Location Cloaking for Location Safety Protection of Ad Hoc Networks

CS587x LectureDepartment of Computer Science

Iowa State University

Outline

What is location safety How to achieve location safety

Stationary ad hoc networks Mobile ad hoc networks

Performance evaluation Closely related work Conclusion

Why disclosing location information Location information adds a new dimension

to ad hoc networking Location-based routing

Leverage nodes’ location information in path discovery and packet forwarding

Much more efficient and scalable than topology-based routing

Location-oriented applications e.g., enemy detection in battlefield

Dilemma

Disclosing location information presents a major threat to network safety Knowing the position of a node allows an

adversary to locate and destroy it physically

Location Safety Protection

Goal Allow nodes to reveal their location Yet make it practically infeasible for one to

locate them based on such information

Location Safety Protection

Goal Allow nodes to reveal their location Yet make it practically infeasible for one to

locate them based on such information

Observation An adversary can always comb through a whole

region to locate all nodes inside it However, if the region is too large, the cost can

be prohibitively high

Location Safety Protection

Key Idea Instead of its exact position, a node can report it is

inside some spatial region, called a cloaking box Reducing location resolution to achieve a desired

level of safety protection

Location Safety Protection

Key Idea Instead of its exact position, a node can report it is

inside some spatial region, called a cloaking box Reducing location resolution to achieve a desired

level of safety protection

Location Safety Protection

Key Idea Instead of its exact position, a node can report it is

inside some spatial region, called a cloaking box Reducing location resolution to achieve a desired

level of safety protection

Lower node density less attractive for the adversary to locate/destroy the nodes inside higher safety level

Safety Level

Safety level of a cloaking box The ratio of the box’s area and the number of

nodes inside

Safety Level

Safety level of a cloaking box The ratio of the box’s area and the number of

nodes inside

Safety level of a network A network is protected at a safety level θ, if the

adversary cannot find any region whose safety level is less than θ based on nodes’ disclosed location

How to compute cloaking box For safety protection

Each cloaking box must satisfy the safety level requirement

How to compute cloaking box For safety protection

Each cloaking box must satisfy the safety level requirement

A sequence of cloaking boxes must not be correlated to identify an area with a safety level less than θ

Correlation attack

How to compute cloaking box For safety protection

Each cloaking box must satisfy the safety level requirement

A sequence of cloaking boxes must not be correlated to identify an area with a safety level less than θ

For network performance Each cloaking box needs to be as

small as possible

Correlation attack

A Naïve approach

A node broadcasts to query its nearby nodes’ location, and then identify the smallest region that meets the safety requirement

Problems1. Require nodes to report their exact location

2. Difficult to determine the query broadcast region

The node actually reveals it is inside the broadcast region What if the safety level of the region is not enough?

Proposed Technique

Basic idea Partition network domain recursively into a set of

subdomains, each with a safety level at least θ Each node uses its containing subdomain as its

cloaking box

Proposed Technique

Basic idea Partition network domain recursively into a set of

subdomains, each with a safety level at least θ Each node uses its containing subdomain as its

cloaking box

Challenges1. Partitioning needs to be done in a fully distributed manner

2. No node shall reveal its exact position

Stationary Ad Hoc Networks

Nodes are deployed in a domain D Area(D)/#Nodes is no less

than θ Nodes start to do

partitioning at time t0

Partitioning is done round by round

Each round has a fixed time duration

D

Each node sets its partition P to D

Refine P round by round Broadcast a packet PLUS(NID, P)

within P Collect the PLUS packets from

nodes in P during a time period T Calculate the safety level S(P)

If S(P)≥2θ Divide P into two equal halves Set P as the one containing the

node’s current position Go to the next round of partitioning

If S(P)<2θ Take P as its cloaking box Stop partitioning

Partitioning Algorithm

D

Each node sets its partition P to D

Refine P round by round Broadcast a packet PLUS(NID, P)

within P Collect the PLUS packets from

nodes in P during a time period T Calculate the safety level S(P)

If S(P)≥2θ Divide P into two equal halves Set P as the one containing the

node’s current position Go to the next round of partitioning

If S(P)<2θ Take P as its cloaking box Stop partitioning

Partitioning Algorithm

D

Each node sets its partition P to D

Refine P round by round Broadcast a packet PLUS(NID, P)

within P Collect the PLUS packets from

nodes in P during a time period T Calculate the safety level S(P)

If S(P)≥2θ Divide P into two equal halves Set P as the one containing the

node’s current position Go to the next round of partitioning

If S(P)<2θ Take P as its cloaking box Stop partitioning

Partitioning Algorithm

D

Each node sets its partition P to D

Refine P round by round Broadcast a packet PLUS(NID, P)

within P Collect the PLUS packets from

nodes in P during a time period T Calculate the safety level S(P)

If S(P)≥2θ Divide P into two equal halves Set P as the one containing the

node’s current position Go to the next round of partitioning

If S(P)<2θ Take P as its cloaking box Stop partitioning

Partitioning Algorithm

D

Each node sets its partition P to D

Refine P round by round Broadcast a packet PLUS(NID, P)

within P Collect the PLUS packets from

nodes in P during a time period T Calculate the safety level S(P)

If S(P)≥2θ Divide P into two equal halves Set P as the one containing the

node’s current position Go to the next round of partitioning

If S(P)<2θ Take P as its cloaking box Stop partitioning

Partitioning Algorithm

D

Is Partitioning Safe? A node reveals its location P when it

broadcasts a PLUS packet in P It is guaranteed P’s safety level is no less than θ

Recursive partitioning makes the correlation attack impossible Any two partitions P1 and P2

o either do not overlap at all, oro one contains the other completely

o Situation like never happens

Some Concerns A node may be compromised

Inject multiple PLUS packets to enlarge cloaking boxes

This attack can be prevented using authentication techniques Add a certificate field in PLUS packet Allow a node to verify the sender of a packet

Mobile ad hoc networks Initialization

Each node finds its cloaking box right after the deployment

Adjust partitioning when necessary Each node monitors its

movement against its current partition P

If a node moves into a new partition P’• Broadcast a LEAVE packet in P• Broadcast a JOIN packet in P’ D

Performance Study● Performance metrics

Cloaking area Communication overhead

Simulate a mobile ad hoc network Nodes initiate partitioning right after deployment. (overhead Cinit)

Nodes move following a random walk, and adjust partitioning when necessary (overhead Cupdate)

Node distribution follows a Normal distribution Variance v is smaller, distribution is more skewed v = 0.5, 0.1, 0.05

Evaluation Results A more skewed distribution results in

a larger cloaking area in average a smaller Cinit a larger Cupdate (most cases)

Related 1: Encryption Encrypt location information to make it

intelligible only to certain node

Problems The destination node may be compromised In some cases, location information cannot be

encrypted

Related 2: Anonymous Routing

Make routes untraceable to protect important nodes

Problems Do not provide location

safety protection A node can be destroyed

whenever it is located, regardless of its importance

Related 3: Privacy-aware LBS

Location disclosed in LBS may be correlated with restricted spaces for subject identification Service anonymity protection Location privacy protection

Problems Assume some central server for location

depersonalization Location privacy is different from location safety

Conclusion

We define the concept of location safety protection

We propose to reduce location resolution to achieve a desired level of safety protection

We present a novel distributed technique for location cloaking

Thanks!