Providing Location Anonymity in a Multi-Base Station Wireless Sensor Network
Rania El-Badry and Mohamed Younis
Dept. of Computer Science and Electrical Engineering, University of Maryland Baltimore County, Baltimore, Maryland, USA
elbadry1, [email protected]

Abstract— Wireless Sensor Networks (WSNs) often operate in inhospitable environments to serve mission-critical and security-sensitive applications that involve hostile adversaries. These adversaries are eager to disrupt the WSN operation. Given the important role that the base station (BS) plays in a WSN, the adversary opts to identify the BS and determine its location in order to damage the BS or launch a targeted denial-of-service attack. Therefore, maintaining BS anonymity is of utmost importance in WSNs. Even if the adversary cannot decode packets, correlating the intercepted transmissions through traffic analysis can reveal the position of the BS. This paper considers setups in which the network has multiple base stations and proposes a novel approach in which these base stations collaborate on confusing the adversary and averting attacks. The proposed Multi-player Anonymity optimization Game theoretic (MAG) approach calls for the introduction of inter-BS deceptive traffic and uses game theory to determine the volume and destination of such traffic so that the variance in location anonymity over all BSs is reduced. The simulation results demonstrate the effectiveness of MAG.

Keywords: Sensor Networks, Anonymity, Traffic Analysis.

longer range than that of sensors, and employing anonymous routing protocols and encrypting packet headers in order to hide its ID in packets [2][3]. However, these techniques will not prevent an adversary from identifying the BS based on the traffic pattern in the network. In this paper, we opt to boost the anonymity of the BSs in wireless ad-hoc networks by complicating the traffic analysis that an adversary performs and rendering it inconclusive. The goal is to confuse the adversary and divert its attention away from the location of the BSs. Unlike published work, this paper exploits the presence of multiple BSs in the network to dynamically manage the traffic pattern. The problem is formulated as a game between all BSs. Every BS (player) tries to maximize its location anonymity by selectively forwarding part of its traffic to another BS. The target BS is chosen in a way that minimizes the variance in location anonymity over all BSs. To the best of our knowledge, our Multi-player Anonymity optimization Game theoretic (MAG) approach is the first to foster a collaborative effort among the BSs in a sensor network for boosting the privacy of their positions. The performance of MAG is evaluated using simulation experiments. The rest of this paper is organized as follows. Section II discusses related work. Section III covers the assumed system model and anonymity assessment. Section IV describes the proposed MAG approach in detail. The validation results are provided in Section V. Section VI concludes the paper and highlights our future work plan.

I. INTRODUCTION
Wireless Sensor Networks (WSNs) have attracted a lot of attention in recent years due to their effectiveness in numerous applications. Most notable among these applications are those serving in hostile environments such as border surveillance, military search-and-rescue missions, and combat field reconnaissance [1]. In these applications, a WSN is typically composed of many sensor nodes that are spread over a wide area and operate autonomously without human intervention. The sensors probe their surroundings and report their measurements to one or multiple in-situ users or base stations. The base stations process the collected data to correlate the detected events for full situational awareness. The hostile nature of the application exposes the WSN to security threats. While the sensors can be an easy target for attacks, provisioning robust coverage through redundant sensor deployment renders this strategy ineffective for an adversary. Instead, damaging or disrupting the operation of the base station would inflict the most impact on the network. Therefore, the base station (BS) location privacy should be sustained. Numerous precautionary measures are often employed in order to maintain the anonymity of the BSs. Anonymity in this context means concealing both the role and the location. Contemporary techniques include camouflaging the BS design to make it visually undetectable, preventing the BS from transmitting for

II. RELATED WORK
Anonymity assessment is directly related to the amount of information an adversary can deduce by performing traffic analysis on the data he collected by observing the network. GSAT [4] was designed to measure BS anonymity provided that the adversary is capable of physically investigating the existence of the BS at the decided location. Another model was proposed in [5] based on evidence theory and will be discussed in detail in Section III.B. Edith and Uppsala [6] proposed randomized routing with hidden address (RRAH), in which even the sensor nodes do not know the node ID and the location of the BS when routing packets. The packet keeps traversing the network until a predefined hop count is reached. When the BS receives the packet, it silently decrypts it. A drawback of this technique is that the hop count assigned to every packet has to be large enough to guarantee that the packet reaches the BS before dying.


in the network, more evidence is collected and correlated to prove the presence of communication links between nodes. In the example shown in Figure 1, node A sends a packet to node D. The packet traverses to node D over the multi-hop path A→B→C→D. When A's transmission is intercepted, the adversary increases the evidence pointing from cell 1 to cells 2, 4 and 5. When node B forwards the packet, the adversary increases the evidence pointing from cell 5 to cells 1, 2, 3, 4, 6, 7 and 8. The evidence for a communication channel L between any two cells is equal to the minimum evidence assigned to any individual link on the path L that a packet takes, and can be calculated using:

Acharya and Younis [7] proposed two techniques to boost the BS anonymity level. The first technique requires the BS to retransmit some of the packets it receives with different intensities so that it appears to the adversary like any other sensor node in the network. The second technique assumes a mobile BS that can relocate itself to a more secure location. However, this work considers only a network with a single BS. The goal of [8] is to make the computation an adversary needs in order to identify a BS very complex by increasing the transmission power used by all network nodes. Increasing the transmission power causes an exponential increase in the computational complexity and thus slows down the traffic analysis conducted by the adversary, boosting the BS anonymity. This technique also assumes a network with a single BS.

$$E(L) = \min_{l \subseteq L} E(l) \qquad (1)$$

where $l$ ranges over the individual links that make up the path $L$.

III. SYSTEM MODEL
In this section, we discuss the network model, the adversary model and the metric used in assessing location anonymity.

A. Network and Adversary Models
In this paper, we consider an unattended WSN with multiple BSs. The data traffic is not evenly split among all BSs, which is typical in an event-driven WSN where only the sensors near an event report it, to the nearest BS. All BSs are assumed to use the same transmission range as the sensor nodes, in an attempt to be undetectable from the strength of their radio signals. In addition, a stealth BS design is assumed in order to make it visually unrecognizable. Sensor nodes have limited transmission coverage. Thus, when a sensor node sends a data packet to a BS and no direct link exists from this node to the BS, the packet traverses multiple hops until it reaches the BS. Anonymous routing techniques are employed so that the IDs of the BSs are protected. We assume that, to the adversary, all nodes have the same probability of being a BS at the time the network is first deployed, so any adversary has to build his knowledge by monitoring the packet traffic. We assume that the adversary passively eavesdrops on communications throughout the area and has relatively high computational power. Thus, he can monitor all the traffic flowing in the network over a period of time and perform any sophisticated computation on it to correlate the transmissions and identify the BS. The main goal of the adversary is to localize the BS with reasonable accuracy. The adversary is assumed to be unaware of the number of BSs that the network has and to suspect the presence of only one BS.

Figure 1: Illustration of how the intercepted transmissions are correlated to link A to D.

For example, when node B forwards the packet, the adversary derives new link evidence (the links out of cell 5 in Figure 1), correlates it with the evidence captured from the previous transmission (the links out of cell 1), and concludes that there might be a communication channel through cell 5. Table 1 shows the evidence collected by an adversary after the first and the second transmissions. In this paper, we use the weighted Belief metric [9], defined in (2), to capture the adversary's confidence in the existence of a communication channel over a certain path $U$:

$$\mathrm{Belief}(U) = \sum_{V \mid V \subseteq U} nE(V) \qquad (2)$$

where $nE(\cdot)$ is the evidence normalized by the number of observed packets.
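The following Python script is an added illustration of the evidence accumulation described for Figure 1 and of the metrics in (1) and (2); it is not code from the paper. The two intercepted transmissions and the cell numbers are the ones the text gives (A in cell 1 heard in cells 2, 4, 5; B in cell 5 heard in cells 1, 2, 3, 4, 6, 7, 8); the observations list is constructed from that narrative. Path evidence is the minimum over links as in (1), normalization divides by the number of observed transmissions, and (2) is implemented literally as a sum of normalized evidence over every non-empty sub-path; the weighting that [9] applies is not on the page and is not modelled. Ranking cells by incoming evidence follows the remark that evidence pointing to a node measures how exposed that node is.

```python
"""Added illustration (not the paper's code) of the evidence-theory traffic
analysis sketched in Section III.B: a passive eavesdropper turns each
intercepted transmission into evidence for links between grid cells, chains
link evidence along a path with a minimum (eq. 1), normalizes it by the number
of observed transmissions, and sums normalized evidence over sub-paths (eq. 2,
taken literally).
"""
from collections import defaultdict
from itertools import combinations

# Constructed observations matching the Figure 1 narrative: the packet goes
# A->B->C->D; A sits in cell 1 and its transmission is heard in cells 2, 4, 5;
# B sits in cell 5 and its transmission is heard in cells 1, 2, 3, 4, 6, 7, 8.
OBSERVED = [
    (1, {2, 4, 5}),
    (5, {1, 2, 3, 4, 6, 7, 8}),
]


def accumulate_link_evidence(observations):
    """E(src->dst): how many intercepted transmissions from src covered dst."""
    evidence = defaultdict(int)
    for src, reachable in observations:
        for dst in reachable:
            evidence[(src, dst)] += 1
    return dict(evidence)


def path_evidence(evidence, links):
    """Eq. (1): evidence for a multi-hop channel is the minimum over its links."""
    return min(evidence.get(link, 0) for link in links)


def normalized_path_evidence(evidence, links, n_observed):
    """nE: path evidence normalized by the number of observed transmissions."""
    return path_evidence(evidence, links) / n_observed


def belief(evidence, path, n_observed):
    """Eq. (2) read literally: Belief(U) is the sum of nE(V) over every
    non-empty subset V of the link set U of the path."""
    links = list(zip(path, path[1:]))
    total = 0.0
    for size in range(1, len(links) + 1):
        for subset in combinations(links, size):
            total += normalized_path_evidence(evidence, subset, n_observed)
    return total


def rank_sink_candidates(evidence, n_observed):
    """Normalized evidence pointing at each cell, highest first: the cell that
    accumulates the most incoming evidence is the one whose anonymity is
    weakest (Section III.B)."""
    incoming = defaultdict(float)
    for (_src, dst), count in evidence.items():
        incoming[dst] += count / n_observed
    return sorted(incoming.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    ev = accumulate_link_evidence(OBSERVED)
    n = len(OBSERVED)
    print("link evidence:", ev)
    print("belief in 1->5->2:", belief(ev, [1, 5, 2], n))
    print("belief in 1->5->9:", belief(ev, [1, 5, 9], n))
    print("cells ranked by incoming evidence:", rank_sink_candidates(ev, n))
```

With only these two transmissions the adversary already sees cells 2 and 4 as the cells most traffic converges on, and a path that uses a link never observed (5→9) carries only the belief contributed by its observed prefix; adding more intercepted packets to OBSERVED sharpens the ranking, which is exactly what the BS anonymity measures of Section III.B quantify.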

B. Anonymity Assessment
Evidence theory has been shown to be an effective means of assessing location anonymity. Basically, every packet that flows in the network is considered evidence of communication from a source to a destination. Thus, monitoring the network over a period of time, correlating the detected transmissions and counting the evidence pointing to a certain node can be used as a strong measure of the anonymity of this node. As packets flow

Table 1: Linkability analysis between nodes based on the Evidence collected through intercepted transmissions


the most recent state of the network, which may be incomplete and have inconsistencies. The state of a BS in this context means the anonymity level of that BS and the average traffic sent to it. A BS$_i$ that decides to forward some of its data packets to BS$_j$ also reports its anonymity level and traffic volume.

IV. ANONYMITY OPTIMIZATION
In a WSN with multiple BSs, data traffic may not be evenly split among these BSs, since events may take place in various parts of the network and only a subset of the deployed sensors will detect and report on them. The uneven distribution of traffic makes one BS more vulnerable to being identified by an adversary as a possible target of attack. If the adversary could knock out one BS, the traffic would shift unevenly to the other BSs and again one BS would stand out as the new target for attack. In our proposed MAG approach, all BSs cooperate in confusing the adversary and concealing their identity and location. MAG is applied by the individual BSs in a distributed manner. Instead of making every BS aware of the anonymity level of all other BSs, a BS decides its course of action based on its local view of the network. MAG formulates the anonymity optimization problem as a game between BSs where every BS takes the action that minimizes the difference between the anonymity levels of all BSs. The idea is to confuse the adversary by equalizing the anonymity of all BSs. To equalize the anonymity of all the BSs in a network, MAG calls for a base station BS$_i$ to forward a portion of its traffic to another BS$_j$ based on its anonymity level and on the number of packets BS$_i$ received in the past from BS$_j$. We refer to this as the deceptive traffic. As a way of limiting the introduced overhead, deceptive packets forwarded to a BS are not retransmitted again. Thus, the BS with the least data traffic serves as a traffic absorber to equalize the traffic, and hence the anonymity, of all BSs. The origination and reception of deceptive traffic among BSs is modeled using game theory. The rest of this section presents the game formulation and explains it.

• Actions: Each BS can forward part of its traffic to another BS or simply decide to stay quiet. So, every BS has M possible actions (staying quiet plus forwarding to one of the M − 1 other players), where each forwarding action targets a distinct player (i.e., BS).
• Payoff: All players try to take the action that minimizes the anonymity variance based on the information they have. The fact that the network state is viewed differently by one BS than by the others creates some conflict of interest, although they all try to minimize the anonymity variance. Overall, variations of the network state among the BSs may slow convergence without causing divergence.
• Decision rule: In the MAG game, since an explicit state exchange between BSs is avoided, every BS takes its decision under uncertainty. The uncertainty here results from the difference between the most recent state updates and the actual state of the network. So, in order to guarantee that the proposed MAG technique will not increase the anonymity variance even in the case of incomplete information, MAG adopts the conservative minimax decision rule in taking actions [11]. Thus, MAG guarantees that the resulting anonymity variance will never be greater than the anonymity variance when MAG is not applied.

B. History-based Payoff
In MAG, BSs do not update each other with their current anonymity level or traffic load periodically. Instead, when the traffic entering BS$_i$ exceeds a certain threshold, it has to decide whether it would be better to forward part of its traffic to some BS$_j$. If deceptive packets are to be sent, BS$_i$ shares its anonymity level and traffic load with BS$_j$. Before deciding on the best course of action, BS$_i$ predicts the impact of every action it can take, taking into consideration all possible actions that might be taken independently by the other BSs. We use the following notation in defining the payoff function applied by the individual BSs:

A. Game Formulation
MAG models the problem of maximizing the network's resilience to traffic analysis attacks as an infinite game between M BSs. Network resilience in this context implies equalizing the location anonymity of the individual BSs so that none of them stands out as a target of attack. A game is generally made up of four main components [10], namely: players, who are the rational decision-makers; actions, which represent the set of all possible strategies that a player can take; a payoff matrix, which enables the evaluation of the outcome of every possible action; and a decision rule, which is used to determine which action has the most desirable outcome. In the anonymity maximization game, each BS decides which other BS to forward its traffic to, based on the actions taken in the previous game step. The following defines the main components of the anonymity game:



• $\mathrm{Pay}(A_i, B_j, C_k, D_l)$: represents the payoff when BSs A, B, C and D take actions i, j, k and l, respectively.

• $\sigma^2(A_i, B_j, C_k, D_l)$: represents the variance of the anonymity level when BSs A, B, C and D take actions i, j, k and l, respectively.
• $\mathit{An}(x, y)^t$: represents the anonymity of BS$_x$ at time $t$ as seen by BS$_y$.

When the traffic load of a certain BS$_x$ exceeds the threshold, it evaluates the outcome (payoff) of every possible combination of actions. The payoff seen by BS A when A, B, C and D take actions i, j, k and l, respectively, can be calculated by:

• Players: All M BSs participate in the anonymity game. While maximizing the anonymity of all BSs is the objective, MAG opts to avoid the overhead of frequent state exchange among all BSs, which would be required for each BS to make a globally optimal decision. Instead, a BS bases its decision on

$$\mathrm{Pay}(A_i, B_j, C_k, D_l) = \sigma^2(A_i, B_j, C_k, D_l) \qquad (3)$$

Figure 3: Illustration of the operation of the MAG approach, panels (a) and (b).

$$\sigma^2(A_i, B_j, C_k, D_l) = \mathrm{Var}\big(\mathit{An}(A, A)^{t+1},\ \mathit{An}(B, A)^{t+1},\ \mathit{An}(C, A)^{t+1},\ \mathit{An}(D, A)^{t+1}\big) \qquad (4)$$

For a BS, every combination of actions that the other three BSs may take represents a possible change to the network state. A BS tries to minimize its maximum payoff over all possible actions. Every BS decides what to do based on its own belief, which is derived from the anonymity information received from the other BSs along with the forwarded traffic.

$$\mathit{An}(x, A)^{t+1} = \mathit{An}(x, A)^{t} + \Delta\mathit{An}(x, A)(A_i, B_j, C_k, D_l)$$

$$\forall\, x \in \{A, B, C, D\}: \quad \Delta\mathit{An}(x, A)(A_i, B_j, C_k, D_l) = \Delta\mathit{An}(x, A)(A_i) + \Delta\mathit{An}(x, A)(B_j)$$
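The following Python script is an added illustration of the decision step that the Actions, Payoff and Decision rule components and the History-based Payoff description lay out; it is not code from the paper or its simulator. It enumerates, for BS A, every combination of its own action (stay quiet or forward to B, C or D) with the other three BSs' actions, scores each combination by the variance of the predicted anonymity levels as in (3) and (4), and applies the minimax rule: keep the own action whose worst-case variance is smallest. Everything about how an action changes anonymity is an assumption, since the page does not give the per-player terms: the anonymity proxy (one minus a BS's share of the traffic it absorbs, in line with the remark that uneven traffic is what makes a BS stand out), the fixed quarter of its own load that a BS forwards as deceptive traffic, and the traffic figures in A's local view are all constructed. Exact fractions are used so the results can be checked by hand.

```python
"""Added illustration of the MAG decision step of Section IV (not code from
the paper).  A base station evaluates every combination of its own action and
the other BSs' actions, scores each combination by the variance of the
predicted anonymity levels (eqs. 3 and 4), and applies the conservative
minimax rule: pick the action whose worst-case variance is smallest.
Assumptions not on the page: the anonymity proxy, the forwarded fraction and
the traffic figures below are all constructed for this illustration.
"""
from fractions import Fraction
from itertools import product

BSS = ("A", "B", "C", "D")
QUIET = "quiet"
# Assumption: share of its own load a BS forwards as deceptive traffic when it acts.
FORWARD_FRACTION = Fraction(1, 4)
# Constructed local view at BS A: average traffic absorbed by each BS, as learnt
# from the state that BSs report along with forwarded deceptive traffic.
TRAFFIC = {"A": Fraction(120), "B": Fraction(40), "C": Fraction(30), "D": Fraction(10)}


def actions_for(bs):
    """Stay quiet or forward to one of the M-1 other BSs: M actions per BS."""
    return (QUIET,) + tuple(other for other in BSS if other != bs)


def absorbed_after(traffic, profile):
    """Predicted traffic absorbed by each BS once every BS has acted.
    Deceptive packets are absorbed by their target and never re-forwarded, so a
    forwarding BS looks like a relay for the share it passes on (assumption)."""
    absorbed = dict(traffic)
    for bs, action in profile.items():
        if action != QUIET:
            moved = FORWARD_FRACTION * traffic[bs]
            absorbed[bs] -= moved
            absorbed[action] += moved
    return absorbed


def anonymity(absorbed):
    """Assumed proxy: anonymity falls as a BS's share of absorbed traffic grows."""
    total = sum(absorbed.values())
    return {bs: 1 - load / total for bs, load in absorbed.items()}


def variance(values):
    """Population variance, exact for Fraction inputs."""
    vals = list(values)
    mean = sum(vals) / len(vals)
    return sum((v - mean) ** 2 for v in vals) / len(vals)


def payoff(traffic, profile):
    """Eqs. (3)/(4): payoff = variance of the predicted anonymity levels."""
    return variance(anonymity(absorbed_after(traffic, profile)).values())


def minimax_action(me, traffic):
    """Minimax: for each own action take the worst (largest) variance over all
    combinations of the other BSs' actions, then choose the own action with the
    smallest worst case.  Returns (action, worst-case variance)."""
    others = tuple(bs for bs in BSS if bs != me)
    best_action, best_worst = None, None
    for my_action in actions_for(me):
        worst = max(
            payoff(traffic, dict(zip((me,) + others, (my_action,) + combo)))
            for combo in product(*(actions_for(o) for o in others))
        )
        if best_worst is None or worst < best_worst:
            best_action, best_worst = my_action, worst
    return best_action, best_worst


def run_example():
    """Variance if nobody acts, and A's minimax choice with its worst case."""
    baseline = payoff(TRAFFIC, {bs: QUIET for bs in BSS})
    action, worst = minimax_action("A", TRAFFIC)
    return baseline, action, worst


if __name__ == "__main__":
    baseline, action, worst = run_example()
    print(f"variance with nobody acting: {baseline} ({float(baseline):.4f})")
    print(f"BS A forwards to {action}; worst-case variance {worst} ({float(worst):.4f})")
```

In this constructed view A carries most of the traffic, and the minimax rule sends its deceptive traffic to D, the least loaded BS, which matches the paper's remark that the BS with the least data traffic acts as the traffic absorber. The worst case A plans for is the one where all three other BSs forward to A at once; even that case leaves the anonymity variance below the do-nothing value here, but that is a property of this particular model and numbers, not a proof of the guarantee the text claims for MAG.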