39
Mobile Networks - Module H2 Privacy in Mobile Networks Privacy notions and metrics Location privacy Privacy preserving routing in ad hoc networks Slides adapted from “Security and Cooperation in Wireless Networks, Chapter 8: Privacy Protection” The Lives of Others, 2006

Mobile Networks - Module H2 Privacy in Mobile Networks

  • Upload
    quinta

  • View
    67

  • Download
    0

Embed Size (px)

DESCRIPTION

Mobile Networks - Module H2 Privacy in Mobile Networks. P rivacy notions and metrics L ocation privacy P rivacy preserving routing in ad hoc networks. The Lives of Others, 2006. Slides adapted from “Security and Cooperation in Wireless Networks, Chapter 8: Privacy Protection” . - PowerPoint PPT Presentation

Citation preview

Page 1: Mobile Networks - Module H2  Privacy in Mobile Networks

Mobile Networks - Module H2 Privacy in Mobile Networks

Privacy notions and metricsLocation privacyPrivacy preserving routing in ad hoc networks

Slides adapted from “Security and Cooperation in Wireless Networks, Chapter 8: Privacy Protection”

The Lives of Others, 2006

Page 2: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 2/37

Chapter outline

8.1 Important privacy related notions and metrics8.2 Location privacy8.3 Privacy preserving routing in ad-hoc networks

Page 3: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 3/37

Privacy related notions Anonymity: hiding who performed a given action

Untraceability: making difficult for an adversary to identify that a given set of actions were performed by the same subject

Unlinkability: generalization of the two former notions: hiding information about the relationships between any item

Unobservability: hiding of the items themselves (e.g., hide the fact that a message was sent)

Pseudonymity: making use of a pseudonym instead of the real identity 8.1 Important privacy related notions

Page 4: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 4/37

Privacy metrics (1/3)The adversary tries to de-anonymize an observed action

Anonymity set: set of subjects that might have performed the action– Is a good measure only if all the members of the set are equally

likely to have performed the observed action

Entropy-based measure of anonymity:

8.1 Important privacy related notions

.log

where is the anonymity set is the probability (for the adversary)

that the observed action has been performed by subject

x xx A

x

p p

Ap

x A

Page 5: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 5/37

Privacy metrics (2/3)The adversary tries to link elements

Entropy-based measure for unlinkability:

8.1 Important privacy related notions

1 2

1 2

R

1 2

.log

where and are the sets of items that the adversary wants to relate is the probability (for the adversary) that the real relationship

between the elements in and in is ca

R RR I I

p p

I Ip

I I

1 2ptured by relation R I I

Page 6: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 6/37

Privacy metrics (3/3)The adversary runs an inference attack

Entropy-based measure for certainty:

where is the set of possible values for a given attribute is the probability (for the adversary) that the value of the attribute is for a given user

Expected error-based measure for correctness:

8.1 Important privacy related notions

−∑𝑣∈𝑉

𝑝𝑣 log𝑝𝑣

How focused is the estimate on a value? Entropy

How accurate is the estimate?Confidence intervals

How close is the estimate to the true value? Expected error

∑𝑣∈𝑉

𝑝𝑣×𝑑 (𝑣 ,𝑣0)

Page 7: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 7/37

Chapter outline

8.1 Important privacy related notions and metrics8.2 Location privacy8.3 Privacy preserving routing in ad hoc networks

Page 8: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 8/37

Location privacy

8.2 Location privacy in vehicular networks

The contextual information attached to a trace tells much about our habits, interests, activities, and relationships

A location trace is not only a set of positions on a map

Page 9: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 9/37

A first example: Vehicular networks

Variable Message Sign

Terrestrial BroadcastRDS, DAB

UMTS GSM

Beacon• CALM-IR• CALM-M5• DSRC

GPS, GALILEO

50

Broadcaster Vehicle to VehicleRFID

WiMAX

RSU to RSU

Hot-Spot(Wireless LAN,

WiFi)

8.2 Location privacy in vehicular networks

Page 10: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 10/37

Vehicle Communication (VC)

VC promises safer roads,

… more efficient driving,

Warning:Accident at (x,y)

Warning:Accident at (x,y)

!!

TOC

RSU RSU

Traffic Update:Congestion at (x,y)

!

Congestion Warning:At (x,y), use alt. route

8.2 Location privacy in vehicular networks

Page 11: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 11/37

Vehicle Communication (VC)

… more fun,

MP3-Download

Text message:We'll stop at next roadhouse

… and easier maintenance. Software Update

Malfunction Notification:Arriving in 10 minutes,

need ignition plug

RSU

CarManuf.

8.2 Location privacy in vehicular networks

Page 12: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 12/37

Security and Privacy

More fun, but for whom?

Position Beacon

… and a lot more …Your new

ignition-control-software

RSU

Location Tracking

8.2 Location privacy in vehicular networks

Page 13: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 13/37

The location privacy problem and a solution vehicles continuously broadcast heart beat

messages, containing their ID, position, speed, etc.

tracking the physical location of vehicles is easy just by eavesdropping on the wireless channel

one possible solution is to change the vehicle identifier, or in other words, to use pseudonyms

8.2 Location privacy in vehicular networks

Page 14: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 14/37

Adversary model changing pseudonyms is ineffective against a global

eavesdropper

hence, the adversary is assumed to be able to monitor the communications only at a limited number of places and in a limited range

A, GPS position, speed, direction

predicted positionat the time of thenext heart beat

B, GPS position, speed, direction

8.2 Location privacy in vehicular networks

Page 15: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 15/37

The mix zone concept

the unobserved zone functions as a mix zone where the vehicles change pseudonym and mix with each other

vehicles do not know where the mix zone is (this depends on where the adversary installs observation spots)

vehicles change pseudonyms frequently s.t. each vehicle changes pseudonym while in the mix zone

mix zone

1

2 3

4

56

ports

1

2

3

4

5

6

observationspots

unobserved zone

8.2 Location privacy in vehicular networks

Page 16: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 16/37

Example of mix zone

8.2 Location privacy in vehicular networks

1

2

3

4

Pseudonym: X12

Pseudonym: Y23

Pseudonym: Z34

Pseudonym: W45

mix zone

Page 17: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 17/37

time is divided into discrete steps pij = Pr{ exiting at j | entering at i } Dij is a random variable (delay) that represents the

time that elapses between entering at i and exiting at j

dij(t) = Pr{ Dij = t }

Pr{ exiting at j at t | entering at i at t } = pij dij(t-t)

Model of the mix zone

dij(t)

t

8.2 Location privacy in vehicular networks

Page 18: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 18/37

Observations

tn1 n2 nk

x1 x2 xk

t2 tk

t1 tk

N1 N2 Nk

X1 X2 Xk

t1 = 0

the adversary can observe the points (ni, xi) and the times (ti, ti) of enter and exit events (Ni, Xi)

nodes change pseudonyms inside the mix zone no easy way to determine which exit event corresponds to which enter event

each possible mapping between exit and enter events is represented by a permutation p of {1, 2, …, k}:

mp = (N1 ~ Xp[1], N2 ~ Xp[2], …, Nk ~ Xp[k])where p[i] is the i-th element of the permutation

we want to determine Pr{ mp | N, X }

8.2 Location privacy in vehicular networks

Page 19: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 19/37

Computing the level of privacy

8.2 Location privacy in vehicular networks

where mπ is the mapping described by the permutation π

where pij is a cell of the matrix P of size nxn, where n is the number of gates of the mix zoneand dij(t) describes the probability distribution of the delay when crossing the mix zone from gate i to gate j.

Page 20: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 20/37

Another privacy metric tracking game:

– the adversary picks a vehicle v in the observed zone– she tracks v until it enters the mix zone at port s– then, she observes the exiting events until time T (where the

probability that v leaves the mix zone until T is close to one)– for each exiting vehicle at port j and time t, the adversary

computes qjt = psjdsj(t)– the adversary decides to the exiting vehicle v’ for which qjt is

maximal• this realizes a Bayesian decision (minimizes the error probability

of the decision)– the adversary wins if v’ = v

the level of privacy achieved is characterized by the success probability of the adversary– if success probability is high, then level of privacy is low

8.2 Location privacy in vehicular networks

Page 21: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 21/37

Location-Based Services People share their location on-line

– Social purposes– Contextual services

8.2 Location privacy in location-based services

Page 22: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 22/37

Quantifying location privacy

8.2 Location privacy in location-based services

The Framework

Page 23: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 23/37

Protecting location privacy

8.2 Location privacy in location-based services

Anonymization– Pseudonyms

Obfuscation– Deleting

– Randomizing

– Discretizing

– Sub-sampling

Page 24: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 24/37

Adversary Model

8.2 Location privacy in location-based services

Observation KnowledgeAnonymized and Obfuscated Traces Users’ mobility profiles

PDFanonymization

PDFobfuscation

LPPM

Inference Attack Examples

Localization Attack: “Where was Alice at 8pm?”What is the probability distribution over the locations for user ‘Alice’ at time ‘8pm’?

Tracking Attack: “Where did Alice go yesterday?”What is the most probable trace (trajectory) for user ‘Alice’ for time period ‘yesterday’?

Page 25: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 25/37

Inference Attacks

8.2 Location privacy in location-based services

A practical solution: Decoupling De-anonymization from De-obfuscation

Computationally infeasible:s (anonymization / permutation) can take N! values

(Au is the actual trace of user u)

Page 26: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 26/37

De-anonymization

8.2 Location privacy in location-based services

1 - Compute the likelihood of observing trace ‘i’ from user ‘u’, for all ‘i’ and ‘u’, using HMP (Hidden Markov Process): Forward-Backward algorithm.

2 - Compute the most likely assignment using a Maximum Weight Assignment algorithm (e.g., Hungarian algorithm). O(N4)

u1

u2

uN

Users

1

…Nyms

2

N

Page 27: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 27/37

De-obfuscation

8.2 Location privacy in location-based services

Given the most likely assignment s*, the localization probability can be computed using Hidden Markov Model: the Forward-Backward algorithm

Tracking AttackGiven the most likely assignment s*, the most likely trace for each user can be computed using Viterbi algorithm

Localization Attack

Page 28: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 28/37

The game

8.2 Location privacy in location-based services

User Adversary (leader) (follower)

𝑟 𝑟 ′ �̂�LBS message

Chooses to maximize it Chooses to minimize it

User accesses LBS from location known to adversary

user gain / adversary loss

Page 29: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 29/37

Hands-on Exercises 3

8.2 Location privacy in location-based services

Part A– Wireless traces– Analysis– De-anonymization– Countermeasures– Bonus: Track (multiple) users

Part B– LPPM evaluation using LPM– E.g., sub-sampling: hoe3_lpm configFile s subsamplingProb– Bonus: Analyze and understand the privacy levels obtained

Page 30: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 30/37

Chapter outline

8.1 Important privacy related notions and metrics8.2 Location privacy in vehicular networks8.3 Privacy preserving routing in ad hoc networks

Page 31: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 31/37

8.3 Privacy preserving routing in ad hoc networks Goal: unlinkability (make it very hard for a global

observer to know who communicates with whom)

Some nodes may be compromised even the forwarding nodes should not know who the source and the destination are

We also want to hide the identity of the forwarding nodes from each other (because this information would be useful for the attacker)

8.3 Privacy preserving routing in ad hoc networks

Page 32: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 32/37

Effective but inefficient solution Route establishment: flooding the network with a

route request

Source:– generates an asymmetric key-pair (K,K-1), a secret key k0,

and a nonce n0

– Encrypts D, S, and K-1 with the public key KD of the destination

– Encrypts k0 and n0 with K– Broadcasts the route request:

8.3 Privacy preserving routing in ad hoc networks

Page 33: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 33/37

Effective but inefficient solution F1 receives this route request It verifies if it is the target of the request:

– decrypts with its private key

If F1 is not the target:– Generates a secret key k1 and a nonce n1– Concatenates them to – Encrypts the result with K– Broadcasts

General format of the route request message:

8.3 Privacy preserving routing in ad hoc networks

Page 34: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 34/37

Effective but inefficient solution D attempts to decrypt and it succeeds D broadcasts a dummy request:

It decrypts and obtains the secret keys and the nonces of the forwarding nodes

It generates a link key for each link and sends a route reply:

8.3 Privacy preserving routing in ad hoc networks

Page 35: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 35/37

Effective but inefficient solution Fi receives route reply: decrypts it with ki If ki works: checks if it received back its ni If this is the case:

– Fi peels the outer layer off the route reply– Applies some padding to retain its original length– Re-broadcasts

Sending data:– Source encrypts the packet with kout

0 and broadcasts it– Each node tries to decrypt it with its incoming link keys– If Fi succeeds to decrypt the packet with ki

in: it re-encrypts it with ki

out, and re-broadcasts it– Until the packet arrives to the destination

8.3 Privacy preserving routing in ad hoc networks

Page 36: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 36/37

Improving efficiency Much computation from the nodes:

– Solution: replace the public key encryption with symmetric key encryption

Source and destination share a secret key kSD and a counter cSD

Source computes a one-time hint for the destination: h(kSD,cSD)

Each node can pre-compute the hint of each possible source:– only a table lookup when processing route request messages

8.3 Privacy preserving routing in ad hoc networks

Page 37: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 37/37

Improving efficiency Modified route request:

Modified route reply:

Hint for Fi: hashing ni with g When processing route reply:

– Only a table lookup to determine which key should be used to decrypt the route reply

8.3 Privacy preserving routing in ad hoc networks

Page 38: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 38/37

Summary on Privacy Protection Location privacy in LBS services:

– Aversary model: sporadic location exposure (with LPPM)– The level of location privacy can be quantified based on the

result of the inference– Trade-off with utility

Location privacy in vehicular networks:– Adversary model: monitored zones and unmonitored zones– The level of location privacy can be quantified using an

entropy-based metric

Privacy in ad hoc network routing protocols: – A routing protocol that makes it very hard for a global

observer to know who communicates with whom

Page 39: Mobile Networks - Module H2  Privacy in Mobile Networks

Security and Cooperation in Wireless NetworksChapter 8: Privacy protection

Our research projects on privacy protection Privacy in mobile and pervasive networks:

http://lca.epfl.ch/projects/privacyTo probe further on some aspects presented in this lecture:- R. Shokri, G. Theodorakopoulos, J.-Y. Le Boudec, and J.-P. Hubaux. Quantifying Location Privacy. In Proc. of the IEEE Symposium on Security and Privacy (S&P), Oakland, CA, USA, 2011.- R. Shokri, G. Theodorakopoulos, C. Troncoso, J.-P. Hubaux, and J.-Y. Le Boudec. Protecting Location Privacy: Optimal Strategy against Localization Attacks. In Proc. of the 19th ACM Conference on Computer and Communications Security (CCS), Raleigh, NC, USA, 2012.

- Genome privacy: http://lca.epfl.ch/projects/genomic-privacy/

- Privacy and security mechanisms with selfish players:http://lca.epfl.ch/projects/gamesec