on the age of pseudonyms in mobile ad hoc networks

On the Age of Pseudonyms in Mobile Ad Hoc Networks

Julien Freudiger, Mohammad Hossein Manshaei, Jean-Yves Le Boudec and Jean-Pierre Hubaux

Infocom 2010

2

Get LocationCellular networks

GPS

Wifi

IP

Share locationTwitterFlickrGoogle searchFoursquareLooptGoogle LatitudeOvi…

Location-based Applications

3

Context-based Applications

Sense neighborhood

Ad hoc communications

RFID

Communicate

Vehicular Networks

Proximity-based Social Networks

Opportunistic communications

Delay-tolerant networks

…

4

Locality is one contextual informationmost useful when combined with others

Hyper-connected World

5SPOTRANK by Skyhook wireless

• Provides insight into human behavior• Enables localized services• Helps city planners

Location

6

“Understand urban construct through the interaction of its parts”

Petra Kempf, Architect and Urban Designer

You Are the City

7

Privacy Threat

Human movement is highly predictable and follows simple reproducible patterns

Visited locations reveal– Personal activities– Professional activities– Social activities

C. Song, Z. Qu, N. Blumm and A.-L.Barabasi. Limits of Predictability in Human Mobility. Science 2010

8

Location is identity

9

“It’s not where you are, it’s where you have been”

Gary Gale, Yahoo

10

GOALControl location disclosure

11

This Paper

Consider– Context-based applications– Ad hoc wireless communications– Mix zones to prevent tracking of users

Contribution– Measure achieved location privacy

using the distribution of age of pseudonyms

12

Ad Hoc Networks(Peer-to-Peer Wireless Communications)

1 2

Message Signature + certificateIdentifierPseudonym

Assumptions

N mobile nodes

WiFi/Bluetooth enabled

Ad hoc communications

13

3

2

1

5

4

6Certification authority (CA)

14

Threat: Tracking

21

Global passive eavesdroppertracks location of mobile nodes

15

Solution: Mix Zones

Mix zone

2121

xy?

A. Beresford and F. Stajano. Mix Zones: user privacy in location aware services. Percom, 2004M. Li et al. Swing and Swap: User-centric approaches towards maximizing location privacy . WPES, 2006

Temporal decorrelation: Change pseudonymSpatial decorrelation: Remain silent

Gain and Cost

16

Gain• Tracking uncertainty of adversary (entropy)• Depends on number of nodes in mix zone and trajectory

Cost γ • Obtain new pseudonym• Update routing tables• Silent period

17

Mix ZonesMix network

Mix networks vs Mix zones

Mixnode

Mixnode

Mixnode

Alice Bob

Alice source

Alice destination

18

The Problem

Can we measure the location privacy achieved with a network of mix zones?

19

Outline

1. Age of Pseudonym: A Metric for Location Privacy

2. Dynamical System: Mean Field Equations

3. Analytical Results

4. Numerical Results

20

Age of Pseudonym

• Adversary can track nodes between mix zones• Mix zone = confusion point

Mix zone 1

Mix zone 2

TRACEABLE

Older age of pseudonym results in lower location privacy

Age of Pseudonym Location Privacy

Evolution of Age of Pseudonym

21

2

E2

1

E1

E2 :SuccessE1: Success1t 2t

t

( )iZ t

E3:Failure3t

3E3

t

0

Age:

A

22

Outline





23

Mean Field Theory

Replace interactions between nodes with average interaction

M. Benaım and J.-Y. Le Boudec. A class of mean field interaction models for computer and communication systems. Performance Evaluation, 65(11-12):823–838, 2008

24

Goal

• Measure probability distribution of a certain state– CDF of the age of pseudonym

• Mean field theory says“CDF is known to satisfy ordinary differential

equations when N goes to infinity”

25

Model Parameters

Communication model– : Communication rate

Mobility Model– η: Rate of meetings– : Average number of nodes in meetings

Cooperation model– c(z): Probability of cooperation at age z

26

Mean Field Equations: Drift Process

Fz

At each time step, the age of pseudonym is incremented with rate

26

1tt

( )iZ t

0: iu Z

z

01 : ju Z

z

Mean Field Equations: Jump Process (1)can successfully change its pseudonym

2tt

( )iZ t

ju

1t

1 { }0

( ) ( )(1 1 ) ( , )x z

Fc x q t x t dxx

c(z): Probability of cooperation of node with age zq(t): Probability of finding at least one cooperative node: Rate of meetings

27

28

02 :

z

Zz

2 ( )(1 ( )) ( , )z

z

Fc x q t x t dxx

Mean Field Equations: Jump Process (2)

ku

t

( )iZ t

1t

2t

cannot find a cooperative partnerku

29

1 2

Ft

Mean Field Equations

( , ) 1,F t t

Fz

2 ( )(1 ( )) ( , )z

z

Fc x q t x t dxx

1 { }0

( ) ( )(1 1 ) ( , )x z

Fc x q t x t dxx

30

Outline





31

Stationary mode (t goes to infinity)

Cooperation is a threshold function

( )c z

z

10c

( , ) 0F z tt

32

Mean Field Equation

0

( ) ( ) (1 ) ( ) ( ) 0

( ) 1

df c z f z q c z f zdz

f z dz

33

Solution: PDF of the Age of Pseudonyms

( 1)m z m

34

Outline





35

GammaCost of Pseudonym change

Constant -- f(0)

Exponential

Exponential X Polynomial

Result 1: High results in older pseudonym distribution because of second jump process

= 5, =1, c0=1

36

ThetaCooperation Threshold

Result 2: High results in older pseudonym distribution because there is less cooperation.

= 5, =1, c0=1

37

LambdaCommunication rate

Result 3: High results in older pseudonym distribution because pseudonym ages faster.

= 1, =5, c0=1

38

Average number of nodes in meeting

Result 4: High N results in younger pseudonym distribution because it is easier to find cooperative nodes.

= 1, =5, c0=1, =1

39

Model Validation

• Random walk model• 10km X 10km• Transmission range: 100 meters• Run simulation until convergence

Conclusion

• Developed a framework to measure the distribution of age of pseudonyms

• Main result: Possible to design system with low distribution of age of pseudonym

• Obtained a fundamental building block of location-privacy-preserving systems

40

lca.epfl.ch/privacytwitter.com/jfreudiger

on the age of pseudonyms in mobile ad hoc networks

Documents

location of nodes

location aware services

user privacy

human mobility

mix zones15mix zone2121xy

privacy threathuman

number of nodes

peer wireless networkwifi