Fast track article
Using data mules to preserve source location privacy in Wireless Sensor Networks
Introduction
In recent years, WSNs have played an important role in a number of security applications, like remotely monitoring objects. In such applications, the location of the monitored object is tightly coupled with the sensor that detects it, called the data source. Therefore, preserving the location of the data source is important for protecting the object from being traced. Such a preservation cannot be simply accomplished by encrypting the data packets as the location of the data source can be disclosed by analyzing the traffic flow in WSNs.
The problem of preserving source-location privacy can be explained using the “Panda-Hunter Game” [1], in which the sensors are deployed in the forest to monitor the movement of pandas. Each panda is mounted with an actuator which signals to the surrounding sensors in its communication range. When the sensor close to the panda receives the signal, it creates and sends data reports to the base station over the wireless network. A hunter who is monitoring the wireless communication between the sensors will be able to identify the direction of incoming traffic flow and trace back the data transmission path to locate the data source, thus catching the panda. In fact, any WSNs used for such monitoring applications are vulnerable to such kinds of traffic analysis based attacks.
Many techniques have been proposed to preserve source-location privacy against different attack models: the local-eavesdropping model and the global-eavesdropping model. Local-eavesdropping [1], [2], [3], [4] assumes the attacker’s ability to monitor the wireless communication is limited to a very small region, up to very few hops. In the global-eavesdropping model [5], [6], [7], the attacker is assumed to be capable of monitoring the traffic over the entire network. We believe both of them are unrealistic, because the former stringently restricts the attacker’s ability while the latter exaggerates it, considering the resources and cost required for launching such an attack.
In this paper, we propose a more practical attack model, the semi-global eavesdropping model, in which the attacker is able to eavesdrop on wireless communications in a substantial area that is much smaller than the entire monitoring network. This attack model allows the attacker to gather substantially more information than a local eavesdropper. As shown in Section 3, this attack allows the attacker to overcome defenses that defeat a local eavesdropper. On the other hand, without the ability of monitoring the entire network, system designers can consider alternatives to network flooding and other approaches against the global eavesdropping model that suffer from a high communication overhead.
Under the semi-global eavesdropping model, we explore a novel protocol for preserving source-location privacy by using data mules. Traditionally, data mules are used in WSNs for reducing energy consumption due to the data transmission between sensors and facilitating communication in disconnected networks. A data mule picks up data from the data source and then delivers them directly to the base station. We adapt the functionality of data mules so that they not only maintain their traditional functionality, but also facilitate the preservation of the location privacy of data sources.
Our main contributions in this paper are summarized as follows: (1) we propose a new attack model, called semi-global eavesdropping; (2) we introduce a linear-regression based traffic analysis approach to enable the attacker to infer the direction of the data source and demonstrate its effectiveness by breaking an existing routing protocol of preserving source-location privacy; (3) we define the -angle anonymity model for studying the source-location privacy; (4) we propose a novel protocol, called the Mule-Saving-Source protocol (MSS), that uses data mules to achieve -angle anonymity; (5) we theoretically analyze the delay in the MSS protocol which includes the buffering time at the data source and the data mule; (6) we propose the Mule-Saving-Source-Shortest Path Protocol (MSS-SP), which aims at reducing the buffering time at the data mules as compared to MSS by modifying the data delivery path of the data mules; (7) we propose the Mule-Saving-Source-Two Level (MSS-TL), which aims at reducing the total delay by restricting the data mules to local areas in the network; (8) we study the impact of the mobility pattern of the data mule on the MSS protocol by changing the mobility model of the data mule to a Random Waypoint based mobility model; and (9) through theoretical analysis and a comprehensive set of experiments we show their effectiveness in reducing the total delay as well as drawing comparisons between them.
The roadmap of this paper is given as follows. We describe the system model and network scenario in Section 2. In Section 3 we introduce the attack model as well as our proposed linear-regression based approach to analyze traffic, followed by the -angle anonymity model for preserving source location privacy. In Section 4, we present the Mule-Saving-Source protocol to protect the location of the data source. In addition, we theoretically analyze the data delay introduced by our protocol in Section 5. We evaluate the performance of the MSS protocol by analyzing the results from a comprehensive set of simulations in Section 6. The two proposed modifications to the MSS protocol, the Mule-Saving-Source-Shortest Path (MSS-SP) protocol and the Mule-Saving-Source-Two Level (MSS-TL) protocol, are discussed in Sections 7 and 8, respectively. In Section 9, we study the impact of the choice of the mobility pattern of data mules on the delay in the MSS protocol. We discuss related works in Section 10 and conclude the paper in Section 11.
Section snippets
System model
The terrain of our underlying network is a finite two-dimensional grid, which is further divided into cells of equal size. The network is composed of one base station, static sensors, and mobile agents, called data mules.
Preliminaries
In this section, we will first introduce our attack model and then propose a linear-regression based approach for analyzing data traffic. Furthermore, we will demonstrate the effectiveness of our attack model by compromising the phantom routing protocol [1]. Finally, we will define the -angle anonymity model for studying the location privacy preservation of the data source.
Mule-Saving-Source protocol
To protect the source location privacy against a semi-global eavesdropper, we design a protocol, called the Mule-Saving-Source protocol, achieving -angle anonymity. Our protocol exploits the random mobility of data mules to establish a data transmission pattern which effectively preserves the location privacy of the data source. Specifically, we modify the traditional function of data mules by having them hand data to regular sensors at only specific locations in the network, from where data
MSS protocol analysis
In order to model the mobility pattern of data mules we use a discrete-time Markov chain model, similar to the model proposed in [8]. Each state in the Markov chain represents the condition when the data mule is present at a specific cell in the network. Let be the transitional probability matrix for the defined Markov chain model, where the entry representing the probability of a data mule transiting from one state to another state for Markov chain with state space is:
Experimental study of the MSS protocol
A comprehensive set of simulations was conducted using a customized C++ based simulator to evaluate the performance of the discussed protocols. Specifically, we evaluated the MSS protocol and characterized the delay in it due to the number of data mules and privacy level ( angle). Furthermore, we establish the fact that the MSS protocol gives better performance than the DD protocol.
The simulation configuration is detailed in Table 2. We assume the base station is located at the center of the
Mule-Saving-Source-Shortest Path (MSS-SP) protocol
We propose the MSS-SP protocol by modifying the MSS protocol to reduce the total delay of the data packets by minimizing the carrying delay of the data mules. The carrying delay at the data mule is the total time the data packets are buffered at the data mule after it picks them up from the data source. The data mules deliver the data packets to the sensors closest to the dropping line. The carrying delay at the data mules is primarily dependent on the size of the network, the number of logical
Mule-Saving-Source-Two Level (MSS-TL) protocol
In reality, allowing any data mules to move in the entire wireless sensor network may not be efficient for data delivery from the perspective of data delay. Hence, we partition the network into blocks and restrict the movement of each data mule to a block, aimed at reducing the buffering time at the sensors. In this section, we first describe the deployment of data mules and then introduce a new protocol for routing the data by correspondingly adjusting our MSS protocol.
MSS protocol-Random Waypoint Model (MSS-RWP)
The mobility pattern of the data mules has an impact on the spatial and temporal distribution of the data mules in the network, thus affecting the inter-arrival time of the data mules at different sensors in the network. In this section, we study the impact of various mobility patterns of data mules on the MSS protocol.
In Section 4, the mobility pattern of the data mule was modeled as a random walk on the grid, wherein in each transition it moves with equal probability to one of the
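The discrete-time Markov chain over grid cells from the MSS protocol analysis, combined with the random-walk mobility described here, can be used to compute how long a source sensor waits for a mule. The sketch below is an added example, not the authors' simulator or their transition matrix: it assumes 4-neighbour moves chosen uniformly among in-grid neighbours, and the function names are hypothetical.

```python
from fractions import Fraction

def transition_matrix(n):
    """Row-stochastic P for one mule random-walking on an n x n grid.
    Assumption (not from the paper): 4-neighbour moves, uniform over the
    neighbours that exist. State index of cell (r, c) is r * n + c."""
    P = [[Fraction(0)] * (n * n) for _ in range(n * n)]
    for r in range(n):
        for c in range(n):
            nbrs = [(r + dr, c + dc) for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1))
                    if 0 <= r + dr < n and 0 <= c + dc < n]
            for rr, cc in nbrs:
                P[r * n + c][rr * n + cc] = Fraction(1, len(nbrs))
    return P

def hitting_times(P, target):
    """Expected steps until the mule first reaches `target`, per start state.
    Solves (I - Q) h = 1, where Q is P without the target row and column,
    by Gauss-Jordan elimination over exact fractions."""
    states = [s for s in range(len(P)) if s != target]
    m = len(states)
    A = [[(1 if i == j else 0) - P[si][sj] for j, sj in enumerate(states)] + [Fraction(1)]
         for i, si in enumerate(states)]
    for col in range(m):
        piv = next(i for i in range(col, m) if A[i][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        d = A[col][col]
        A[col] = [x / d for x in A[col]]
        for i in range(m):
            if i != col and A[i][col] != 0:
                f = A[i][col]
                A[i] = [x - f * y for x, y in zip(A[i], A[col])]
    h = {s: A[i][m] for i, s in enumerate(states)}
    h[target] = Fraction(0)
    return h

def mean_return_time(P, target):
    """Mean number of steps between successive visits of one mule to `target`."""
    h = hitting_times(P, target)
    return 1 + sum(p * h[s] for s, p in enumerate(P[target]))

if __name__ == "__main__":
    P = transition_matrix(5)
    source = 0  # constructed example: source sensor sits in a corner cell
    print("mean steps between mule visits:", mean_return_time(P, source))
    print("worst expected wait:", max(hitting_times(P, source).values()))
```

Corner cells have the longest mean gap between visits under this walk, so a source at the edge of the terrain buffers data longest when only one mule is deployed.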
Related work
We discuss the techniques for preserving the location privacy of the data source by categorizing them based on different attack models they counteract, namely local-eavesdropping model and global-eavesdropping model. For a more comprehensive taxonomy of techniques of preserving privacy in WSNs, we refer readers to the state-of-the-art survey [16].
For local-eavesdropping based attack, the flooding based approach was first introduced in [2], where each sensor broadcasts data that it receives to
Conclusion
In this paper, we address the issue of source-location privacy in WSNs. We described a realistic semi-global eavesdropping attack model and established its effectiveness by compromising the Phantom Routing protocol. Furthermore, we defined the -angle anonymity model for measuring the privacy preservation of source location in WSNs. To this end, we proposed a Mule-Saving-Source protocol which adapts the traditional functions of the data mules for making it -angle anonymous. Through theoretical
Acknowledgments
This work is partially supported by US National Science Foundation grants CNS-0916221, IIS-0326505, IIS-1064460, and CNS-1150192. Any opinions, findings and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect those of the National Science Foundation. The authors would also like to thank the anonymous reviewers for their valuable comments.
References (17)
- P. Kamat, Y. Zhang, W. Trappe, C. Ozturk, Enhancing source-location privacy in sensor network routing, in: Proceedings,...
- C. Ozturk, Y. Zhang, W. Trappe, Source-location privacy in energy-constrained sensor network routing, in: Proceedings,...
- Y. Ouyang, X. Le, G. Chen, J. Ford, F. Makedon, Entrapping adversaries for source protection in sensor networks, in:...
- Y. Li, J. Ren, Source-location privacy through dynamic routing in wireless sensor networks, in: Proceedings of INFOCOM,...
- K. Mehta, D. Liu, M. Wright, Location privacy in sensor networks against a global eavesdropper, in: Proceedings of...
- Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, G. Cao, Towards event source unobservability with minimum network traffic in...
- W. Yang, W. Zhu, Source location privacy in wireless sensor networks with data aggregation, in: Proceedings of UIC,...
- et al., Data mules: modeling and analysis of a three-tier architecture for sparse sensor networks, Ad Hoc Networks (2003)