View
215
Download
0
Category
Tags:
Preview:
Citation preview
Mobile Traffic Sensor Network versus Motion-MIX:Tracing and Protecting Mobile Wireless Nodes
JieJun Kong Dapeng Wu
Xiaoyan Hong and Mario Gerla
Outline
• Background.• Mobility anonymity attacks.• Countermeasure ( Motion-MIX).• Asymptotic network security model.• Security analysis of motion-MIX.
Mobile Traffic Sensor Network • Recent advances in manufacturing technologies have enabled the physical
realization of small, light-weight, low-power, and low-cost micro air vehicles.
Concept of Mobile Anonymity
• In fixed networks anonymity: identity and location are synonyms
• In mobile networks anonymity: identity and location are not synonyms. motion pattern is also a security concern. venue: the smallest area to which the adversary can “pinpoint” the
node only via the node’s communication.
• Motion pattern attack by mobile traffic analysisIf the adversary moves faster than the victim, it can always trace it’s motion pattern.
Mobile Anonymity Attacks
• Venue privacy attack (VPA) (VPA-a): enumerates the set of currently active
nodes. (VPA-b): computes related metrics such as the
size of the set. (VPA-c): performs traffic analysis against a venue.
(How many and what kind of connections in-and-out the venue).
Mobile Anonymity Attacks
• Adversary modelCapable of scanning the entire network area in short
time.Honest-but-curious.Polynomially-bounded cryptanalyst who cannot invert
one-way functions or differentiate cryptographically strong pseudorandom bits from truly random bits with non-negligible probability.
• Network modelPairwise key sharing.
Design Assumption
Motion-MIX
• K incoming mobile nodes or wireless packet flows get fully mixed in the Motion-MIX.
• K-anonymity: the adversary cannot differentiate these k nodes.
In motion-MIX, any mobile node inside a motion-MIX
venue should send out decoy traffic to ensure
k-anonymity.
The above algorithm running on mobile nodes can ensure that there are approximate k wireless transmission in its one-hop neighborhood during the unit time interval.
• Adversary’s capability decides the inner circle.
• The roaming nodes decide the outer ring.
Content Analysis
• A mobile node should be indistinguishable from other nodes in the same motion-MIX venue from the adversary’s view.
• A mobile node’s traffic should be indistinguishable from another’s in the same motion-MIX venue from the adversary’s view.
Necessary Conditions
• Identity-free routing
Every mobile node does not reveal its own identity to other nodes.
• One-time packet content
E.g., for 100 packets, the 2 extreme cases (1 1 sender to 1 recipient & 100 different senders to 100 sender to 1 recipient & 100 different senders to 100 different recipientsdifferent recipients) and all cases in-between are equally probable.
• Avoid being captured the mobile node’s radio signature.
Negligible function
DefinitionDefinition: A function u: N → R is negligible, if for every positive integer c and all sufficiently large n’s (i.e., there exists Nc>0, for all n>Nc),
cnn
1)(
In cryptography, the longer the key length is, the more asymptotically secure a cryptosystem is.
In our analysis, the larger the network scale is, the more asymptotically secure the network is.
Underlying Mobile Networking Model
The spatial distribution of a node is expressed asThe spatial distribution of a node is expressed as
For random waypoint (RWP) mobility model in a square network area of size a×a.
Underlying Mobile Networking Model
If there are N nodes in the network and each of If there are N nodes in the network and each of them roams independently and identically.them roams independently and identically.
Random presence of mobile nodes is modeled by a spatial Poisson point process.
Uniform
Non-uniform
Security Guarantee of Motion-MIX
Theorem 1: The security breach probability of motion-MIX, ( the probability that there are less than k uncompromised nodes in the venue quantified by Δ’), is negligible with respect to the network scale N.
Security Guarantee of Motion-MIX
Theorem 2: The security breach probability of
node tracing, ( the probability that the adversary
can trace an active transmitting mobile node v’s
motion pattern without losing the target), is
negligible with respect to N and |T|.
Security Guarantee of Motion-MIXPublicity assumption : The adversary knows the entire identity set and the network area, it can estimate that the expected number of nodes in each venue is
Nodes in each venue transmit k = E(k') real/decoy packets in a fully distributed manner.
Security Guarantee of Motion-MIX
Theorem 3: In a wireless ad hoc network, a
motion-MIX is min(k,E(kΔ’))-anonymous, where Δ’
is the size of the least enlarged venue defined on
the venue size Δ.
Recommended