps

Pv is probability of assignment

I = total number of assignments

• Average entropy:

44

Generalization

Consider average behavior

[Figure: mix zone with flow labels 1 and 2 and an exit event x]

45

Mix Zone Placement

• Average number of traversed mix zones = average cost

• Optimal performs close to full at much lower cost

46

Tracking Success for different adversary strength

47

Tracking Success for different mix zone radius

48

Average Tracking Success

[Figure: fraction of nodes matched (axis from 0 to 100) for the Bad, Random, Optimal and Full deployments]
