gamesec 2010 november 22, berlin mathias humbert, mohammad hossein manshaei, julien freudiger and...
TRANSCRIPT
Tracking Games in Mobile Networks
GameSec 2010November 22, Berlin
Mathias Humbert, Mohammad Hossein Manshaei, Julien Freudiger and Jean-Pierre Hubaux
EPFL - Laboratory for Computer communications and Applications (LCA1)
P2P Wireless Communications Smartphones equipped with
advanced communication capabilities (WiFi & Bluetooth)
=> enable P2P communication between mobile users
Application examples:
2
Vehicular networks Mobile social networks
Location Privacy Problem
Identifiers of mobile devices unveiled Cryptographic credentials MAC addresses
External eavesdropper can monitor users’ identifiers and track them
3
MessageIdentifi
er
Local Adversary
Countermeasure: Mix Zones
4
AB
DC
E
F
I
J
KGChange identifiers in
regions called mix zones [1]
• Public/private keys used to sign messages
• MAC addresses
2 types of mix zones• Active mix zone
(M): temporal + spatial decorrelations
• Passive mix zone (P):temporal decorrelation [2]
Temporal decorrelation: change identifiers
Spatial decorrelation: remain silent (necessary only if the adversary installed an eavesdropping station at the same place) [1] Beresford, A.R., Stajano, F.: Location privacy in pervasive computing. IEEE
Pervasive Computing (2003)[2] Buttyán, L. et al.: On the effectiveness of changing pseudonyms to provide location privacy in VANETs. Security and Privacy in Ad-hoc and Sensor Networks (2007)
Mixing Effectiveness
5
4
At some intersection i:
pi13
pi12pi
14
pi2
4
pi2
1
pi23
pi32pi
34
13602680
69650194
3835930
3 e
nte
rin
g
road
s
4 exiting roads
Number of vehicles per hour
Normalized entropy-based metric [3]:
1
2
3
5933
38pi
13 = 3/(3+593+38)pi
12 = 593/(3+593+38)pi
14 = 38/(3+593+38)
Ri1=
3Ri
2= 3Ri
3= 2 k: entering roads
j: exiting roadsNormalized traffic intensity of entering road k
Passive mix zones:• mi = 0 if adversary at same place• mi = 1 if no adversary
[3] Serjantov, A., Danezis, G.: Towards an information theoretic metric for anonymity. PET 2002
Tracking GamesPlacement of active/passive mix zones versus placement of eavesdropping stations
6: Eavesdropping station (E) : Active mix zone (M) : Passive mix zone (P)
Strategic behaviors of attacker and defenders=> game theory to model the interactions between players and predict their best strategies 2 knowledge levels• complete information• incomplete info.
Game Model
7
Road network with K intersections
2 players: {mobile nodes, adversary}
Nodes’ strategies sn,i (intersection i): Active mix zone (cost = ci
m) ci
m = cip + ci
q = pseudonyms cost + silence cost
Passive mix zone (cost = cip)
Abstain
Adversary’s strategies sa,i : Eavesdrop (cost = cs) Abstain
Payoffs:
Eavesdrop (E) Abstain (A)
Active mix zone (M)
(λimi-cip-ci
q ; λi(1-mi)-cs)
(λi-cip-ci
q ; 0)
Passive mix zone (P)
(-cip ; λi-cs) (λi- ci
p ; 0)
Abstain (A) (0 ; λi-cs) (0 ; 0)
0 ≤ λi, mi, cim,
cs ≤ 1Adversary
Nodes
• mi ->1 if efficient mixing• mi ->0 if weak mixing
can be represented by a urban/central
authority
Analytical ResultsComplete Information Game
8
One intersection
• Either one pure Nash equilibrium (NE) or one mixed NE• Depending on traffic parameters mi, λi and players’
costs cim, ci
p and cs
• 4 possible pure NE: (M, E), (P, A), (A, E) and (A,A)• 2 pure NE never appear: (M, A) and (P, E)K intersections with limited number of
eavesdropping stations• Algorithm deriving a single Nash equilibrium
• Union of NE at K intersections (supergame [4])• Removal of exceeding eavesdropping stations• Update of nodes’ best response
[4] Friedman, J.W.: A non-cooperative equilibrium for supergames. The Review of Economic Studies (1971)
Analytical ResultsIncomplete and Asymmetric Information
Game:- Nodes do not know the adversary’s power
=> nodes’ belief on this power modeled as a probability distribution f(θ) [5]
9
One intersection• Existence of a pure Bayesian Nash
equilibrium (BNE) • Depending on traffic parameters mi, λi , players’ costs
cim, ci
p , cs and accuracy of nodes’ belief f(θ) on adversary’s type
• All possible pure BNE: (M, E), (P, A), (A, E) , (A, A), (M, A) and (P, E)
K intersections with limited number of eavesdropping stations• Algorithm deriving a single Bayesian Nash
equilibrium• Similar steps as the algorithm for complete information
game• Nodes do not know adversary’s strategy (eavesdropping
stations placement) => have to “guess” it based on their belief
[5] Harsanyi, J.: Games with incomplete information played by Bayesian players. Management science (1967)
Numerical Results
Real traffic data of Downtown Lausanne
10
• Low costs for both players
• 17
(M, E)
• 6
(A, E)
• 0
(P, A)
• 0
Mixed-strategy
• 2
(M, E)
• 3
(A, E)
• 18
(P, A)
• 0
Mixed-strategy
• 2
(M, E)
• 3
(A, E)
• 5
(P, A)
• 13
Mixed-strategy
• 2
(M, E)
• 3
(A, E)
• 18
(P, A)
• 0
Mixed-strategy
• Unlimited number (Γ=23) of eavesdropping stations
• Adversary’s higher cost• Limited number (Γ=5) of eavesdropping stations
Numerical Results
Incomplete Information Game:Probability density functions f(θ) of
nodes’belief on adversary’s cost cs: U(0,1) or
β(2,5)
11
Scenario\Bayesian NE
(M, E)
(P, E)
(A, E)
(M, A)
(P, A)
(A, A)
U(0,1); cs= 0.2; Γ= 23
10 13 0 0 0 0
U(0,1); cs= 0.2; Γ= 5 1 4 0 0 18 0
β(2,5); cs= 0.2; Γ= 23
16 3 4 0 0 0
β(2,5); cs= 0.2; Γ= 5 1 0 4 0 18 0
β(2,5); cs= 0.5; Γ= 23
2 0 2 14 3 2
β(2,5); cs= 0.5; Γ= 5 1 1 2 0 17 2
E = EavesdropA = Abstain
M = Active mix zoneP = Passive mix zoneA = Abstain
Adversary’s
strategies
Nodes’ strategi
es
Conclusion Possible to predict the best response of mobile users with
respect to a local adversary strategy
2 algorithms to reach (Bayesian) NE in both complete and incomplete information games In incomplete information game, nodes’ lack of information about the
adversary’s strategy leading to a significant decrease in the achievable location privacy level or a needless cost increase
Concrete application on a real city network Adversary and mobile nodes adopting complementary strategies
Future work Enrich the analysis by including the spatial interdependencies between
the different road intersections Evaluate the interactions between the attacker and defenders by using
repeated games12
Backup slides – NE at one intersection
13
Backup slides – K intersections
14
Backup slides – Algorithm 1
15
Backup slides – Bayesian Game
16
where
Backup slides – Bayesian NE
17
Backup slides – Algorithm 2
18