On the Optimal Placement of Mix Zones

Julien Freudiger, Reza Shokri and Jean-Pierre Hubaux

PETS, 2009

2

• Phones– Always on (Bluetooth, WiFi)– Background apps

• New hardware going wireless– Cars, passports, keys, …

Wireless Trends

3

Peer-to-Peer Wireless Networks

1

MessageIdentifier

2

4

Examples

• Urban Sensing networks• Delay tolerant networks• Peer-to-peer file exchange

VANETs Social networks

5

Location Privacy Problem

a

b

c

Monitor identifiers used in peer-to-peer communications

6

bluetoothtracking.org

7

Previous Work

• Pseudonymous location traces– Home/work location pairs are unique [1]

– Re-identification of traces through data analysis [2,3,5]

• Location traces without any pseudonyms– Re-identification of individual trace and home [4]

• Attack: Spatio-Temporal correlation of traces

MessageIdentifier

[1] P. Golle and K. Partridge. On the Anonymity of Home/Work Location Pairs. Pervasive Computing, 2009[2] A. Beresford and F. Stajano. Location Privacy in Pervasive Computing. IEEE Pervasive Computing, 2003[3] B. Hoh et al. Enhancing Security & Privacy in Traffic Monitoring Systems. Pervasive Computing, 2006[4] B. Hoh and M. Gruteser. Protecting location privacy through path confusion. SECURECOMM, 2005[5] J. Krumm. Inference Attacks on Location Tracks. Pervasive Computing, 2007

Pseudonym Message

8

Location Privacy with Mix ZonesPrevent long term tracking

Mix zone

121

21

a

b?

Change identifier in mix zones [6,7]• Key used to sign messages is changed• MAC address is changed

[6] A. Beresford and F. Stajano. Mix Zones: User Privacy in Location-aware Services. Pervasive Computing and Communications Workshop, 2004[7] M. Gruteser and D. Grunwald. Enhancing location privacy in wireless LAN through disposable interface identifiers: a quantitative analysis . Mobile Networks and Applications, 2005

9

Mix ZonesMix network

Mix networks vs Mix zones

Mixnode

Mixnode

Mixnode

Alice Bob

Alice home

Alice work

10

Where to place mix zones?

11

Outline

1. Mix Zone Effectiveness

2. Placement of Mix Zones

3. Application Example

Shibuyu Crossing, Tokyo

12

Mobility Model

• Nodes move according to flows [8]– A flow defines a trajectory in network– Nodes belong to a single flow– Several nodes share same flow

[8] M.C. Gonzalez, C.A. Hidalgo, and A.-L. Barabasi. Understanding individual Human Mobility Patterns. Nature, 2008

13

Mix Zones Model

• Mix zones have – Set of entry/exit points– Traversed by mobile nodes

• Mobility profile of a mix zone [6]– Trajectory– Sojourn time

14

Trajectory

3/41/4 0

1/31/3 1/3

2/30 1/3

1/21/4 1/4

15

Sojourn Time

Δt

Pr(Δt)

16

Mix Zone EffectivenessEvent-Based Metric [6]

Pv is probability of assignment I = total number of assignments

T

t

t

Entering events

Exiting events

21

( ) log ( )I

T v vv

i p pH

1 2

a b

17

Event-Based Discussion

• Precise• Measures attacker success

• Requires installing eavesdropping stations at every mix zones

• What if nodes are across various windows T• High complexity (compute all assignments)

+

–

18

Mix Zone EffectivenessFlow-based Metric

• Desired properties– Prior to network operation– Rely on general statistics of mobility– Efficient

• Key idea– Consider average behavior in mix zones– Measure probability of error of adversary

19

Decision Theory Model

• Assume 2 flows f1, f2 converge to same exit

Mix zone

1

x

2

Choice under uncertainty

Any event

20

Bayes Decision Rule

• Choose hypothesis with largest a posteriori probability• Minimizes probability of error

is the a priori probability that an event belongs to fj

is the conditional probability of observing x knowing that x belongs to fj

21

pe

Probability of Error

1 1( )p x 2 2 ( )p x

x

22

Jensen-Shannon Divergence

• Measure distance between probability distributions

• Provides both lower and upper bounds for the probability of error

23

OutlineIllustration of Metric

24

Outline

1. Mix Zone Effectiveness

2. Placement of Mix Zones

3. Application Example

25

Description

• Central authority decides offline where to deploy mix zones– Knows mobility model

– Knows effectiveness of possible mix zones locations

26

Distance to Confusion [9]

• Between mix zones, adversary can track nodes• Mix zone = confusion point• Bound distance between mix zones

Mix zone 1

Mix zone 2

Distance-to-confusion

[9] B. Hoh et al.. Virtual Trip Lines for Distributed Privacy-Preserving Traffic Monitoring. MobiSys, 2008

27

Cost of mix zones

• Use pseudonyms• Must remain silent for a period of time• Bound cost for each node

28

Placement Optimization• Use a subset of all possible mix zones

Cost

Distance to confusion

Mix zone effectiveness

where wi is cost of a mix zone Wmax is maximum costCmax is maximum distance-to-confusion

{0,1}iz

ˆZ Z

29

Illustration of Algorithm

32

1

4

30

Outline

1. Mix Zone Effectiveness

2. Placement of Mix Zones

3. Application Example

31

Simulation Setup

• Urban mobility simulator (SUMO)– Real (cropped) map– Flows

• Attack Implementation (MOBIVACY)– Compute mobility profiles for each mix zone– Predict most probable assignment of

entering/exiting nodes for each mix zone

32

Map of New York City

33

Metric & Configuration

• Matching success of mix zone i

• Tracking success

• System parameters– dtc <= 2km– cost <= 3 mix zones

Number of nodes matched

Total number of nodesim

Number of nodes tracked over k consecutive mix zones

Total number of nodes traversing k consecutive mix (

zones)ts k

34

Mix Zone Performance

35

Mix Zone Placement

(avg=0.48)(avg=1.56)(avg=1.55)(avg=3.56)

0 1 2 3 4 5 6 7 80

10

20

30

40

50

60

70

80

BadRandomOptimalFull

Number of traversed mix zones

Frac

tion

of n

odes

36

Tracking Success for different deployments

37

Performance of Deployment

Bad Random Optimal Full0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

38

Tracking Success with different traffic conditions

39

Conclusion• Construct a network of mix zones

• Measure of mix zones effectiveness based on– Mobility profiles– Jensen-Shannon divergence

• Optimization model• Results

– Optimal algorithm prevents bad placement– 30% increase of location privacy compared to

randomjulien.freudiger@epfl.ch

40

BACKUP SLIDES

41

Future Work

• Real mobility traces– More realistic intersection model

• Weight location in optimization– Some regions are more sensitive

• Larger map

• Other attacks

42

How to obtain mix zones?

• Silent mix zones– Turn off transceiver

• Passive mix zones– Where adversary is absent– Before connecting to Wireless Access Points

• Encrypt communications– With help of infrastructure– Distributed

43

Event-based Metric

• Assume adversary knows mobility profiles• Consider nodes entering/exiting mix zone i

over T time steps

Pv is probability of assignment

I = total number of assignments

• Average entropy:

44

GeneralizationConsider average behavior

Mix zone

1

x

2222

1

45

Mix Zone Placement

• Average number of traversed mix zone = average cost

• Optimal performs close to full at much lower cost

46

Tracking Success for different adversary strength

47

Tracking Success for different mix zone radius

48

Average Tracking Success

Bad Random Optimal Full0

10

20

30

40

50

60

70

80

90

100

Frac

tion

of N

odes

Mat

ched