Preserving Location Privacy in Wireless LANs

Jiang, Wang and Hu, MobiSys 2007. Presenter: Bibudh Lahiri


Post on 07-Jan-2016


TRANSCRIPT

Page 1: Preserving Location Privacy in Wireless LANs

Preserving Location Privacy in Wireless LANs

Jiang, Wang and Hu
MobiSys 2007

Presenter: Bibudh Lahiri

Page 2: Preserving Location Privacy in Wireless LANs

Organization

- Problem Definition
- Existing Solutions and Their Shortcomings
- Preliminaries
- Proposed Solutions
- Results
- Limitations of the Proposed Solutions

Page 3: Preserving Location Privacy in Wireless LANs

Problem Definition

- To preserve the location information of a mobile wireless station
- Location data in wrong hands can be seriously abused
- RF-based localization systems

Page 4: Preserving Location Privacy in Wireless LANs

Existing Solutions and Their Shortcomings

- Privacy of location data is at risk when transmitted for location-based services
- Gruteser, Grunwald (MobiSys '03)
  - Reduce spatial and temporal precision of location data
  - Works for application-provided location data
  - This paper addresses location tracked from any wireless transmission

Page 5: Preserving Location Privacy in Wireless LANs

Existing Solutions…

- Gruteser, Grunwald (WMASH '03)
  - Adversary can be outsmarted with frequently-changing pseudonyms
  - Does not work if adversary has enough knowledge of user's mobility pattern
  - Can correlate the packets coming from the same mobile user

Page 6: Preserving Location Privacy in Wireless LANs

Existing Solutions…

- Silent Periods
  - User stops transmission for some time
  - Outwits an adversary that can correlate different pseudonyms
  - Optimal length of the silent period was not known

Page 7: Preserving Location Privacy in Wireless LANs

Existing Solutions…

- Mix Zones
  - Spatial version of silent period
  - Nodes should know their own locations precisely

Page 8: Preserving Location Privacy in Wireless LANs

Preliminaries

- Attacker model
  - Silent: Does not emit any signals
  - Exposed: Provides wireless services
    - Active: Adjusts base station's transmission power
    - Passive: No change in base station's behavior
- Privacy Entropy
  - Uncertainty or randomness in the location inference drawn by attacker
  - Goal is to increase privacy entropy

Page 9: Preserving Location Privacy in Wireless LANs

Proposed Solutions: Use of Pseudonyms

- MAC and IP addresses must be protected with pseudonyms
- Association with AP
  - Unique MAC address reveals identity
  - Random MAC may collide
  - Solution: Use join address
  - AP distinguishes requests by a 128-bit nonce

Page 10: Preserving Location Privacy in Wireless LANs

Proposed Solutions: Use of Pseudonyms

- Attacker cannot trivially identify a user at a particular location
- Different pseudonyms of same user can be correlated
  - With knowledge of mobility pattern
  - If location data for all packets in network is gathered
- Correlation can be reduced with silent periods

Page 11: Preserving Location Privacy in Wireless LANs

Proposed Solutions: Opportunistic Silent Period

- Goal: To find the optimal duration of the silent period
  - Maximizes privacy entropy for a given mobility pattern
- Length of silent periods must be randomized
  - Pseudonyms used after same duration can belong to the same user w.h.p.
  - Make length = T_d + T_r
    - T_d is deterministic
    - T_r is chosen from uniformly at random

Page 12: Preserving Location Privacy in Wireless LANs

Proposed Solutions: Opportunistic Silent Period

- When T_d is small, increasing T_d increases the entropy
- Entropy is periodic
  - Increasing silent period increases fraction of mobile users in silent period
  - Fewer mobile users transit from communicating to silence
- Privacy entropy monotonically increases with increasing T_r
  - Increasing T_r increases total length of silent period
  - Includes more candidate users

Page 13: Preserving Location Privacy in Wireless LANs

Proposed Solutions: Opportunistic Silent Period

- For T_r = 4 mins, entropy maximizes for T_d = 19 mins 20 secs
- For T_d = 19 mins 20 secs, entropy maximizes for T_r^max = 12 mins
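
An added example, not taken from the slides or the paper: it draws a silent period of length T_d + T_r and computes the privacy entropy faced by an attacker who links a new pseudonym to silent users by timing alone, first with a fixed length and then with a randomized one. The user names and timestamps are constructed, and the range [0, T_r^max] for T_r and the equal-likelihood candidate model are assumptions; T_d and T_r^max are the values quoted on slide 13.

```python
import math
import secrets

T_D = 19 * 60 + 20   # deterministic part, seconds (value from slide 13)
T_R_MAX = 12 * 60    # upper bound of the random part, seconds (slide 13)

# Constructed sample: time (s) at which each user's old pseudonym went silent.
WENT_SILENT = {"A": 0, "B": 120, "C": 300, "D": 650, "E": 900}

def silent_period(t_d=T_D, t_r_max=T_R_MAX):
    """Length T_d + T_r, with T_r uniform on [0, t_r_max] (range assumed)."""
    return t_d + secrets.randbelow(t_r_max + 1)

def candidates(t_on, went_silent, t_d, t_r_max):
    """Users whose silence could have ended at t_on, as seen by the attacker."""
    return [u for u, t_off in went_silent.items()
            if t_d <= t_on - t_off <= t_d + t_r_max]

def privacy_entropy(cands):
    """Entropy in bits; uniform T_r makes every candidate equally likely."""
    return math.log2(len(cands)) if cands else 0.0

def compare(t_on):
    """Entropy for a pseudonym first seen at t_on: fixed vs randomized length."""
    fixed = privacy_entropy(candidates(t_on, WENT_SILENT, T_D, 0))
    randomized = privacy_entropy(candidates(t_on, WENT_SILENT, T_D, T_R_MAX))
    return fixed, randomized

if __name__ == "__main__":
    # User C reappears exactly T_D seconds after going silent.
    print(compare(WENT_SILENT["C"] + T_D))
```

With a fixed length only user C fits the timing, so the attacker's uncertainty is zero bits; with the randomized length users A, B and C all remain candidates.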

Page 14: Preserving Location Privacy in Wireless LANs

Proposed Solutions: Reducing Location Precision by TPC

- Precision of localization depends on number of APs within range of mobile user
- Transmission Power Control
  - Reduce transmission power of a user
  - Decrease the number of APs within its reach

Page 15: Preserving Location Privacy in Wireless LANs

Proposed Solutions: Reducing Location Precision by TPC

- User concerned with location privacy should do TPC silently
  - Signal emitted from a mobile station exposes its location
- Silent TPC is difficult
  - Unpredictability in temporal variation of RSS
  - Asymmetry

Page 16: Preserving Location Privacy in Wireless LANs

Proposed Solutions: Reducing Location Precision by TPC

- Goal
  - To determine relationship between two directions of a channel
  - Use the path loss in one direction (AP-station) to estimate the loss in the other direction (station-AP)
  - Use the relationship to do TPC to reduce number of APs in range

Page 17: Preserving Location Privacy in Wireless LANs

Proposed Solutions: Reducing Location Precision by TPC

- Observations
  - RSSI readings for both directions are strongly correlated despite path asymmetry
- Results
  - AP_1, AP_2, …, AP_{i-1} can be kept within reach
  - AP_{i+1}, …, AP_n can be kept out of reach
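
An added sketch of silent TPC as slides 14 to 17 describe it, not the paper's algorithm: the station reuses the path loss measured on downlink beacons as its estimate of the uplink loss, then picks the lowest transmit power that still reaches the APs it wants to keep. The RSSI readings are constructed, and the AP transmit power, AP sensitivity, asymmetry margin and power steps are assumed values.

```python
# Constructed sample: downlink beacon RSSI (dBm) the station measured per AP.
SAMPLE_RSSI = {"ap1": -50, "ap2": -64, "ap3": -70, "ap4": -80}

AP_TX_DBM = 20                   # assumed AP beacon transmit power
AP_SENS_DBM = -85                # assumed AP receiver sensitivity
MARGIN_DB = 3                    # assumed bound on uplink/downlink asymmetry
LEVELS_DBM = [0, 5, 10, 15, 20]  # assumed transmit power steps of the station

def uplink_rx(tx_dbm, downlink_rssi):
    """Estimated power arriving at the AP, reusing the downlink path loss."""
    path_loss = AP_TX_DBM - downlink_rssi
    return tx_dbm - path_loss

def classify(tx_dbm, rssi):
    """Label each AP 'in', 'out' or 'uncertain' for a given station power."""
    verdict = {}
    for ap, reading in rssi.items():
        rx = uplink_rx(tx_dbm, reading)
        if rx >= AP_SENS_DBM + MARGIN_DB:
            verdict[ap] = "in"
        elif rx <= AP_SENS_DBM - MARGIN_DB:
            verdict[ap] = "out"
        else:
            verdict[ap] = "uncertain"  # inside the asymmetry margin
    return verdict

def choose_tx_power(rssi, keep):
    """Lowest power step that reliably reaches the `keep` strongest APs."""
    if not 1 <= keep <= len(rssi):
        raise ValueError("keep must be between 1 and the number of APs")
    strongest = sorted(rssi, key=rssi.get, reverse=True)[:keep]
    for level in sorted(LEVELS_DBM):
        verdict = classify(level, rssi)
        if all(verdict[ap] == "in" for ap in strongest):
            return level, verdict
    raise ValueError("no power step reaches the requested APs")

if __name__ == "__main__":
    print(choose_tx_power(SAMPLE_RSSI, keep=1))
```

With `keep=1` the sample yields one AP in reach, one inside the asymmetry margin, and two out of reach, which matches the slide's split into AP_1 … AP_{i-1} and AP_{i+1} … AP_n around a boundary AP_i.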

Page 18: Preserving Location Privacy in Wireless LANs

Results

- Transmission radius r is about 10 m at the minimum transmit power
- A silent attacker needs attacker density of 1 sniffer/100 m²
  - Five times as high as a regular AP deployment

Page 19: Preserving Location Privacy in Wireless LANs

Results

- Mix Area: Maximum area covered by an AP
  - Larger mix area makes attacks more difficult
- Silent TPC enlarges the mix area 12 times compared to the typical
  - Number of candidates for a new pseudonym is 12 times greater when using TPC

Page 20: Preserving Location Privacy in Wireless LANs

Limitations of the Proposed Solutions

- Use of pseudonyms: Man-in-the-middle attack
  - Attacker positioned between mobile user and AP
  - Captures request from user for new MAC address
  - Assigns a MAC address from its own pool
  - Mobile user starts operating with a MAC address known to the attacker

Page 21: Preserving Location Privacy in Wireless LANs

Limitations…

- Opportunistic Silent Period: Lack of Generality
  - No rigorous mathematical formulation of the problem
  - Values of T_d and T_r^max that maximize entropy are results of particular experimental set-up
  - Optimal length of silent period should be a function of some relevant parameters
  - Results are not useful under different scenarios

Page 22: Preserving Location Privacy in Wireless LANs

Limitations…

- TPC - Inadequate Probabilistic Analysis
  - Probability distributions of channel asymmetry and RSS are based on experimental findings
  - No discussion of how experimental parameters influence the pdf
  - Does not explain how the probabilities are calculated
    - What is the estimator used
    - Whether estimator is unbiased and low-variance

Page 23: Preserving Location Privacy in Wireless LANs

Thank You