ON THE OPTIMAL PLACEMENT OF MIX ZONES: A GAME-THEORETIC APPROACH

Mathias HumbertLCA1/EPFLJanuary 19, 2009

Supervisors:Mohammad Hossein ManshaeiJulien FreudigerJean-Pierre Hubaux

Mini-project of the Security and Cooperation in Wireless Networks course

MOTIVATIONS

Pratical case study on location privacy

Use of the relevant information from Lausanne’s traffic data

Game-theoretic model evaluating agents’ behaviors a priori

Incomplete information game analysis

2

OUTLINE

Lausanne traffic: a case study System model and mixing effectiveness Game-theoretic approach Game results:

A complete information game Numerical evaluations An incomplete information game

Conclusion and future work

3

LAUSANNE DOWNTOWN

4

Intersections’ statistics stored in 23 matrices (size = 5x5)

Place ChauderonPlace Chauderon:

23 intersectionsTraffic matrix:

SYSTEM MODEL Road network with N intersections Mobile nodes vs. Local passive adversary Nodes’ privacy-preserving mechanisms (at intersection i):

Active mix zone (cost = cim)

cim = ci

p + ciq = pseudonyms cost + silence cost

Passive mix zone (cost = cip)

Adversary’s tracking devices:: Sniffing station (cost = cs)

Mobility parameters: Relative traffic intensity λi

Mixing effectiveness mi 5

mixmix

Traffic matrix:

MIXING EFFECTIVENESS Mixing: uncertainty for an adversary trying to match

nodes leaving the active mix zone to the entering ones=> normalized entropy=> relative traffic intensity

6

Smallest mixing between Chaudron & Bel-Air: mi = 0 (no uncertainty for the adversary)

Greatest mixing at place Chaudron: mi = 0.74

GAME-THEORETIC APPROACH G = {P, S, U} 2 players: {mobile nodes, adversary} Nodes’ strategies sn,i (intersection i):

Active mix zone (AMZ) Passive mix zone (PMZ) Nothing (NO)

Adversary’s strategies sa,i : Sniffing station (SS) Nothing (NO)

Payoffs:7

AdversaryAdversary

Nod

esN

odes

0 < λi, mi, cim, cs < 1

COMPLETE INFORMATION GAME FOR ONE INTERSECTION

Pure-strategy NE [theorem 1]:

Mixed-strategy NE:

Probabilities:

Probabilities:

pi = (λi-cs) /λimi 1- pi

qi = min(ciq/λimi, 1)

0

1- qi

mixed-strategy

mixed-strategy

Nash equilibrium

Nash equilibrium

8

N INTERSECTIONS-GAME Global NE = Union of local NE Global payoffs at equilibrium defined as

Number of sniffing stations = Ws (upper bound) Game = two maximisation problems:

9

Nodes

Adversary

N INTERSECTIONS-GAME Algorithm converging to an equilibrium [theorem 2]

10

Remove sniffing stations at mixed NE first

Remove sniffing stations at pure NE (Start with smallest adversary’s payoff)

The nodes normally take advantage of the absence of sniffing station to deploy a passive mix zone

The nodes normally take advantage of the absence of sniffing station to deploy a passive mix zone

As uia = 0 at mixed-strategy NE and assuming (wlos) that m1 < m2 < … < mn

11

NUMERICAL RESULTS: LOW PLAYERS’ COSTS

Fixed (normalized) costs and unlimited nb of sniffing stations:Fixed (normalized) costs and limitedlimited nb of sniffing stations (Ws = 5):

12

NUMERICAL RESULTS: MEDIUM SNIFFING COST Fixed (normalized) costs and unlimited nb of sniffing stations:Fixed (normalized) costs and limitedlimited nb of sniffing stations (Ws = 5):

INCOMPLETE INFORMATION GAME FOR ONE INTERSECTION Assumptions:

Nodes do not know the sniffing cost Instead, they have a probability distribution on cost’s type

Theorem 3: one pure-strategy Bayesian Nash equilibrium (BNE) with strategy profile defined by:

13

with (probability that the adversary installs a sniffing station) defined using the probability distribution on cost’s type

Suboptimal BNE, such as (AMZ, NO) or (PMZ, SS) for nodes’ payoff can occur if nodes’ belief on sniffing station cost’s type is inacurrateSuboptimal BNE, such as (AMZ, NO) or (PMZ, SS) for nodes’ payoff

can occur if nodes’ belief on sniffing station cost’s type is inacurrate

N INTERSECTIONS INCOMPLETE INFORMATION GAME Potential algorithm to converge to a Bayesian Nash

equilibrium (ongoing work):

14

Complete knowledge for the adversary => remove sniffing stations leading to smallest payoffs at BNE

Nodes know Ws => put passive mix zones where adversary’s expected payoffs are the smallest

CONCLUSION AND FUTURE WORK Prediction of nodes’ and adversary’s strategic behaviors using

game theory Algorithms reaching an optimal (Bayesian) NE in complete

and incomplete information games In incomplete information game, significant decrease of nodes’

location privacy due to lack of knowledge about adversary’s payoff Concrete application on a real city network

Nodes and adversary often adopting complementary strategies Future work

Evaluation of the incomplete information game with the real traffic data and various probability distributions on sniffing station cost

15

NUMERICAL EVALUATION OF OPTIMAL STRATEGIES WITH VARIABLE COSTS

16

1) Unlimited 1) Unlimited number of SS: number of SS: 2) Limited 2) Limited number of SS: number of SS:

BACKUP: MIXING EFFECTIVENESS COMPUTATION Mixing: uncertainty for an adversary trying to match

nodes leaving the active mix zone to the entering ones => entropy => relative traffic intensity

Dfdf

Dfdf

dfd 17

BACKUP: BAYESIAN NE FOR THE INCOMPLETE INFORMATION GAME @ ONE INTERSECTION Nodes do not know the sniffing cost Instead, they have a probability distribution on cost’s type Theorem 3: one pure-strategy Bayesian Nash equilibrium (BNE) with strategy profile

defined by:

18

With (probability that the adversary installs a sniffing station) defined using the cdf of the cost’s type:

Suboptimal BNE, such as (AMZ, NO) or (PMZ, SS) for nodes’ payoff can occur if nodes’ belief on sniffing station cost’s type is inacurrateSuboptimal BNE, such as (AMZ, NO) or (PMZ, SS) for nodes’ payoff

can occur if nodes’ belief on sniffing station cost’s type is inacurrate

BACKUP: MOTIVATION Master project [1]: study of mobile nodes’ location privacy

threatened by a local adversary Application of this work on a practical and real example Collaboration with people of TRANSP-OR research group at EPFL Lausanne’s traffic data based on actual road measurements and

Swiss Federal census (more on this in next slide) Selection of the relevant information from the traffic data New game-theoretic model in order to exploit the provided

data and evaluate nodes’ location privacy Incomplete information game to better model the players’

knowledge on payoffs and behaviors of other participants 19

[1] M. Humbert , Location Privacy amidst Local Eavesdroppers, Master thesis, 2009