Location Privacy Preservation in Collaborative Spectrum Sensing Shuai Li, Haojin Zhu, Zhaoyu Gao, Xinping Guan, Shanghai Jiao Tong University Kai Xing University of Science and Technology of China and Xuemin (Sherman) Shen University of Waterloo Presenter: Haojin Zhu Associate Professor Computer Science & Engineering Department Shanghai Jiao Tong University


Page 1: Location Privacy Preservation in Collaborative Spectrum Sensing

Location Privacy Preservation in Collaborative Spectrum Sensing

Shuai Li, Haojin Zhu, Zhaoyu Gao, Xinping Guan, Shanghai Jiao Tong University

Kai Xing, University of Science and Technology of China

and Xuemin (Sherman) Shen, University of Waterloo

Presenter: Haojin Zhu, Associate Professor

Computer Science & Engineering Department, Shanghai Jiao Tong University

Page 2: Location Privacy Preservation in Collaborative Spectrum Sensing

Outline

• Background
  – Cognitive Radio Networks
  – Spectrum Sensing
  – Collaborative Spectrum Sensing
• Existing Research on Spectrum Sensing Security
• Location Privacy Leaking Problem
• Privacy Preserving Collaborative Spectrum Sensing
• Experiment Results
• Conclusion

Page 3: Location Privacy Preservation in Collaborative Spectrum Sensing

Cognitive Radio

Primary User (PU): PU uses the spectrum exclusively

Secondary User (SU): SUs can access the idle spectrum

Traditional Spectrum Allocation

Cognitive Radio

Cognitive Radio is proposed to increase the efficiency of channel utilization under the current static channel allocation policy.

Cognitive Radio: access the spectrum dynamically

Page 4: Location Privacy Preservation in Collaborative Spectrum Sensing

Spectrum Sensing

Spectrum Sensing: In order to identify the idle spectrum, secondary users should sense the spectrum first.

[Figure: Spectrum 1, Spectrum 2, …, Spectrum n. Which one is idle?]

Page 5: Location Privacy Preservation in Collaborative Spectrum Sensing

Collaborative Spectrum Sensing

But spectrum sensing accuracy is often degraded by:

□ Fading
□ Shadowing
□ Receiver Uncertainty

Collaborative Spectrum Sensing is proposed to overcome these challenges.

Step 1: SUs sense the spectrum individually

Step 2: SUs submit the sensing reports to a fusion center

Step 3: Fusion center combines these reports

Collaborative sensing is also facing a series of security threats!

Page 6: Location Privacy Preservation in Collaborative Spectrum Sensing

Existing Research in Spectrum Sensing Security

• Attack 1: Primary Emulation Attack (JSAC'08, Oakland S&P'10, )

• Attack 2: Sensing Data Falsification Attack (INFOCOM'08, TMC 2011, NDSS 2011)

• Attack 3: Selfishness in Collaborative Sensing (ACM MC2R)

None of the existing works has considered the privacy issues in CR networks before!

Page 7: Location Privacy Preservation in Collaborative Spectrum Sensing

Outline

• Background
• The Location Privacy Leaking Problem
• Privacy Preserving Collaborative Spectrum Sensing
  – Privacy Preserving Sensing Report Aggregation
  – Distributed Dummy Report Injection Protocol
• Experiment Results
• Conclusion

Page 8: Location Privacy Preservation in Collaborative Spectrum Sensing

Exploiting Spectrum Sensing Reports for Involuntary Geo-localization: An Attacker Point of View

The Good Side: Exploit spatial diversity for spectrum sensing

A Converse Question: Could we exploit the correlation between CR sensing reports and their physical location to make an involuntary geo-localization of an SU?

[Figure: four SUs at different locations]

Different Locations Correspond to Different Sensing Reports due to Spatial Diversity.

Page 9: Location Privacy Preservation in Collaborative Spectrum Sensing

Attack I: Single Report Location Privacy (SRLP) Attack

Test bed Setup and Experiment Approach:

1. Using USRP to detect the TV radio signal of 13 sampling regions.
2. The attacker uses a classification algorithm to obtain the spectrum characteristics of each region (the cluster centroids).
3. The attacker geo-localizes a user by comparing the distance between the sensing data and the various cluster centroids.

Single Report Location Privacy (SRLP) Attack: the adversary tries to compromise the location privacy of a CR user by correlating his sensing report and physical location.

Page 10: Location Privacy Preservation in Collaborative Spectrum Sensing

Attack II: Differential Location Privacy Attack in Aggregation Mode

Inspired by the database security concept of differential privacy.

In the context of CR security: Untrusted Fusion Center (Aggregator); secondary users may frequently join or leave the networks

We could get , then based on SRLP attack, we could infer its location.

[Figure: sensing reports $r_1$, $r_2$, $r_3$, $r_4$, with two panels each labelled "Aggregation Result"]

Even under the presence of privacy preserving aggregation solution

Page 11: Location Privacy Preservation in Collaborative Spectrum Sensing

Experimental Results for the Attack

Result I: Significant location-dependent fluctuation in the RSS sensing of three Digital TV (DTV) channels.

Result II: The attackers could localize a user within 10-50 meters accuracy with a 90% success rate by choosing a proper parameter.

How to enable the collaborative spectrum sensing without location privacy leaking?

Page 12: Location Privacy Preservation in Collaborative Spectrum Sensing

Formal Definition on Location Privacy in Collaborative Spectrum Sensing

We define the uncertainty of the adversary and thus the location privacy level of a node involved in a successful privacy preserving spectrum sensing by adopting the entropy concept as follows:

Total number of regions

the probability that user a is located in the region b

If the attacker could uniquely identify the location of the user, we can get and . Otherwise, the entropy is maximum for a uniform probability distribution .

Page 13: Location Privacy Preservation in Collaborative Spectrum Sensing

Outline

• Background
• The Location Privacy Leaking Problem
• Privacy Preserving Collaborative Spectrum Sensing
  – Privacy Preserving Sensing Report Aggregation
  – Distributed Dummy Report Injection Protocol
• Experiment Results
• Conclusion

Page 14: Location Privacy Preservation in Collaborative Spectrum Sensing

Privacy Preserving collaborative Spectrum Sensing (PPSS)

Conceal each user’s sensing reports in aggregation (thwarting SRLP attack)

Conceal the user’s sensing reports when he leaves or joins the aggregation (thwarting the DLP attack)

Privacy Preserving Sensing Report Aggregation Protocol (PPSRA)

Distributed Dummy Report Injection protocol (DDRI)

Page 15: Location Privacy Preservation in Collaborative Spectrum Sensing

Protocol I: PPSRA

Objective: Allowing the aggregator to obtain the aggregation results without knowing the individual sensing report.

E() is a homomorphic encryption such as Paillier or NDSS'11 [1].

Each data is encrypted by multiplying $H(t)^{sk_i}$ to prevent the aggregator from recovering the individual data. By letting $\sum_{i=0}^{n} sk_i = 0$, we obtain $E(\sum_{i=0}^{n} r_i)$.

Phase I: Individual Encryption

$E(r_1) H(t)^{sk_1}$, $E(r_2) H(t)^{sk_2}$, …, $E(r_n) H(t)^{sk_n}$

Phase II: Multiplying the encrypted data

Aggregation Result: $E(\sum_{i=0}^{n} r_i)$

Phase III: Decryption for the result

Decrypt $E(\sum_{i=0}^{n} r_i)$ for the aggregation result.

1. E. Shi, T. Chan, E. Rieffel, R. Chow, and D. Song, "Privacy-preserving aggregation of time-series data," in Proc. of NDSS'11, 2011.
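The three PPSRA phases, and the differencing problem from the Attack II slide, as an added example that is not code from the presentation. It assumes E(r) = G^r in a toy prime-order group, in the style of the NDSS'11 scheme the slide cites; the group parameters, function names and report values are constructed for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for illustration and far too small for real use:
# safe prime P = 2Q + 1, and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def hash_to_group(t):
    """H(t): map the round number t into the order-Q subgroup (never 1)."""
    digest = int.from_bytes(hashlib.sha256(str(t).encode()).digest(), "big")
    return pow(2 + digest % (P - 3), 2, P)

def keygen(n):
    """Return [sk_0, sk_1..sk_n] with sum 0 mod Q; sk_0 is the aggregator's."""
    user_keys = [secrets.randbelow(Q) for _ in range(n)]
    return [-sum(user_keys) % Q] + user_keys

def encrypt(r, sk, t):
    """Phase I: c_i = E(r_i) * H(t)^sk_i, taking E(r) = G^r (assumption)."""
    return pow(G, r, P) * pow(hash_to_group(t), sk, P) % P

def aggregate(ciphertexts, sk0, t):
    """Phases II and III: multiply, cancel the blinding, recover the sum."""
    v = pow(hash_to_group(t), sk0, P)
    for c in ciphertexts:
        v = v * c % P
    acc = 1                       # v == G^(sum r_i); the sum is small,
    for m in range(Q):            # so a linear search solves the dlog
        if acc == v:
            return m
        acc = acc * G % P
    raise ValueError("aggregate outside the toy group's range")

def run_round(reports, t):
    """One sensing round with fresh keys for the current member set."""
    keys = keygen(len(reports))
    cts = [encrypt(r, sk, t) for r, sk in zip(reports, keys[1:])]
    return aggregate(cts, keys[0], t)

REPORTS = [37, 52, 41, 60]        # constructed quantized RSS reports r_1..r_4

def differential_leak():
    """Aggregate with all four SUs minus the aggregate after SU 4 leaves."""
    return run_round(REPORTS, 1) - run_round(REPORTS[:3], 2)

if __name__ == "__main__":
    print("aggregate:", run_round(REPORTS, 1))
    print("leaver's report via differencing:", differential_leak())
```

The aggregator never sees an unblinded report, yet two consecutive aggregates still differ by exactly the departing user's report, which is the gap the DDRI protocol is meant to close.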

Page 16: Location Privacy Preservation in Collaborative Spectrum Sensing

Protocol II: Distributed Dummy Report Injection protocol (DDRI)

Differential Location Privacy Attack:

Traditional differential privacy protection approach needs to add a large noise to the sensing reports, which will seriously degrade the collaborative sensing performance, obviously deviating from the original goal of collaboration.

Page 17: Location Privacy Preservation in Collaborative Spectrum Sensing

Distributed Dummy Report Injection protocol

Our Approach:

Our dummy report based approach will not pollute the aggregation result.

[Figure labels: "Broadcast the fusion center's sensing results", "Send his own sensing results", "Send the center's sensing results", "LEAVE/JOIN"]

Using some publicly available sensing data (dummy report) to replace the noises

Page 18: Location Privacy Preservation in Collaborative Spectrum Sensing

Distributed Dummy Report Injection protocol

The introduced randomness in aggregation result can successfully confuse the attacker.

Page 19: Location Privacy Preservation in Collaborative Spectrum Sensing

Distributed Dummy Report Injection protocol

Question 1: How much randomness has been introduced?

Question 2: What’s the impact introduced to collaborative sensing (the actual number of the sensing nodes)?

Page 20: Location Privacy Preservation in Collaborative Spectrum Sensing

Distributed Dummy Report Injection protocol

Question 3: What’s the impact introduced to collaborative sensing (the weight of the dummy report)?

In general, we will demonstrate that our scheme can generate sufficient randomness to protect the user's differential location privacy. It has limited impact on collaborative sensing performance.
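How much randomness dummy reports introduce can be measured with the entropy notion from the formal-definition slide. The following is an added example, not code from the presentation: it assumes each SU independently sends the broadcast fusion-center report instead of his own with a hypothetical probability `delta` in every round, and it scores the entropy of the region a nearest-centroid observer infers from the difference of two aggregates. All centroids and reports are constructed.

```python
from itertools import product
from math import log2

# Constructed single-channel RSS centroids, one per region.
CENTROIDS = {"A": 20, "B": 35, "C": 50, "D": 65, "E": 80}
R0 = 45                 # fusion center's own broadcast report (the dummy)
STAY = [35, 50, 65]     # reports of SUs present in both rounds
LEAVER = 80             # report of the SU who leaves after round 1

def nearest_region(x):
    """Region whose centroid is closest to the observed value."""
    return min(CENTROIDS, key=lambda k: abs(CENTROIDS[k] - x))

def sum_distribution(reports, delta):
    """Exact distribution of the aggregate when every SU independently
    sends R0 instead of his own report with probability delta."""
    dist = {}
    for mask in product([False, True], repeat=len(reports)):
        p, s = 1.0, 0
        for dummy, r in zip(mask, reports):
            p *= delta if dummy else 1 - delta
            s += R0 if dummy else r
        dist[s] = dist.get(s, 0.0) + p
    return dist

def attacker_entropy(delta):
    """Entropy in bits of the region inferred from aggregate1 - aggregate2."""
    guess = {}
    d1 = sum_distribution(STAY + [LEAVER], delta)
    d2 = sum_distribution(STAY, delta)
    for (s1, p1), (s2, p2) in product(d1.items(), d2.items()):
        region = nearest_region(s1 - s2)
        guess[region] = guess.get(region, 0.0) + p1 * p2
    return -sum(p * log2(p) for p in guess.values() if p > 0)

if __name__ == "__main__":
    for delta in (0.0, 0.1, 0.3):
        print(f"delta={delta}: {attacker_entropy(delta):.3f} bits")
```

With `delta = 0` the difference pins the departing user to one region (zero entropy); with `delta = 0.3` the inferred region spreads over all five regions.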

Page 21: Location Privacy Preservation in Collaborative Spectrum Sensing

Outline

• Background
• The Location Privacy Leaking Problem
• Privacy Preserving Collaborative Spectrum Sensing
  – Privacy Preserving Sensing Report Aggregation
  – Distributed Dummy Report Injection Protocol
• Experiment Results
• Conclusion

Page 22: Location Privacy Preservation in Collaborative Spectrum Sensing

Experimental Results

After executing our PPSS protocol, the entropy rises to a high level. This demonstrates that PPSS can well protect the user's location privacy.

Page 23: Location Privacy Preservation in Collaborative Spectrum Sensing

Experimental Results

It demonstrates that a small is enough to protect the user’s location privacy. Meanwhile, a small means little impact on collaborative sensing.

i

i

Page 24: Location Privacy Preservation in Collaborative Spectrum Sensing

Experimental Results

This experiment result further demonstrates the practicality of our PPSS protocol.

Page 25: Location Privacy Preservation in Collaborative Spectrum Sensing

Outline

• Background
• The Location Privacy Leaking Problem
• Privacy Preserving Collaborative Spectrum Sensing
  – Privacy Preserving Sensing Report Aggregation
  – Distributed Dummy Report Injection Protocol
• Experiment Results
• Conclusion

Page 26: Location Privacy Preservation in Collaborative Spectrum Sensing

Conclusion and Future Work

• We identify and formulate a new security threat in collaborative sensing

• We introduce PPSS to protect secondary users’ location privacy in collaborative sensing.

• We evaluate the effectiveness and efficiency of PPSS by implementation in a real experiment.

• Our future work includes investigating the privacy issues in database-driven CR networks.