toward privacy preserving and collusion resistance in a ......to protect source location privacy...
TRANSCRIPT
Toward Privacy Preserving andCollusion Resistance in a
Location Proof Updating SystemZhichao Zhu, Student Member, IEEE, and Guohong Cao, Fellow, IEEE
Abstract—Today’s location-sensitive service relies on user’s mobile device to determine the current location. This allows malicious
users to access a restricted resource or provide bogus alibis by cheating on their locations. To address this issue, we propose A
Privacy-Preserving LocAtion proof Updating System (APPLAUS) in which colocated Bluetooth enabled mobile devices mutually
generate location proofs and send updates to a location proof server. Periodically changed pseudonyms are used by the mobile devices
to protect source location privacy from each other, and from the untrusted location proof server. We also develop user-centric location
privacy model in which individual users evaluate their location privacy levels and decide whether and when to accept the location proof
requests. In order to defend against colluding attacks, we also present betweenness ranking-based and correlation clustering-based
approaches for outlier detection. APPLAUS can be implemented with existing network infrastructure, and can be easily deployed in
Bluetooth enabled mobile devices with little computation or power cost. Extensive experimental results show that APPLAUS can
effectively provide location proofs, significantly preserve the source location privacy, and effectively detect colluding attacks.
Index Terms—Location-based service, location proof, location privacy, pseudonym, colluding attacks
Ç
1 INTRODUCTION
LOCATION-BASED services take advantage of user locationinformation and provide mobile users with various
resources and services. Nowadays, more and more location-based applications and services require users to providelocation proofs at a particular time. For example, “GoogleLatitude” and “Loopt” are two services that enable users totrack their friends’ locations in real time. These applicationsare location-sensitive since location proof plays a criticalrole in enabling these applications.
There are many kinds of location-sensitive applications.One category is location-based access control. For example,a hospital may allow patient information access only whendoctors or nurses can prove that they are in a particularroom of the hospital [19]. Another class of location-sensitiveapplications require users to provide past location proofs[26], such as auto insurance quote in which auto insurancecompanies offer discounts to drivers who can prove thatthey take safe routes during their daily commutes, policeinvestigations in which detectives are interested in findingout if a person was at a murder scene at some time, andlocation-based social networking in which a user can ask for alocation proof from the service requester and accepts therequest only if the sender is able to present a valid locationproof. The common theme across these location sensitiveapplications is that they offer a reward or benefit to users
located in a certain geographical location at a certain time.Thus, users have the incentive to cheat on their locations.
Location-sensitive applications require users to prove thatthey really are (or were) at the claimed locations. Althoughmost mobile users have devices capable of discovering theirlocations, some users may cheat on their locations and thereis a lack of secure mechanism to provide their current or pastlocations to applications and services. One possible solution[15] is to build a trusted computing module on each mobiledevice to make sure trusted GPS data is generated andtransmitted. For example, Lenders et al. [15] proposed such asolution which can be used to generate unforgeable geotagsfor mobile content such as photos and video; however, itrelies on the expensive trusted computing module on mobiledevices to generate proofs. Although cellular serviceproviders have tracking services that can help verify thelocations of mobile users in real time, the accuracy is notgood enough and the location history can not be verified.Recently, several systems have been designed to let endusers prove their locations through WiFi infrastructures. Forexample, Saroiu and Wolman [26] proposed a solutionsuitable for third-party attestation, but it relies on PKI andthe wide deployment of WiFi infrastructure.
In this paper, we propose A Privacy-Preserving LocA-tion proof Updating System (APPLAUS), which does notrely on the wide deployment of network infrastructure orthe expensive trusted computing module. In APPLAUS,Bluetooth enabled mobile devices in range mutuallygenerate location proofs, which are uploaded to a untrustedlocation proof server that can verify the trust level of eachlocation proof. An authorized verifier can query andretrieve location proofs from the server. Moreover, ourlocation proof system guarantees user location privacyfrom every party. More specifically, we use statisticallyupdated pseudonyms at each mobile device to protect
. The authors are with the Department of Computer Science andEngineering, The Pennsylvania State University, Information Scienceand Technology Building, University Park, PA 16802.E-mail: {zzhu, gcao}@cse.psu.edu.
Manuscript received 25 Apr. 2011; revised 16 Aug. 2011; accepted 12 Oct.2011; published online 4 Nov. 2011.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log Number TMC-2011-04-0214.Digital Object Identifier no. 10.1109/TMC.2011.237.
IEEE TRANSACTIONS ON MOBILE COMPUTING VOL:12 NO: 1 YEAR 2013
location privacy from each other, and from the untrustedlocation proof server. We develop a user-centric locationprivacy model in which individual users evaluate theirlocation privacy levels in real time and decide whether andwhen to accept a location proof request. In order to defendagainst colluding attacks, we also present betweennessranking-based and correlation clustering-based approachesfor outlier detection. Extensive experimental and simula-tion results based on multiple data sets show thatAPPLAUS can effectively provide location proofs, signifi-cantly preserve the source location privacy, and effectivelydetect colluding attacks.
The rest of the paper is organized as follows: We firstintroduce preliminaries of our scheme in Section 2, and thenpresent our location proof updating scheme in Section 3.Section 4 presents the source location privacy analysis andSection 5 discusses colluding attacks and countermensures.The performance of our scheme is evaluated in Section 6.Finally, we describe related work in Section 7 and concludethe paper in Section 8.
2 PRELIMINARIES
In this paper, we focus on mobile networks where mobiledevices such as cellular phones communicate with eachother through Bluetooth. In our implementation, mobiledevices periodically initiate location proof requests to allneighboring devices through Bluetooth. After receiving arequest, a mobile node decides whether to exchangelocation proof, based on its own location proof updatingrequirement and its own privacy consideration. Given itsappropriate range (about 10 m) and low power consump-tion, Bluetooth is a natural choice for mutual encountersand location proof exchange.
2.1 Pseudonym
As commonly used in many networks, we consider an online
Certification Authority (CA) run by independent trusted
third party which can preestablish credentials for the mobile
devices. Similar to many pseudonym approaches, to protect
location privacy, every mobile node i registers with the
CA by preloading a set of M public/private key pairs
KPubi ;KPrv
iM
i¼1 before entering the network. The public key
KPubi is used to serve as the pseudonym of node i. The
private key KPrvi enables node i to digitally sign messages
so that the receiver can validate the signature authenticity.Due to the broadcast nature of wireless communication,
probes are used for mobile nodes to discover theirneighbors. When a node i receives a probe from anothernode, it checks the certificate of the public key of the senderand the physical identity, e.g., Bluetooth MAC address.After that, i verifies the signature of the probe message.Subsequently, if confidentiality is required, a securityassociation is established (e.g., with Diffie-Hellman).
2.2 Threat Model
We assume that an adversary aims to track the location of amobile node. An adversary can have the same credential asa mobile node and is equipped to eavesdrop communica-tions. We assume that the adversary is internal, passive, andglobal. By internal, we mean that the adversary is able tocompromise or control individual mobile device and thencommunicate with others to explore private information, or
individual devices may collude with each other to generatefalse proofs, which will be discussed in detail in Section 5.We assume that the number of colluders is small comparedwith that of valid devices. In the worst case, the adversarycould compromise the location proof server to get the storedlocation proof records. However, it is not able to takecontrol of the server to work as a colluder, since oncecompromised, the attack will be detected promptly andthe location proof server will be replaced by a back-upserver. The same assumption applies to the CA. By passive,we assume the adversary cannot perform active channeljamming, mobile worm attacks [34] or other denial-of-service attacks, since these attacks are not related to locationprivacy. By global, we assume the adversary can monitor,eavesdrop, and analyze all the traffic in its neighboring area,or even monitor all the traffic around the server.
In practice, the adversary can thus be a rogueindividual, a set of malicious mobile nodes, or eavesdrop-ping devices in the network. In the worst case, it is possiblethat the untrusted location proof server may be compro-mised by the adversary and the location information canthen be easily inferred by examining the records of locationproofs, e.g., the adversary could apply statistical testingsuch as K-S test to identify a user although no real identityis included. Therefore, we need to appropriately designand arrange the location proof records in the untrustedserver so that no private information related to individualusers will be revealed even after it is compromised. Hence,the problem we address in this paper consists of collectinga set of location proofs for each peer node and protectingthe location privacy of peer nodes from each other, fromthe adversary, or even from the untrusted location proofserver to prevent other parties from learning a node’s pastand current location information.
2.3 Location Privacy Level
In this paper, we use multiple pseudonyms to preservelocation privacy; i.e., mobile nodes periodically change thepseudonym used to sign messages, thus reducing their longterm linkability. To avoid spatial correlation of their location,mobile nodes in proximity coordinate pseudonym changesby using silent mix zones [16], [17], or regions where theadversary has no coverage [4]. Without loss of generality, weassume each node changes its pseudonyms from time totime according to its privacy requirement. If this nodechanges its pseudonym at least once during a time period(mix zone), a mix of its identity and location occurs, andthe mix zone becomes a confusion point for the adversary.
Consider a mobile network composed of N mobile nodesand each node has M pseudonyms. At time t, for eachnode i there are a group of mðtÞ pseudonyms observed atthe location proof server. Each pseudonym among the mðtÞpseudonyms can involve multiple location proofs acrossvarious locations l1; l2; . . . ; ln at different time t1; t2; . . . ; tn.An adversary is able to correlate the location and timedistribution of each pseudonym to see if two pseudonymsbelong to the same node. For example, the adversary canobserve a series of location proofs with mðT Þ pseudonymsduring time T . He then compares the distribution of locationproof set B of pseudonym b with the distribution of locationproof set D of pseudonym d to determine if the twopseudonyms can be linked. Let pd¼b ¼ Pr (distribution D ofpseudonym corresponds to distribution B of pseudonym b),
the location privacy level of node i (i.e., the uncertainty ofthe adversary) at time T , is
EiðT Þ ¼ �X
d;b2mðT Þpd¼blog2ðpd¼bÞ: ð1Þ
The achievable location privacy depends on the numberof nodes (mðT Þ) and the unpredictability of their where-abouts in the mix zone (pdjb). If a node i has only onepseudonym observed till time T , its identity is known tothe adversary and its location privacy level is defined to beEiðT Þ ¼ 0. We can achieve the maximum entropy whenevery pd¼b is close to 0; i.e., the distribution of locationproofs for each pseudonym is undistinguishable.
3 THE LOCATION PROOF UPDATING SYSTEM
In this section, we introduce the location proof updatingarchitecture, the protocol, and how mobile nodes scheduletheir location proof updating to achieve location privacy inAPPLAUS.
3.1 Architecture
In APPLAUS, mobile nodes communicate with neighboringnodes through Bluetooth, and communicate with theuntrusted server through the cellular network interface.Based on different roles they play in the process of locationproof updating, they are categorized as Prover, Witness,Location Proof Server, Certificate Authority or Verifier. Thearchitecture and message flow of APPLAUS is shown inFig. 1.
. Prover: the node who needs to collect location proofsfrom its neighboring nodes. When a location proof isneeded at time t, the prover will broadcast a locationproof request to its neighboring nodes throughBluetooth. If no positive response is received, theprover will generate a dummy location proof andsubmit it to the location proof server.
. Witness: Once a neighboring node agrees to providelocation proof for the prover, this node becomes awitness of the prover. The witness node will generatea location proof and send it back to the prover.
. Location proof server: As our goal is not only tomonitor real-time locations, but also to retrievehistory location proof information when needed, alocation proof server is necessary for storing the
history records of the location proofs. It commu-nicates directly with the prover nodes who submittheir location proofs. As the source identities of thelocation proofs are stored as pseudonyms, thelocation proof server is untrusted in the sense thateven though it is compromised and monitored byattackers, it is impossible for the attacker to revealthe real source of the location proof.
. Certificate authority: As commonly used in manynetworks, we consider an online CA which is run byan independent trusted third party. Every mobilenode registers with the CA and pre-loads a set ofpublic/private key pairs before entering the net-work. CA is the only party who knows the mappingbetween the real identity and pseudonyms (publickeys), and works as a bridge between the verifier andthe location proof server. It can retrieve locationproof from the server and forward it to the verifier.
. Verifier: a third-party user or an application who isauthorized to verify a prover’s location within aspecific time period. The verifier usually has closerelationship with the prover, e.g., friends or collea-gues, to be trusted enough to gain authorization.
3.2 Protocol
When a prover needs to collect location proofs at time t, itexecutes the protocol in Fig. 2 to obtain location proofs fromthe neighboring nodes within its Bluetooth communicationrange. Each node uses its M pseudonyms PM
i¼1 as itsidentity throughout the communication.
1. The prover broadcasts a location proof request to itsneighboring nodes through Bluetooth according toits update scheduling. The request should containthe prover’s current pseudonym Pprov, and a randomnumber Rprov.
2. The witness decides whether to accept the locationproof request according to its witness scheduling.Once agreed, it will generate a location proof forboth prover and itself and send the proof back to theprover. This location proof includes the prover’spseudonym Pprov, prover’s random number Rprov,witness’s current time stamp Twitt, witness’s pseu-donym Pwitt, and their shared location L. This proofis signed and hashed by the witness to make surethat no attacker or prover can modify the locationproof and the witness cannot deny this proof. It isalso encrypted by the server’s public key to preventfrom traffic monitoring or eavesdropping.
3. After receiving the location proof, the prover isresponsible for submitting this proof to the locationproof server. The message also includes prover’spseudonym Pprov and random number Rprov, or itsown location for verification purpose.
Fig. 1. Location proof updating architecture and message flow.
Fig. 2. Location proof updating protocol.
4. An authorized verifier can query the CA for locationproofs of a specific prover. This query contains areal identity and a time interval. The CA firstauthenticates the verifier, and then converts the realidentity to its corresponding pseudonyms duringthat time period and retrieves their location proofsfrom the server. In order not to expose correlationbetween pseudonyms to the location server, CA willalways collect enough queries from k differentnodes before a set of queries are sent out.
5. The location proof server only returns hashedlocation rather than the real location to the CA, whothen forwards to the verifier. The verifier comparesthe hashed location with the claimed locationacquired from the prover to decide if the claimedlocation is authentic.
In order to prevent the CA from knowing locations of areal identity, the location proof server calculates the hash ofeach location and only sends the hashed locations to theCA in step 5. In this way, the following property can beachieved.
Definition 1 (Separation of privacy knowledge). Theknowledge of the privacy information is separately distributedto the location proof server, the CA, and the verifier. Thus, eachparty only has partial knowledge.
The privacy property of our protocol is ensured by theseparation of privacy knowledge: the location proof serveronly knows pseudonyms and locations, the CA only knowsthe mapping between the real identity and its pseudonyms,while the verifier only knows the real identity and itsauthorized locations. Attackers are unable to learn a user’slocation information without integrating all the knowledge.Therefore, compromising either party of the system doesnot reveal privacy information.
3.3 Scheduling Location Proof Updates
As discussed before, the adversary may obtain completecoverage and track nodes throughout the entire network, bycompromising the location proof server and obtain allhistory location proofs. Therefore, we need to appropriatelydesign and arrange the location proof updating schedulesfor both prover and witness so that no source locationinformation related to individual user is revealed even if theserver is compromised.
Suppose a mobile node i has a set of pseudonymsP1; P2; . . . ; PM which change periodically, and distinctparameters �1; �2; . . . ; �M for each pseudonym are prede-termined. If each pseudonym Pj updates its location proofssuch that the interupdate interval follows Poisson distribu-tion with parameter �j, as shown in Fig. 3, then the entireinterupdate intervals for node i follow Poisson distributionwith a parameter of � ¼ �1 þ �2 þ � � � þ �M . As will bediscussed in the next section, it has the properties ofpseudonym unlinkability and statistically strong sourcelocation unobservability. The detailed scheduling protocolfor the prover is shown in Algorithm 1. The predefinedupdating parameter � determines how frequently locationproofs are updated. In some cases, no location proof isgenerated when the location proof updating time arrives.To ensure that location proof updating follows the
scheduled Poisson distribution, a dummy proof is gener-ated and submitted. The dummy proof has the same formatas the real location proof and cannot be differentiated by
the attackers.
Algorithm 1. Location Proof Update Scheduling for
the prover
Input: updating parameter �;
1: generate M distinct parameter �1; �2; � � � ; �M suchthat �1 þ �2 þ � � � þ �M ¼ �
2: for each pseudonym i do
3: while current timestamp t follows Poisson
distribution with �i do
4: send location proof request
5: if request is accepted then
6: submit location proof
7: else
8: generate and submit dummy proof
9: end if
10: end while
11: end for
The location privacy of witness nodes varies depending
on the time and location when they exchange locationproofs. It is thus desirable to protect the location privacyin a user-centric manner, such that each user can decidewhen and how to protect his location privacy. User-centriclocation privacy [12], [17] follows a distributed approach
where each mobile node locally monitors its locationprivacy level over time. A network wide metric measuresthe average location privacy but may ignore that somenodes have low location privacy levels. However, the usercentric approach is more scalable and can maintain location
privacy at a more fine-grained level. In our model, thelocation privacy of a node may accumulate over time. Itdepends on the distribution diversity of the last pseudo-nym and its previous pseudonyms before the last success-ful pseudonym change. Each mobile node monitors and
measures its own privacy level in real time and decideswhether and when to accept a location proof exchangerequest. After receiving a location proof exchange request,it calculates the privacy loss between the next scheduledupdating time and the current updating time. In this way, a
node has autonomy to control the time period over whichits location is tracked. The privacy loss of node i is definedas follows:
Fig. 3. Example of individual pseudonym update versus entire nodeupdate.
� ¼ Eiðt0Þ � EiðtÞEiðtÞ
; ð2Þ
where EiðtÞ is the location privacy level when the locationproof exchange request is accepted while Eiðt0Þ is thelocation privacy level at the next scheduled location proofupdating cycle. The difference between them indicates theprivacy loss if this location proof request is accepted. Thelocation proof request is only accepted when the privacyloss is less than a predefined threshold. The drawback ofthe user-centric model is that nodes may have misalignedincentives (i.e., different privacy requirement), which canlead to failed attempts to obtain enough location proofs. Weuse dummy proofs in Algorithm 1 to deal with failedattempts. The detailed scheduling protocol for witness ispresented in Algorithm 2.
Algorithm 2. Scheduling Location Proof Updates
at WitnessesInput: time t of incoming location proof request;
1: calculate location privacy loss � assuming the
incoming request is accepted
2: if � > �, � is pre-defined location privacy loss threshold
then
3: deny location proof request
4: else
5: accept location proof request6: end if
4 SOURCE LOCATION PRIVACY ANALYSIS
In this section, we discuss the location privacy threat in oursystem, as well as our countermeasures.
We first look at how an adversary may reveal locationinformation by analyzing the location proof history.Suppose the attacker has sufficient resources (e.g., instorage, computation and communication). First, the attack-er may simply monitor and examine the content of a recordthat contain the user’s identity and location. Second, evenif the user’s ID is encrypted or pseudonymized, it is easy forthe adversary to trace back all the location activities relatedto the same ID once its pseudonym is discovered. Third,even though the user’s pseudonyms change periodically, itis still possible for the adversary to infer this user’s otherpseudonyms from one pseudonym if these pseudonymschange at similar time or locations. Moreover, the attackermay perform more advanced traffic analysis including ratemonitoring and location correlation. In a rate monitoringattack, the attacker tries to monitor and correlate locationproof updating rates from different pseudonyms. In alocation correlation attack, the attacker may observe thecorrelation in the updated location between a node and itsneighbors, attempting to deduce a relationship.
According to [23], a mechanism to achieve anonymityappropriately combined with dummy traffic yields unobser-vability, In our case, we are interested in the privacyproperty of each node, and we have the following definition:
Definition 2. Source location unobservability is a privacyproperty that can be satisfied if an attacker cannot determinethe real identity of mobile nodes through observation of thelocation proof records. That is, for each possible observation Othat an attacker can make, if the probability of an identity I is
equal to the probability of I given O; i.e., 8O;P ðIÞ ¼ P ðIjOÞ,then I is called unobservable.
Based on the above definition, we have the followingdefinition on pseudonym unlinkability:
Definition 3. A system has the property of pseudonymunlinkability if the pseudonyms P1; P2; . . . ; PM of an identityI presented in the location proof records cannot be inferred fromone to another: 8i; j; 8O; probðPijOÞ 6¼ probðPjjOÞ; i; j 2f1; 2; . . . ;Mg; i 6¼ j.
Obviously, a system satisfies source location unobserva-bility if and only if it has the property of pseudonymunlinkability. We need to design a probabilistic solution,which can provide a satisfactory degree of event unobser-vability and reduce the latency as much as possible. Forexample, we can adopt a Poisson distribution to determinethe time intervals between location proof updates. Underour attack model, an adversary can easily know a constantrate distribution and its mean by statistic test over thehistory of location proof records. However, if we use aprobabilistic rate scheme and keep the seed for generatingrandom numbers secret from an attacker, the attacker maynot be able to notice if a proof update is due to a real eventor a dummy message even if a node sends out a real eventmessage immediately. Intuitively, a node cannot alwaysinitiate or accept a proof request immediately in thepresence of burst events; otherwise, an attacker may noticethe change of the underlying distribution. Therefore, it isdifficult to guarantee perfect event unobservability whileproviding low latency. Thus, we adopt statistically strongsource location unobservability to achieve low latency andhigh privacy.
Suppose the interupdate delay (d) between locationproof updates kðk > 0Þ and kþ 1 from a pseudonym ið1 �i�MÞ of a mobile node is dik ¼ tikþ1� tik, where tik is theupdate time of location proof k from pseudonym i. A globalattacker can observe a sequence of interupdate delays,which can be represented as a distribution Xi ¼ di1; di2; . . ..Ideally, in a scheme with perfect unobservability but highlatency, interupdate delays from all the pseudonyms of thesame node follow different distribution, so that an attackercannot identify the relations between these pseudonyms. Inour case of statistically strong source location unobserva-bility, distributions of interupdate delays by differentpseudonyms are statistically distinct from each other. Theyare distinct from each other in the sense that by a statistictest one cannot correlate them with each other. We have thedefinition of statistically distinct distributions as follows:
Definition 4. Two probabilistic distinct distribution Xi andXjð1 � i; j �M; i 6¼ jÞ are statistically distinct from eachother if they follow the same type of probabilistic distributionwith distinct parameter.
Clearly, the more parameters a distribution has, theharder it is to prove its statistical distinction. In our scheme,we decided to use Poisson distribution to control the rate oflocation proof updating due to its one-parameter advan-tage, which makes it relatively easy to achieve sourcelocation unobservability. More specifically, we have thefollowing lemma:
Lemma 1. Suppose a mobile node has a set of pseudonymsP1; P2; . . . ; PM which change periodically. Each pseudonym isends out its location proof updates (including dummyupdates) whose interupdate delay follows Poisson distributionwith a parameter �i. Then all the interupdate delays of thismobile node follow Poisson distribution with parameter � ¼�1 þ �2 þ � � � þ �M .
Proof 1. Without loss of generality, we assume the mobile
node changes its pseudonyms in the order of P1; P2; . . . ;
PM . As each pseudonym i follows Poisson distribution
Xi ¼ P ðX ¼ tÞ ¼ �tie��i
t! , the distribution of the combina-
tion of pseudonyms Pi and Pj is
Y ¼ P ðXi þXj ¼ kÞ ð3Þ
¼Xk
t¼0
P ðXi ¼ tÞP ðXj ¼ k� tÞ ð4Þ
¼Xk
t¼0
�tie��i
t!��ðjk� tÞe��iðk� tÞ! ð5Þ
¼ ð�i þ �jÞte�ð�iþ�jÞ
t!: ð6Þ
That is, the sum of two independent Poisson distribu-tions with parameters of �i and �j also follow aPoisson distribution with parameter �i þ �j. It is easyto extend that the sum of all pseudonyms also followsPoisson distribution with a parameter of � ¼ �i þ�2 þ � � � þ �M . tuTherefore, if each mobile node in the network chooses M
distinct parameters from �1 to �M for its M pseudonyms,and schedules location proof updates based on theaforementioned Poisson distributions, the location proofrecords in the server have the properties of pseudonymunlinkability and statistically strong source location un-observability. When parameter � is fixed, increasing thenumber of pseudonyms (M) improves the privacy level, asit increases the possibility for attackers to confuse betweenpseudonyms from different nodes. Meanwhile, as eachnode presents more pseudonyms in the system, it alsodecreases the possibility for this node to be identified even
though one of its pseudonym has been recognized.Quantifying the relationship between the number ofpseudonyms (M) and the privacy level is difficult sincethe privacy level is determined by many other parameters.However, the upper bound of M may always be deter-mined due to the space limit of mobile devices. There are anumber of ways to pick individual �i when � is fixed. Forexample, one intuitive solution is to generate an arithmeticprogression or a geometric progression which sums to �.
5 COLLUDING ATTACKS AND COUNTERMEASURES
The joint issues of location proof and location privacy havebeen studied in [33], but the threat of colluding attack is stillan open issue. This threat exists when two nodes colludewith each other to generate bogus location proofs. Forexample, when a dishonest node C1 from San Francisconeeds to prove herself in New York City (NYC), she canhave another colluding node C2 to generate bogus locationproofs for her, with location tag of New York City.Generally speaking, such attacks can be identified bylooking into the location traces and examining the interac-tions between colluders as well as the time and locationconsistency along the moving trajectory. We first considerstatistical threshold based solution in which the systemrequires the prover to obtain a number of witness nodes, nomatter what their real identities are. As we know, thelocation proof server has information about the number ofpseudonyms at a particular time and location. Thisinformation can be used to estimate whether the proverlies about not finding enough peers or always finding thesame peer based on some statistical techniques.
More specifically, the server-level detection is performedon individual location proof based on its embedded timestamp and location information, where all concurrent andco-located location proofs from other nodes (pseudonyms)are used to verify its trust level. For example in the normalcase, as in Fig. 4a, PA is a legitimate prover who hasreceived location proofs from all neighboring witnessnodes PB, PE , and PF , except PG due to interference orsynchronization reasons. Therefore, PA has collectedthree location proofs (Nproof ¼ 3) from four neighbors(Nneighbor ¼ 4), and we denote the trust level of this locationproof as TLPA ¼
Nproof
Nneighbor¼ 0:75. Since the trust level TL is
Fig. 4. Threshold based verification. (a) all nodes are legitimate nodes. TLPA ¼Nproof
Nneighbor¼ 0:75. (b) PA tries to claim her location in NYC with her
colluders although she is not at NYC. PB is PA’s colluder and witness. TLPA ¼ 1=4 ¼ 0:25, and PA is detected as malicious.
higher than preselected threshold, PA is considered as agood node.
Fig. 4b illustrate a colluding case where node PA tries toclaim her location in New York city with her colludersalthough she is not at NYC. Although PA finds a colluderPB who is located in NYC to generate a fake location prooffor her, it can’t use other provers since she is not at NYC.The location proof server looks through the location proofrecords to check if there are other provers in PA’scommunication range. In this example, several othernodes (e.g., PE , PF , and PG) exist. It is easy to calculatethe trust level of PA’s location proof is TLPA ¼ 1=4 ¼ 0:25,which is below the threshold. Thus, PA is listed assuspicious to be malicious.
Calculating the trust level of a location proof involves theexamination of its surrounding location proofs for bothprover and witness, as well as large amount of redundantcalculations between individual location proofs. To addressthis problem, we develop techniques that can performverifications on a set of location proofs which are relevant intime and space, rather than individual proofs. We presenttwo approaches to detect suspicious location proofs andpseudonyms: betweenness ranking and correlation clustering.The betweenness ranking approach calculates the between-ness of each pseudonym in a graph and then ranks thesepseudonyms based on their betweenness value. Thepseudonyms with low ranking are considered as suspiciousnodes. The correlation clustering approach takes into accountthe time delay between two neighboring location proofs,and uses a modified correlation clustering algorithm on atemporal-weighted graph to rule out outlier clusters, whichare considered as suspicious location proofs. Both ap-proaches use undirected graph to reflect the relationshipbetween pseudonyms or between location proofs.
5.1 Betweenness Ranking
As the pseudonyms of each node keep changing, we don’thave the contact patterns of individual nodes except theirpseudonyms. Therefore, we can only verify pseudonymsthat are relevant enough in both temporal and spatialdomains. Considering all the concurrent (within 60 secondsdelay) location proofs in a region, we first describe how toconstruct a pseudonym-correlation graph.
Definition 5. A pseudonym-correlation graph for region R is anundirected graph G ¼ ðV ;EÞ, with vertex set v1; v2; . . . ; vn,were n ¼ jV j. Each vertex vi 2 V represents a pseudonym Pi
in region R, while each edge ðvi; vjÞ 2 E denotes that there isa location proof generated between node vi and node vj.
Let s ¼ v0 and t ¼ vl. A path from s to t is defined as asequence of edges ðvi; viþ1Þ, 0 � i � l. The length of a path isthe number of edges in the sequence. We use dðs; tÞ to denotethe distance (the minimum length of any path connecting sand t in G) between s and t. With dði; iÞ ¼ 0, we have thefollowing definition of betweenness:
Definition 6. Let �st (which is equal to �ts) denote the totalnumber of shortest paths from s to t, where �ss ¼ 1. Let �stðvÞdenote the number of shortest paths from s to t which includenode v 2 V . Then the betweenness of v is as following:
BðvÞ ¼X
s 6¼v 6¼t
�stðvÞ�st
: ð7Þ
Betweenness is defined as the number of shortest pathsfrom all vertices to all others that pass through node v. It isan indicator of who is the most influential node in thenetwork (i.e., who interconnects with most others). As inFig. 5a, there are seven shortest paths (v1 � v5; v1 � v6;v2 � v5; v2 � v6; v3 � v5; v3 � v6; v5 � v6) pass through v4, thebetweenness of node v4 can be calculated as Bðv4Þ ¼P
7 ð1Þ ¼ 7. Similarly, we can get Bðv5Þ ¼ Bðv6Þ ¼ 0. Ob-viously v5 and v6 have higher chance to be malicious nodethan v4. One notable feature of the definition is that thebetweenness measurement gives very clear winners andlosers among the nodes in the network: individuals withthe highest betweenness are well ahead of those with thesecond highest, who are in turn well ahead of those withthe third highest, and so on. Individuals with the lowestbetweenness usually only connect to one or few neighbors.They are treated as outliers among all the nodes and thusmost likely are colluding attackers.
Let �stðvÞ ¼ �stðvÞ�st
. The dependency of a source vetex s on avertex v is defined as
�s�ðvÞ ¼X
t:t6¼s;t 6¼v�stðvÞ: ð8Þ
The betweenness of a vertex v can be expressed as
BðvÞ ¼X
s6¼v�s�ðvÞ: ð9Þ
Define the set of predecessors of a vertex v on the shortestpaths from s as PsðvÞ¼u2V :ðu; vÞ2E; dðs; vÞ ¼ dðs; uÞþ1.
Fig. 5. Examples of unweighted pseudonym-correlation graph and temporal-weighted proof-correlation graph.
The following theorem states that the dependencies of thecloser vertices can be computed from the dependencies ofthe farther vertices.
Lemma 2. If there is exactly one shortest path from s to each t,the dependency of s on any vertex v obeys
�s�ðvÞ ¼X
w:v2PsðwÞð1þ �s�ðwÞÞ: ð10Þ
Proof 2. The assumption implies that the vertices and edgesof all shortest paths from s form a tree. Therefore, v lieson either all or none of the paths between s and somevertex t, i.e., �stðvÞ equals either 1 or 0. Moreover, v lies onall shortest paths to those vertices for which it is apredecessor, and on all shortest paths that these lie on.tu
In the general case, a very similar theorem [2] holdsbelow:
Theorem 1. The dependency of s on any vertex v obeys
�s�ðvÞ ¼X
w:v2PsðwÞ
�sv�sw� ð1þ �s�ðwÞÞ: ð11Þ
The naive way to calculate betweenness takes time oforder Oðmn2Þ, since there are Oðn2Þ shortest paths to beconsidered, each of which takes OðmÞ to calculate. How-ever, since breadth-first search algorithms can calculate nshortest paths in time OðmÞ, we can calculate betweennessfor all vertices in time OðmnÞ. Here, we present analgorithm that performs betweenness calculation based onthe above theorem.
In Algorithm 3, n single-source shortest paths are firstcomputed, for each s. The predecessor sets PsðwÞ aremaintained during these computations. Next, for every s,using the information from the shortest path tree andpredecessor sets along the paths, we can compute thedependencies �s�ðvÞ for all other vertex v. To obtain thebetweenness value of vertex v, we then calculate the sumof all dependency values. The Oðn2Þ space requirementscan be reduced to OðnþmÞ by maintaining a runningbetweenness score. This algorithm runs in OðnmÞ time forunweighted pseudonym-correlation graphs.
Algorithm 3. Betweenness calculation on
pseudonym-correlation graph
Input: B½v� ¼ 0, v 2 V ; S empty stack; Q empty
queue;
1: for s 2 V do
2: P ½w� empty list, �½w� ¼ 0, d½w� ¼ �1, w 2 V ;
3: �½s� ¼ 1; d½s� ¼ 0;
4: enqueue s! Q
5: while Q not empty do
6: dequeue v Q;
7: push v! S;
8: for each neighbor w of v do
9: if w found for the first time then
10: enqueue w! Q;
11: d½w� ¼ d½v� þ 1;
12: end if
13: if d½w� ¼ d½v� þ 1 then
14: �½w� ¼ �½w� þ �½v�
15: append v! P ½w�;16: end if
17: end for
18: end while
19: �½v� ¼ 0, v 2 V ;
20: while S not empty do
21: pop w S;
22: for v 2 P ½w� do
23: �½v� ¼ �½v� þ �½v��½w� � ð1þ �½w�Þ;
24: end for
25: if w 6¼ s then
26: B½w� ¼ B½w� þ �½w�;27: end if
28: end while
29: end for
5.2 Correlation Clustering
The above approach only considers two location proofs
correlated if they occurred at the same time (e.g., within
60 seconds). However, in most case, a node may have to
wait for a time period until its next location proof updating
cycle. If the time delay between two location proofs is not
too large, we should still consider them correlated. There-
fore, if we consider each location proof as a vertex, we have
the following definition of temporal-weighted proof-corre-
lation graph.
Definition 7. A weighted proof-correlation graph for region R is
an undirected graphG ¼ ðV ;EÞ, with vertex set v1; v2; . . . ; vn,
where n ¼ jV j. Each vertex vi 2 V represents a location
proof LPi in region R. Each positive edge ðvi; vjÞ 2 E denotes
that location proofs LPi and LPj share prover or witness while
each negative edge ðvi; vjÞ 2 E denotes that LPi’s prover is
actually LPj’s witness, or vice versa. For each edge ði; jÞ, let tijbe the time difference between two location proofs represented
by vi and vj, where 0 � tij < þ1, then we define weight
function cij for each edge ði; jÞ as follows:
cij ¼1
1þ tij: ð12Þ
The weight function cij has both 0 � cij � 1 for positive and
negative edges. The smaller the time interval tij is, the larger
the weight cij is.
Fig. 5b shows one example of weighted proof-correla-
tion graph. Location proof v1 and location proof v2 share
the same prover node, so the edge between them is
positive with weight of 1. On the other hand, location
proof v5’s prover is also location proof v6’s witness, so the
edge is negative. Our goal is to have location proofs with
position edges grouped together (e.g., v1 and v2), and to
separate the location proofs with negative edges (e.g., v5
and v6). The reason is intuitive: the location proofs with
negative edges are abnormal, since within similar time
interval and similar space, there should be another location
proof consisting of v5’s prover and v6’s witness. Fig. 5b
shows how correlation clustering works on the graph.
Since this problem is NP-hard, we transfer the above
proof-correlation graph to a double-labeled graph.
With G¼ðV ;EÞ, each edge ði; jÞ has a weight function cij.Let eðu; vÞ denote the label ðhþi; h�iÞ of the edge ðu; vÞ. LetEhþi be the set of positive edges (where 0 � tij � 1) and letGhþi be the graph induced byEhþi,Ghþi ¼ ðV ;EhþiÞ. We thendefine Eh�i and Gh�i for negative edges in the same way. Inour scenario, the weight value from one node to another canbe treated as a measure of similarity, with high weightindicating similarity and low weight indicating dissimilar-ity. We can perform a correlation clustering over the graph,grouping nodes together who have higher positive weightwith others, and separating nodes who have higher negativeweight with others. Since the time complexity is too high forcorrelation clustering, we focus on approximation algo-rithms to achieve better performance.
Let OPT represent the optimal clustering algorithm, inwhich positive labeled edges are always in one cluster,while negative labeled edges are always between differentclusters. Our goal is to propose an approximation algorithmclose to OPT , by minimizing the weight of positive edgesbetween clusters and the weight of negative edges insideclusters. Also, the approximation algorithm should max-imize the weight of positive edges inside clusters andmaximize the weight of negative edges between clusters.Given a clustering algorithm S, the difference between S
and OPT is denoted as dðSÞ which is the sum of theweights of negative labeled edges inside a cluster, plusweights of positive labeled edges between clusters in S. Wethen formulate the problem with linear programming andthen give an approximation algorithm. Consider assigninga variable xij to each pair of vertices (xij ¼ xji); xij ¼ 0 if viand vj are in a common cluster, and xij ¼ 1 otherwise. As1� xij is 1 if edge ði; jÞ is within a cluster and 0 if edge ði; jÞis between clusters, we have the following:
dðSÞ ¼X
ði;jÞ2Eh�icijð1� xijÞ þ
X
ði;jÞ2Ehþicijxij: ð13Þ
Our goal is to find an assignment of xij to minimize thedifference dðSÞ. We relax the requirement and get thefollowing linear program:
minimizeX
ði;jÞ2Eh�icijð1� xijÞ þ
X
ði;jÞ2Ehþicijxij; ð14Þ
subject to xij 2 ½0; 1�; ð15Þ
xij þ xjk � xik; ð16Þ
xij ¼ xji: ð17Þ
We present a OðlognÞ approximation solution to thislinear program, which is the best approximation factor thatcan be achieved as proved in [7].
First we define a circle Cði; rÞ with radius r aroundnode vi which consists of all nodes vj such that xij � r. Thecut of a set of nodes S, denoted by cutðSÞ, is the weight ofthe positive edges with exactly one endpoint in S:
cutðSÞ ¼X
jvj;vk\Sj¼1;ðj;kÞ2Ehþicjk: ð18Þ
The cut of a circle is the cut induced by the set of verticesincluded in the circle. The volume of a set of nodes S,denoted by volðSÞ, is the weighted distance of the edgeswith both endpoints in S:
volðSÞ ¼X
vj;vk�S;ðj;kÞ2Ehþicjkxjk: ð19Þ
Therefore, the volume of a circle is the volume of Cði; rÞincluding the fractional weighted distance of positiveedges leaving Cði; rÞ. In other words, if ðj; kÞ 2 Ehþi is acut positive edge of circle Cði; rÞ with vj 2 Cði; rÞ andvk 62 Cði; rÞ, then ðj; kÞ contributes cjk � ðr� xijÞweight to thevolume of circle Cði; rÞ. We include an initial volume I tothe volume of every circle (i.e., circle Cði; 0Þ has volume I).The correlation clustering algorithm on a weighted proof-correlation graph is shown in Algorithm 4. One advantageof this approach is that the correlation clustering algorithmcan handle outliers naturally. Outliers will usually have acluster of their own. Thus, when the algorithm ends, we cansimply discard small isolated clusters.
Algorithm 4. Correlation clustering on proof-correlation
graph
Input: queue G with all the nodes vi 2 V , weight
function cij for each edge ði; jÞ;1: while G not empty do
2: dequeue vi G;
3: r ¼ 0;
4: while cutðCði; rÞÞ > c � lnðnþ 1Þ volðCði; rÞÞ do
5: r ¼ rþminfðdij � rÞ > 0 : v 62 Cði; rÞg;6: end while
7: output Cði; rÞ as one of the clusters;
8: remove Cði; rÞ and related edges from G;
9: end while
6 PERFORMANCE EVALUATIONS
In this section, we study the feasibility of deployingAPPLAUS such as the computation and storage constraint,power consumption, and the proof exchange latency. Wealso use simulations to evaluate the performance ofAPPLAUS.
6.1 Prototype Implementation
To study the feasibility of our scheme, we have developed aprototype of APPLAUS based on the techniques presentedin the previous sections. The prototype has two softwarecomponents: client and server. The client is implemented inJAVA on Android Developer Phone 2 (ADP2), which isequipped with 528 MHz chipset, 512 MB ROM, 192 MBRAM, Bluetooth, and GPS module, and running GoogleAndroid 1.6 OS. It can communicate with the serveranytime through AT&T’s 3G wireless data service. Theserver is implemented on a T4300 2.1 GHz 3 GB RAMlaptop. It stores the uploaded location proof records andmanages corresponding indices using MySQL 5.0. We usetwo android phones to communicate with each other to testour solution.
The client code consumes only 80 KB of data memory.When running, less than 2.5 percent of the available
memory is used. We measure the CPU utilization of ourclient code using a monitoring application, which allowsone to monitor the CPU usage of all the processes runningon the phone. When the application is in standby, the CPUutilization is about 0.5 percent, indicating that listening toincoming Bluetooth inquiries requires very low computa-tion. The CPU utilization goes to 3 and 5 percent,respectively, when communicating with another deviceand with the server, due to using different communicationinterfaces. We observe that the CPU utilization reaches thehighest level of 10 percent when a location proof packet isgenerated, in which heavy computations such as authenti-cation and encryption/decryption are involved.
We also study the appropriate size of the public/privatekey pair. The key size determines the number of bits of theencrypting key as well as the size of the pseudonym. Largerkey size can provide better security, but involves morecomputations and storage resources, as well as powerconsumption. We use Elliptic Curve Cryptography (ECC) inour implementation as it provides the same functionalityand security features as the widely used RSA cryptosystem,but requires much shorter key length for achieving a similarsecurity level. For example, a 160-bit ECC-key attains aboutthe same level of security as a 1,024-bit RSA key. There isalways a tradeoff between performance and security levelwhen choosing the key size. In mobile computing scenariowhere computation and power resource are limited, wetend to assign more weight to performance. Some of theorganizations (e.g., recent ECRYPT II recommendation [28])recommend 160-bit key for ECC, while others recommend256-bit. Our experimental results in Fig. 6 show that 256-bitkey consumes much more power than that of 160-bit key,under different Poisson distribution parameters. As ourgoal is to find the smallest key size which can achievegeneral security requirement for light-weight mobile sce-nario, 160-bit is used to in our prototype. Other crypto-graphy methods or key sizes can be also applied dependingon different emphasis of performance or security.
We also show how power consumption affects the dailynormal usage of the mobile device. Fig. 6 shows thepercentage of power consumption as a function of thePoisson parameter � used in location proof exchange. As �becomes larger, the power consumption increases, due to the
more frequent location proof updating activities. It is easyto see our scheme will not increase the power consumptiontoo much (with less than 2.5 percent power consumption).
The distance between the phones when they exchangelocation proofs also affects the latency, where longer distancemeans longer delay due to the weak signal strength. As hasbeen established in earlier studies [14], more than 80 percentof contact durations are less than 10 seconds, and thus thereis no problem for our proof exchange process to be finishedwithin the contact duration. Fig. 7 measures the powerconsumption under different Bluetooth status. There arethree status: inquiry, standby and proof exchange. The inquirystatus is used to discover other Bluetooth devices withincommunication range, and send out proof requests. Theinquiry process continues for a prespecified time, until aprespecified number of units have been discovered or until itis stopped explicitly. Bluetooth devices that only listen toinquiry messages are in standby. In our system, inquiry andstandby are mutual exclusive at any time. The device entersthe proof exchange status when it exchanges location proofswith others. The most frequent status is standby, whichconsumes less than 0.1 mW of power with any communica-tion distance. The proof exchange status consumes the mostamount of power and deteriorates with increasing commu-nication distance; however, it will not appear until the nextlocation proof updating cycle.
6.2 Simulation Results
In our simulations, 1,000 mobile nodes are deployed in a3 km 3 km area. We use the Levy walk mobility model[24] to generate synthetic node contact events. Previouswork has shown that the Levy walk model can describe themobility patterns of a human being relatively well for acampus-sized area. A contact between two nodes happenswhen the nodes are within 10 m range of each other, whichis the communication range of Bluetooth.
For each simulation run, we generate a Levy walk tracewith a certain contact rate and initiate the location proofupdating process with various time intervals. We repeatthis experiment 100 times, choosing different contact ratesfor each run. Each node has M ¼ 10 pairs of 160-bit public/private keys and a Poisson distribution parameter �, whichis used to determine when to change pseudonyms. � is
Fig. 6. Power consumptions under different key sizes and Poissondistribution mean �.
Fig. 7. Power consumption under different Bluetooth status and differentcommunication distance.
divided into 10 different numbers: �1; �2; . . . ; �10, where � ¼�1 þ �2 þ � � � þ �10. We define a parameter �, which is thestandard deviation of two consecutive �i and �iþ1 (assum-ing �i and �iþ1 are in nondecreasing order), to control howto cut �. Another parameter � is chosen by each node as athreshold to determine whether to accept a location proofexchange request based on the user-centric privacy level.
We compare our APPLAUS scheme with a baselinescheme. In the baseline scheme, each node does not changepseudonyms based on Poisson distribution. Instead, it usesa constant rate to upload location proofs. Unlike APPLAUSwhere two nodes mutually exchange location proofs, thebaseline scheme only uploads its own location proof if thereis a proof available. A dummy message is uploaded whenthere is no proof available.
In the comparisons, we use three metrics: message overheadratio, proof delivery ratio, and average delay. The messageoverhead ratio is defined as the ratio of dummy proof trafficand real location proof traffic. The proof delivery ratio is thepercentage of location proof message that is successfullyuploaded to the location proof server. The average delay isthe time difference between the time when a location proofupdate is needed and when the location proof messagehas reached the location proof server.
Fig. 8 shows the performance comparisons between ourscheme and the baseline scheme under different ratio of! ¼ Tproof=Tcontact, where Tproof is the required intervalbetween two location proof updates, and Tcontact is themean real node contact interval. Fig. 8a shows thatAPPLAUS outperforms baseline on overhead ratio when! is larger than 0.75. When ! > 1:5, the overhead ratio ofAPPLAUS decreases to as low as 0.2. As shown in Fig. 8b,the proof delivery ratio of APPLAUS significantly outper-forms the baseline scheme, and it reaches 93 percent when! > 1:5. From Fig. 8c, we can see that APPLAUS andbaseline have similar average delay when ! > 1, in whichthe delay is measured as the unit of Tproof . When ! > 1:5,the delay of APPLAUS becomes lower than 0.15 of Tproof .Thus, when ! > 1:5; i.e., when the location proof updateinterval is at least 1.5 of the contact interval, theperformance of APPLAUS reaches an adequate level. Thedelay will not change too much after ! ¼ 2. Therefore, anappropriate ratio ! should be chosen between 1.5 and 2.
6.3 Privacy Evaluation
In the previous section, we already showed that our locationproof updating system has the property of pseudonym
unlinkability and statistically strong source location unob-servability. In this section, we evaluate the robustness ofAPPLAUS such as defending against traffic analysis andstatistical test.
With our scheme, we consider what the attacker can doto detect real events. Clearly, we cannot prevent the attackerfrom using any statistical analysis tool, so what we showbelow are based on the general techniques that can be usedby the attacker. We believe other statistic testing methodswill render similar results.
We assume that the attacker has enough resources(e.g., storage and computation ability) to collect andanalyze location proof updating time by traffic monitoringor by compromising the location proof server. Then, theattacker will try to infer that two pseudonyms belong tothe same ID if the distributions of their location proofupdating time intervals are identical. To achieve this, theattacker can first conduct some goodness of fit tests such asthe Kolmogorov-Simirnov (K-S) test [25] to check whetherthe probabilistic distributions of the location proof updat-ing time intervals from every pseudonym follow the samePoisson distribution. The attacker then performs the meantest such as Sequential Probability Ratio Test (SPRT) [29] ifthe distributions can pass the goodness of fit test. Thosedistributions whose sample means deviate from the truemean beyond a certain degree will be marked as potentialabnormal pseudonyms.
To detect if two pseudonyms belong to the same source,the attacker can check whether the two probabilisticdistributions of location proof updating time intervals fromthe two pseudonyms are identical. For the attacker, thehypotheses of the test are:
. H0—the two pseudonyms belong to the same source.
. H1—the two pseudonyms belong to different source.
When the attacker makes a decision, there are somerisks to get wrong decision. The decision is called adetection, if H0 is accepted when it is actually true. If H0 isin fact true, accepting H1 is a false negative. On the otherhand, if H1 is in fact true, accepting H0 is a false positive.False positive has no negative effect on privacy sincetaking two different pseudonyms as the same would nothelp identifying the real source. We focus on false negativewhich indicates the percentage of cases that has not beendetected by the attackers.
Fig. 8. Performance under different ratio of ! ¼ Tproof=Tcontact.
To evaluate false negative, we use the same simulationsetup as previous section and repeatedly perform K-S test[22] on the distributions under different standard deviation� (ranging from 0.2 to 1) and threshold � (ranging from0.02 to 0.1). Based on the test results, we get the falsenegative rate as shown in Fig. 9. The x-axis is the threshold� of each user. The smaller � is, the less likely a locationproof exchange request will be accepted. The y-axisrepresents the standard deviation � of two Poissondistribution means. Obviously, larger � indicates widerdifference between the two Poisson distributions, which isharder for attackers to differentiate. We can observe fromthe figure that the false negative rate of the attacker’s testis high (above 90 percent), especially when � > 0:04 and� > 0:5, which indicates that as long as the parameters of �and � are appropriately selected, the privacy of our systemcan be preserved.
6.4 Collusion Detection
In this section, we evaluate the performance of collusiondetection based on betweenness ranking and correlationclustering approaches. We consider three data sets: besidesthe above mentioned synthetic trace and the MIT realitytrace [8], we also crawl live data from Foursquare, one ofthe most popular location-based social networking ser-vices. The data crawling task is to collect correlated userand location data. We select well-connected users (whohave hundreds of friends) as seeds to start the crawling.After aggregating the user and location data, we obtain a
data set of 58,659 users and 96,219 locations. Note that eachuser and location in the data set are associated with anaddress which can be converted to a geographical location(i.e., latitude and longitude) via Google map service.
The quality of betweenness ranking is measured by theranking score, where we use Mean Average Precision(MAP), to measure the ranking performance of thecalculated betweenness. MAP is the most frequentlyused summary measure of a ranked retrieval run. In ourscenario, it stands for the mean of the precision score aftereach betweenness is generated:
MAP ¼PB
b¼1 AveP ðbÞB
; ð20Þ
where B is the number of betweenness. Fig. 10a shows theranking score of the betweenness ranking method.
The quality of correlation clustering is measured by theseparation score, which is calculated as a weighted averagedistance between cluster centers:
Sep ¼1P
i6¼j NiNj
X
i 6¼jNiNjDðCi; CjÞ; ð21Þ
where Ci and Cj are the centers of the ith and jth clusters,Ni and Nj are the number of vetices in the ith andjth clusters, and D is the distance function. Thus, Sepreflects the overall distance between clusters. Higher Sepmeans better results. Fig. 10b shows the separation score ofour temporal-weighted correlation clustering results. Worthto mention, when the threshold of the time delay betweenlocation proofs is around 1 hour, our solution achieves thebest clustering quality.
In order to evaluate the performance of these twoapproaches on detecting colluding nodes, we use compu-tation time and successful detection ratio to measure theefficiency and effectiveness, respectively. We also comparethese two approaches with a standard algorithm, in whichevery location proof or pseudonym is verified individu-ally. All approaches are evaluated based on the Four-square data set. As shown in Fig. 11, the correlationclustering approach runs faster than the betweennessranking approach, and both are much faster than thestandard algorithm. Even though the detection ratio of theclustering approach and the ranking approach is a little bitlower than the standard algorithm, the big difference incomputation time is worth the cost.
Fig. 9. False negative rate under different parameter of � and �.
Fig. 10. Metrics of quality evaluation for two approaches.
7 RELATED WORK
Recently, several systems have been proposed to provideend users the ability to prove that they were in a particularplace at a particular time. The solution in [3] relies on thefact that nothing is faster than the speed of light in order tocompute an upper bound of a user’s distance. Capkun andHubax [5] propose challenge-response schemes, which usemultiple receivers to accurately estimate a wireless nodelocation using RF propagation characteristics. In [15],the authors describe a secure localization service that canbe used to generate unforgeable geotags for mobile contentsuch as photos and video. However dedicated measuringhardware or high-cost trusted computing module arerequired. Saroiu and Wolman [26] propose a solutionsuitable for third-party attestation, but it relies on a PKI andthe wide deployment of WiFi infrastructure. Different fromthese solutions, APPLAUS uses a peer-to-peer approachand does not require any change to the existing infra-structure. SmokeScreen [6] introduces a presence sharingmobile social service between colocated users which relieson centralized, trusted brokers to coordinate anonymouscommunication between strangers. SMILE [20], [21] allowsusers to establish missed connections and utilizes similarwireless techniques to prove if a physical encounteroccurred. However, this service does not reveal the actuallocation information to the service provider thus can onlyprovide location proofs between two users who haveactually encountered. APPLAUS can provide locationproofs to third-party by uploading real encounter locationto the untrusted server while maintaining location privacy.
There are lots of existing works on location privacy inwireless networks. In [11], the authors propose to reduce theaccuracy of location information along spatial and/ortemporal dimensions. This basic concept has been improvedby a series of works [10], [13]. All the above techniques cloaka node’s locations with its current neighbors by trustedcentral servers which is vulnerable to DoS attacks or to becompromised. Different from them, our approach does notrequire the location proof server to be trustworthy. Xu andCai [30] propose a feeling-based model which allows a userto express his privacy requirement. One important concernhere is that the spatial and temporal correlation betweensuccessive locations of mobile nodes must be carefullyeliminated to prevent external parties from compromisingtheir location privacy. The techniques in [1], [9] achieve
location privacy by changing pseudonyms in regions calledmix zones. In this paper, pseudonyms of each node arechanged by the node itself periodically following a Poissondistribution, rather than being exchanged between twountrusted nodes. Identifying a fundamental tradeoff be-tween performance and privacy, Shao et al. [27], [31]propose a notion of statistically strong source anonymityin wireless sensor networks for the first time, while Li andRen [18] and Zhang et al. [32] tried to provide source locationprivacy against traffic analysis attacks through dynamicrouting or anonymous authentication. Our scheme usessimilar source location unobservability concept in which thereal location proof message is scheduled through statisticalalgorithms. However, their focus is to generate identicaldistributions between different nodes to hide the real eventsource, while our focus is to design distinct distributionsbetween different pseudonyms to protect the real identity.
8 CONCLUSIONS
In this paper, we proposed a privacy-preserving locationproof updating system called APPLAUS, where colocatedBluetooth enabled mobile devices mutually generate loca-tion proofs and upload to the location proof server. We usestatistically changed pseudonyms for each device to protectsource location privacy from each other, and from theuntrusted location proof server. We also develop a user-centric location privacy model in which individual usersevaluate their location privacy levels in real time and decidewhether and when to accept a location proof exchangerequest based on their location privacy levels. To the best ofour knowledge, this is the first work to address the jointproblem of location proof and location privacy. To dealwith colluding attacks, we proposed betweenness rankingbased and correlation clustering-based approaches foroutlier detection. Extensive experimental and simulationresults show that APPLAUS can provide real-time locationproofs effectively. Moreover, it preserves source locationprivacy and it is collusion resistant.
REFERENCES
[1] A.R. Beresford and F. Stajano, “Location Privacy in PervasiveComputing,” IEEE Security and Privacy, 2003.
[2] U. Brandes, “A Faster Algorithm for Betweenness Centrality,”J. Math. Sociology, vol. 25, no. 2, pp. 163-177, 2001.
Fig. 11. Performance of colluding detection for two approaches.
[3] S. Brands and D. Chaum, “Distance-Bounding Protocols,” Proc.Workshop Theory and Application of Cryptographic Techniques onAdvances in Cryptology (EUROCRYPT ’93), 1994.
[4] L. Buttyan, T. Holczer, and I. Vajda, “On the Effectiveness ofChanging Pseudonyms to Provide Location Privacy in VANETs,”Proc. Fourth European Conf. Security and Privacy in Ad-Hoc andSensor Networks, 2007.
[5] S. Capkun and J.-P. Hubaux, “Secure Positioning of WirelessDevices with Application to Sensor Networks,” Proc. IEEEINFOCOM, 2005.
[6] L.P. Cox, A. Dalton, and V. Marupadi, “SmokeScreen: FlexiblePrivacy Controls for Presence-Sharing,” Proc. ACM MobiSys, 2007.
[7] E.D. Demaine, D. Emanuel, A. Fiat, and N. Immorlica, “Correla-tion Clustering in General Weighted Graphs,” Theoretical ComputerScience, vol. 361, nos. 2/3, pp. 172-187, 2006.
[8] N. Eagle and A. Pentland, “CRAWDAD Data Set mit/reality(v. 2005-07-01),” http://crawdad.cs.dartmouth.edu/mit/reality,July 2005.
[9] J. Freudiger, M.H. Manshaei, J.P. Hubaux, and D.C. Parkes, “OnNon-Cooperative Location Privacy: A Game-Theoretic Analysis,”Proc. 16th ACM Conf. Computer and Comm. Security (CCS), 2009.
[10] B. Gedik and L. Liu, “A Customizable K-Anonymity Model forProtecting Location Privacy,” Proc. IEEE Int’l Conf. DistributedComputing Systems (ICDCS), 2005.
[11] M. Gruteser and D. Grunwald, “Anonymous Usage of Location-Based Services through Spatial and Temporal Cloaking,” Proc.ACM MobiSys, 2003.
[12] B. Hoh, M. Gruteser, R. Herring, J. Ban, D. Work, J.C. Herrera,A.M. Bayen, M. Annavaram, and Q. Jacobson, “Virtual Trip Linesfor Distributed Privacy-Preserving Traffic Monitoring,” Proc.ACM MobiSys, 2008.
[13] T. Jiang, H.J. Wang, and Y.-C. Hu, “Location Privacy in WirelessNetworks,” Proc. ACM MobiSys, 2007.
[14] V. Kostakos, “Experiences with Urban Deployment of Bluetooth,”presentation given at the Univ. of California, San Diego, Mar.2007.
[15] V. Lenders, E. Koukoumidis, P. Zhang, and M. Martonosi,“Location-Based Trust for Mobile User-Generated Content:Applications Challenges and Implementations,” Proc. Ninth Work-shop Mobile Computing Systems and Applications, 2008.
[16] M. Li, R. Poovendran, K. Sampigethaya, and L. Huang, “Caravan:Providing Location Privacy for VANET,” Proc. Embedded Securityin Cars (ESCAR) Workshop, 2005.
[17] M. Li, K. Sampigethaya, L. Huang, and R. Poovendran, “Swing &Swap: User-Centric Approaches Towards Maximizing LocationPrivacy,” Proc. Fifth ACM Workshop Privacy in Electronic Soc., 2006.
[18] Y. Li and J. Ren, “Source-Location Privacy Through DynamicRouting in Wireless Sensor Networks,” Proc. IEEE INFOCOM,2010.
[19] W. Luo and U. Hengartner, “Proving Your Location WithoutGiving Up Your Privacy,” Proc. ACM 11th Workshop MobileComputing Systems and Applications (HotMobile ’10), 2010.
[20] J. Manweiler, R. Scudellari, Z. Cancio, and L.P. Cox, “We SawEach Other on the Subway: Secure Anonymous Proximity-BasedMissed Connections,” Proc. ACM 10th Workshop Mobile ComputingSystems and Applications (HotMobile ’09), 2009.
[21] J. Manweiler, R. Scudellari, and L.P. Cox, “SMILE: Encounter-Based Trust for Mobile Social Services,” Proc. ACM Conf. Computerand Comm. Security (CCS), 2009.
[22] F.J. Massey Jr., “The Kolmogorov-Smirnov Test for Goodness ofFit,” J. Am. Statistical Assoc., vol. 46, no. 253, pp. 68-78, 1951.
[23] A. Pfitzmann and M. Hansen, “Anonymity, Unlinkability,Undetectability, Unobservability, Pseudonymity, and IdentityManagement—A Consolidated Proposal for Terminology” (Ver-sion v0.31 Feb. 15, 2008), http://dud.inf.tu-dresden.de/literatur,2008.
[24] I. Rhee, M. Shin, K. Lee, and S. Chong, “On the Levy-Walk Natureof Human Mobility,” Proc. IEEE INFOCOM, 2007.
[25] J.L. Romeu, “Kolmogorov-Simirnov: A Goodness of Fit Test forSmall Samples,” START: Selected Topics in Assurance RelatedTechnologies, 2003.
[26] S. Saroiu and A. Wolman, “Enabling New Mobile Applicationswith Location Proofs,” Proc. ACM 10th Workshop Mobile ComputingSystems and Applications (HotMobile ’09), 2009.
[27] M. Shao, Y. Yang, S. Zhu, and G. Cao, “Towards StatisticallyStrong Source Anonymity for Sensor Networks,” Proc. IEEEINFOCOM, 2008.
[28] N. Smart et al., “Ecrypt II Yearly Report on Algorithms and KeyLengths (2009-2010),” ICT-2007-216676, Revision 1.0, 2010.
[29] A. Wald, Sequential Analysis. Dover, 2004.[30] T. Xu and Y. Cai, “Feeling-Based Location Privacy Protection for
Location-Based Services,” Proc. 16th ACM Conf. Computer Comm.Security (CCS), 2009.
[31] Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, “TowardsEvent Source Unobservability with Minimum Network Traffic inSensor Networks,” Proc. First ACM Conf. Wireless Network Security(WiSec), 2008.
[32] Y. Zhang, W. Liu, and W. Lou, “Anonymous Communications inMobile Ad Hoc Networks,” Proc. IEEE INFOCOM, 2005.
[33] Z. Zhu and G. Cao, “APPLAUS: A Privacy-Preserving LocationProof Updating System for Location-Based Services,” Proc. IEEEINFOCOM, 2011.
[34] Z. Zhu, G. Cao, S. Zhu, S. Ranjan, and A. Nucci, “A SocialNetwork Based Patching Scheme for Worm Containment inCellular Networks,” Proc. IEEE INFOCOM, 2009.
Zhichao Zhu received the BS degree from theUniversity of Science and Technology of Chinain computer science in 2006. He is workingtoward the PhD degree in the Department ofComputer Science and Engineering, Pennsylva-nia State University. His research interestsinclude the areas of security and privacy inwireless mobile networks, data measurement,social computing, and location sensitive ser-vices. He is a student member of the IEEE.
Guohong Cao received the BS degree fromXian Jiaotong University, China, and the MS andPhD degrees in computer science from the OhioState University in 1997 and 1999, respectively.Since then, he has been with the Department ofComputer Science and Engineering at thePennsylvania State University, where he iscurrently a professor. His research interests arein wireless networks and mobile computing. Hehas published more than 150 papers in the areas
of wireless network security, wireless sensor networks, vehicular ad hocnetworks, cache management, data access and dissemination, anddistributed fault tolerant computing. He has served on the editorialboards of the IEEE Transactions on Mobile Computing, the IEEETransactions on Wireless Communications, and the IEEE Transactionson Vehicular Technology, and has served on the organizing andtechnical program committees of many conferences. He was a recipientof the US National Science Foundation CAREER award in 2001. He is afellow of the IEEE.
. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.