Mobile Traffic Sensor Network versus Motion-MIX: Tracing and Protecting Mobile Wireless Nodes

JieJun Kong, Dapeng Wu, Xiaoyan Hong and Mario Gerla


Outline

• Background.
• Mobility anonymity attacks.
• Countermeasure (Motion-MIX).
• Asymptotic network security model.
• Security analysis of motion-MIX.


Mobile Traffic Sensor Network

• Recent advances in manufacturing technologies have enabled the physical realization of small, light-weight, low-power, and low-cost micro air vehicles.


Concept of Mobile Anonymity

• Anonymity in fixed networks: identity and location are synonyms.

• Anonymity in mobile networks: identity and location are not synonyms.
  Motion pattern is also a security concern.
  Venue: the smallest area to which the adversary can “pinpoint” the node only via the node’s communication.


Mobile Anonymity Attacks

• Motion pattern attack by mobile traffic analysis
  If the adversary moves faster than the victim, it can always trace its motion pattern.

• Venue privacy attack (VPA)
  (VPA-a): enumerates the set of currently active nodes.
  (VPA-b): computes related metrics such as the size of the set.
  (VPA-c): performs traffic analysis against a venue (how many and what kind of connections go in and out of the venue).


Design Assumption

• Adversary model
  Capable of scanning the entire network area in a short time.
  Honest-but-curious.
  Polynomially-bounded cryptanalyst who cannot invert one-way functions or differentiate cryptographically strong pseudorandom bits from truly random bits with non-negligible probability.

• Network model
  Pairwise key sharing.


Motion-MIX

• K incoming mobile nodes or wireless packet flows get fully mixed in the Motion-MIX.

• K-anonymity: the adversary cannot differentiate these k nodes.


In motion-MIX, any mobile node inside a motion-MIX venue should send out decoy traffic to ensure k-anonymity.

The above algorithm, running on each mobile node, can ensure that there are approximately k wireless transmissions in the node's one-hop neighborhood during the unit time interval.


• Adversary’s capability decides the inner circle.

• The roaming nodes decide the outer ring.


Content Analysis

• A mobile node should be indistinguishable from other nodes in the same motion-MIX venue from the adversary’s view.

• A mobile node’s traffic should be indistinguishable from another’s in the same motion-MIX venue from the adversary’s view.


Necessary Conditions

• Identity-free routing

No mobile node reveals its own identity to other nodes.

• One-time packet content

E.g., for 100 packets, the 2 extreme cases (1 sender to 1 recipient & 100 different senders to 100 different recipients) and all cases in-between are equally probable.

• Avoid capture of the mobile node’s radio signature.


Negligible function

Definition: A function u: N → R is negligible if, for every positive integer c and all sufficiently large n (i.e., there exists N_c > 0 such that for all n > N_c),

$u(n) < \frac{1}{n^c}$

In cryptography, the longer the key length is, the more asymptotically secure a cryptosystem is.

In our analysis, the larger the network scale is, the more asymptotically secure the network is.


Underlying Mobile Networking Model

The spatial distribution of a node is expressed as

For random waypoint (RWP) mobility model in a square network area of size a×a.


Underlying Mobile Networking Model

If there are N nodes in the network and each of them roams independently and identically.

Random presence of mobile nodes is modeled by a spatial Poisson point process.

Uniform

Non-uniform


Security Guarantee of Motion-MIX

Theorem 1: The security breach probability of motion-MIX (the probability that there are fewer than k uncompromised nodes in the venue quantified by Δ’) is negligible with respect to the network scale N.
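A numeric illustration of Theorem 1 under the Poisson model above, added here and not taken from the slides: it computes the probability of fewer than k uncompromised nodes in a venue and checks it against the 1/N^c bound from the negligible-function definition. Assumptions: uniform node density N/area, fixed venue and network areas while N grows, nodes compromised independently with a fixed fraction, and all parameter values constructed.

```python
import math

# Constructed parameters (not from the slides): venue and network areas share one unit.
VENUE = dict(k=5, venue_area=1.0, network_area=100.0, compromised=0.2)

def log_prob_fewer_than(k, mean):
    """log P[X < k] for X ~ Poisson(mean), summed in log space so tiny tails survive."""
    if k <= 0:
        return -math.inf
    if mean <= 0:
        return 0.0
    terms = [-mean + i * math.log(mean) - math.lgamma(i + 1) for i in range(k)]
    top = max(terms)
    return top + math.log(sum(math.exp(t - top) for t in terms))

def log_breach_prob(n_nodes, k, venue_area, network_area, compromised=0.0):
    """log P[fewer than k uncompromised nodes in the venue].

    Assumptions: uniform node density N / area, and each node compromised
    independently, which thins the Poisson mean by (1 - compromised).
    """
    honest_mean = n_nodes * (1.0 - compromised) * venue_area / network_area
    return log_prob_fewer_than(k, honest_mean)

def beats_inverse_polynomial(n_nodes, c, **venue):
    """True when the breach probability at this N is below 1 / N**c."""
    return log_breach_prob(n_nodes, **venue) < -c * math.log(n_nodes)

def threshold(c, sizes, **venue):
    """Smallest tested N from which the bound holds at every larger tested N."""
    holds_from = None
    for n in sorted(sizes):
        if beats_inverse_polynomial(n, c, **venue):
            holds_from = n if holds_from is None else holds_from
        else:
            holds_from = None
    return holds_from

if __name__ == "__main__":
    for n in (100, 1000, 10000, 100000):
        p = math.exp(log_breach_prob(n, **VENUE))
        print(f"N={n:>6}  P[breach]={p:.3e}  below 1/N^2: {beats_inverse_polynomial(n, 2, **VENUE)}")
    print("bound for c=2 holds from N =", threshold(2, (100, 1000, 10000, 100000), **VENUE))
```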


Security Guarantee of Motion-MIX

Theorem 2: The security breach probability of node tracing (the probability that the adversary can trace an active transmitting mobile node v’s motion pattern without losing the target) is negligible with respect to N and |T|.


Security Guarantee of Motion-MIX

Publicity assumption: The adversary knows the entire identity set and the network area; it can estimate that the expected number of nodes in each venue is

Nodes in each venue transmit k = E(k') real/decoy packets in a fully distributed manner.


Security Guarantee of Motion-MIX

Theorem 3: In a wireless ad hoc network, a motion-MIX is min(k,E(kΔ’))-anonymous, where Δ’ is the size of the least enlarged venue defined on the venue size Δ.