research article a balance privacy-preserving data...

Research ArticleA Balance Privacy-Preserving Data Aggregation Model inWireless Sensor Networks

Changlun Zhang, Chao Li, and Yi Zhao

Science School, Beijing University of Civil Engineering and Architecture, Beijing 100044, China

Correspondence should be addressed to Changlun Zhang; [email protected]

Received 5 January 2015; Accepted 21 March 2015

Academic Editor: Qing-An Zeng

Copyright © 2015 Changlun Zhang et al. This is an open access article distributed under the Creative Commons AttributionLicense, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properlycited.

Wireless sensor networks are always deployed in remote and hostile environments to gather sensitive information, in whichsensor nodes are apt to encounter some serious leakage of sensitive data. Hence, privacy-preserving is becoming an increasinglyimportant issue in security data aggregation for wireless sensor networks. In this paper, we propose a balance privacy-preservingdata aggregation model (BPDA) based on slicing and mixing technology. Compared to fixed or random slicing, BPDAmodel givesa balance slicing mechanism to ensure that slice can be sent to the nodes which have lower privacy preservation and enhance theprivacy-preserving efficacy. Furthermore, according to the influence of the node degree and energy, three different schemes arepresented to keep the privacy-preserving data aggregation balance. Theoretical analysis and simulation show that BPDA modeldemonstrates a good performance in terms of privacy-preserving efficacy and communication overhead and prolongs the lifetimeof network.

1. Introduction

Awireless sensor network (WSN) is a typical ad hoc networkwhich is highly distributed and self-organized. It usuallyconsists of plenty of small sensor nodes which gather thedata from its monitoring physical or environment conditions(e.g., the temperature, the sound, etc.) and send their data tothe destination (base station) directly or via multihop [1, 2].WSN has many popular applications [3, 4], such as militarysurveillance, industrial process monitoring and control, airpollution monitoring, and machine health monitoring. Sen-sor node has typical weakness such as processing capability,storage capacity, and limited energy. In particular, the sensornodes are always deployed in the harsh environment, withoutbeing recharged or replaced. Therefore, energy efficiency inin-network data processing is very important for WSN.

In WSN, sensor nodes collect regional information andupload them to the base station, where the base stationdisposes these data to obtain the result. There are plenty ofredundant data in the process of uploading. For example,hundreds of sensor nodes are used to collect the temperatureof an area while the manager just wants to know the

maximum temperature. So, it is not necessary to send all thetemperature data but a derivative such as maximum to basestation. Data aggregation [5, 6] aims to aggregate redundantdata at intermediate sensor nodes applying a suitable aggre-gation function on the received data. Aggregation reducesthe amount of network traffic which helps to reduce energyconsumption on sensor nodes.

WSN is always deployed in unsecured and untrustedenvironment, which makes it exposed to all kinds of intru-sions, and encounters some serious security issue. Someworks [7–12] studied security of data aggregate in WSN.These schemes use cryptographic mechanism to establishsecure communication links for data aggregation. In somespecial scenario, the individual sensitive data should not bedisclosed to any node in the network, including parent nodeor neighboring node. This is privacy-preserving [13, 14] inWSN, which keeps private data from being intercepted andused by adversaries and untrusted nodes and maintains dataprivacy of a sensor node from other trusted neighboringnodes in the WSN. Nowadays, privacy-preserving is becom-ing an increasingly important issue for security of WSN [15–24]. SMART (Slice-Mix-AggRegaTe) [18] is a typical scheme,

Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2015, Article ID 937280, 10 pageshttp://dx.doi.org/10.1155/2015/937280

2 International Journal of Distributed Sensor Networks

which slices individual sensitive data into a fixed set ofpieces and sends them to corresponding associated nodes.Afterwards, some improved approaches, such as iPDA [19],PEPDA [23] and ESPART [22], were proposed.

In this paper, we propose a balance privacy preserving-data aggregation (BPDA) model for WSN. Our work focuseson the distribution mechanism of slice for privacy data,which considers balance slices distribution based on therandomdistribution. It reduces the redundancy of the privacypreservation efficacy and prolongs the lifetime of the WSN.

The remainder of this paper is organized as follows.In Section 2, the related work is summarized. In Section 3,preliminaries of our work are described. A balanced privacy-preserving data aggregation model is proposed in Section 4.Section 5 analyzes the privacy preservation efficiency ofproposed schemes. Performance evaluation and analysis aredescribed in Section 6. Finally, the conclusion of this paper isgiven.

2. Related Work

Recently, secure data aggregation is becoming an importantissue for wireless sensor networks. Cryptograph has been anefficient mechanism to secure data aggregation. Generally,there are two typical encryptionmethods: end-to-end schemeand hot-by-hop scheme. End-to-end scheme [15–17] needs toestablish secure link between base station and each sensornode before data transmission, and then encrypted data istransmitted to base station directly. Hot-by-hop scheme [18–23] needs sensor node to encrypt data before sending anddecrypt them after receiving.The shortcoming of this schemeis that it cannot provide data confidentiality in the nodeduring the process of decryption and encryption.

Some existed works on secure data aggregation focusedon symmetric key cryptography to achieve end-to-end secu-rity. Recently, homomorphic encryption technique is intro-duced to achieve in-network aggregation, which allows theciphertext to be aggregated directly, and then the receiververifies if decrypted aggregation result matches the result ofaggregation operations performed on plaintext. Castellucciaet al. [15] proposed a homomorphic encryption schemebased on addition operation named AHE. AHE is a simpleand provably secure encryption scheme that allows efficientadditive aggregation of encrypted data. Only one modularaddition is necessary for ciphertext aggregation. CDA [16]is an approach that conceals sensitive data end-to-end butstill provides efficient and flexible in-network data aggre-gation. The aggregating intermediate nodes are not able toread the sensitive plaintext data. Ozdemir and Xiao [17]proposed a novel integrity protecting hierarchical concealeddata aggregation protocol, which employs an elliptic curvecryptography-based homomorphic encryption algorithm.The scheme can offer data integrity and confidentiality alongwith hierarchical data aggregation. In addition, during thedecryption of aggregated data, the base station is able toclassify the encrypted and aggregated data based on theencryption keys. But homomorphism based secure dataaggregation schemes need more computation overhead, and

they cannot be used in the network which is divided intoplenty of clusters. These schemes were described to dealwith addition operations in data aggregation with homo-morphic encryption, such as finding sum or average value.Homomorphic encryptionmakes it possible to aggregate datawithout doing encryption and decryption at intermediatenodes. However, it is not easy to find out operation satisfyingthe homomorphic properties.

Meanwhile, a typical slicing technology is introduced intoprivacy-preserving data aggregation in WSN. He proposedSMART scheme [18] firstly which includes three steps ofslicing, mixing, and aggregation. In slicing step, each nodeslices its private data into 𝐽 pieces randomly and keeps one ofthe 𝐽 pieces by itself while sending the remaining 𝐽 − 1 piecesto the neighbor nodes. Mixing step comes after all nodesfinished slicing their own data. In mixing step, each nodesums up all the slices which include the slices it has receivedand the one slice it kept. In the aggregation step, all nodesaggregate the data and send the result to the query server.The SMART scheme scatters the data over the neighbornodes.The attackers must eavesdrop enough communicationchannels if he wants to obtain the data collected by somenode.Thismakes the difficulty of eavesdropping increase rad-ically. In [19], He et al. improved their scheme and presentediPDA scheme which is an integrity-protecting private dataaggregation scheme. In iPDA, data privacy is still achievedthrough SMART scheme while data integrity is achievedthrough redundancy by constructing disjoint aggregationtrees to collect data of interests. But it inherits the weaknessof SMART—large communication overhead. Groat et al. [20]studied nonlinear aggregation functions instead of traditionaladditive function, and then presented 𝐾-indistinguishableprivacy-preserving data aggregation (KIPDA) scheme whichachieves the goal of privacy preserving upon MAX andMIN aggregation functions by obfuscating data being for-warded. Aiming at cutting down the large communicationoverhead, Liu et al. [21] improved the process of the slicingand proposed a high energy-efficient and privacy-preserving(HEEPP) secure data aggregation scheme. The scheme mod-ified the slicing and assembling technology by adopting arandom distribution to decide the number of sliced data.The number of data pieces that each node slices its privatedata will not be a fixed number anymore and achievesbetter preservation of privacy and saves more energy fordata aggregation. In [22], ESPART presents a novel energy-saving privacy-preserving aggregation scheme, which usescharacteristic of the data aggregation tree structure to reducecommunication overhead, assigns the random time pieces tonodes to avoid collision, and limits the scope of collusiondata to reinforce data loss resilience. Compared with theSMART, ESPART can preserve data privacy, get accurate dataaggregation results while taking the same epoch duration asTAG, and have less communication overhead.

In ESPART model, a const MinDeg is set. If the indegreeof a node is less than MinDeg, data in this node needs tobe sliced. When preserving privacy, it begins at the nodeswhose indegree equals 1 in the WSN. These nodes slice onepiece of data to their neighbor. And then do the same thingto the nodes whose indegree equals 2, till all the indegree

International Journal of Distributed Sensor Networks 3

of nodes in the WSN is not less than MinDeg, and then theprivacy-preserving process is ended. The process of mix andaggregation is the same as SMART model.

All the models based on SMART above send the slice tothe neighbors randomly. In SMART scheme, a slice increasesboth the privacy-preserving efficacy of sending node andreceiving node. But randomly slicing may lead the indegreeof some nodes to getting large which is a redundancy of theprivacy-preserving efficacy to the WSN.

The redundancy of the privacy-preserving efficiencymeans that the privacy-preservation efficacies of some nodesare far larger than other nodes. The redundancy costs morecommunication overhead which will shorten the lifetime ofWSN.

In this paper, we present a balance privacy-preservingdata aggregation model. The balance mechanism in themodel ensures that slice can be sent to the nodes whichhave lower privacy preservation and enhances the privacy-preserving efficacy. At the same time, the model has lesscommunication overhand and can prolong the lifetime ofwireless sensor networks

3. Preliminaries

In this section, we explain our network model, as well as ourassumptions and the key pre-distribution scheme used in ourmodel.

3.1. Network Model. Here, we consider a WSN networkincluding 𝑁 nodes and the network is connected. All thenodes build a graph 𝐺(𝑉, 𝐸), where 𝑉 is the set of thesensor nodes, 𝐸 is the link of the nodes, and |𝑉| = 𝑁.In the proceeding of data aggregation, sensor nodes will beorganized as a tree topology over 𝐺 according to the typicalprotocol TAG [25],

Sensor nodes collect various data from monitoring envi-ronment and send them to the base station with suitabledata aggregation schemes. In our model, we consider anadditive aggregation function. It is a basic aggregationfunction because plenty of aggregation functions, such ascount, average, and variance, can be deduced to the additiveaggregation function. Data aggregation function is usuallydefined as follows:

𝑦 (𝑡) = 𝑓 (𝑑1(𝑡) , 𝑑2(𝑡) , . . . , 𝑑

𝑁(𝑡)) , (1)

where 𝑑𝑖(𝑡) is the data which sensor node 𝑖 gathered at time t.

3.2. Key Distribution. To prevent attackers from eavesdrop-ping, some messages are usually encrypted before sendingthe data. The following is the brief review of the random keydistribution mechanism proposed in [25] which will be usedin our model.

Firstly, a large key pool of𝐾 keys and their correspondingidentities are generated. Each sensor node in WSN chooses𝑘 keys randomly from the key-pool and finds out whichneighbors share a common key with itself by exchangingdiscovery messages. A secure link exists between two neigh-boring nodes only if they share a key. If two neighboring

nodes cannot share a key but they can be connected by alink consisting of some nodes, this link can be the secure linkbetween these two nodes.

In the random key distribution mechanism mentionedabove, the probability that any pair of nodes possess at leastone common key is

𝑃connect = 1 −((𝐾 − 𝑘)!)

2

(𝐾 − 2𝑘)!𝐾!, (2)

and the probability that any other node can overhear theencrypted message by a given key is

𝑃overhear =𝑘

𝐾. (3)

Assume there are 10000 keys in the key pool, that is, 𝐾 =

10000, and each node chooses 300 keys randomly, that is 𝑘 =

300. The probability that any pair of nodes can find a sharedkey in common is 𝑃connect = 99.9% by (2).These pairs who donot share a common key can use the path-key establishmentprocedure which is described above to establish a shared key.Once a pair of nodes selects a shared key, the probability thatany other node owns the same key is 𝑃overhear = 0.3%, whichis very small.

4. Balance Privacy-Preserving DataAggregation Model

This section describes the details of the balance privacy-preserving data aggregation model (BPDA).

BPDA model considers the balance of the privacy-preserving efficacy in the wholeWSN. In BPDAmodel, whennodes slice the data and send them to the neighbors, a balancemechanism is used to ensure that these slices will be sentto the nodes which have a low privacy preservation efficacy.This mechanism holds all the nodes at a similar privacypreservation efficacy, reduces the redundancy of the privacypreservation efficacy, and prolongs the lifetime of the WSN.

Figure 1 is an example to show the difference of balanceslicing scheme and random slicing scheme. After building atag tree, nodes 1 to 6 prepare to slice the data. In randomslicing scheme (a), the minimum degree of all six nodes is 3while degrees of node 3 and 5 reach 5, so the two nodes haveprivacy-preserving redundancy. So, we can adopt balanceslicing scheme (b) which only increases the degree of thosenodes whose degree is 3. So, only the degree of node 3 is 4,while others are 3. Less degree leads to fewer slices which canreduce communication overhead.

BPDA model consists of three phases as shown inFigure 2.

(1) Preparing Phase. An aggregation tree is constructedaccording to the standard aggregation protocol TAG. Eachnode records its own degree and computes the threshold ofslice to prepare for data aggregation.


1

5

64

32

(a) Random slicing

1

5

64

32

(b) Balance slicing

Figure 1: Random and balance slicing.

Set TAG tree

Record feature data

Set threshold

Privacy-preserving

Choose the nodes

Balance slicing

Data aggregation

Data aggregation

Preparing phase:

Figure 2: The process of BPDA.

(2) Privacy-Preserving Phase. Firstly, the nodes which need tobe preserved are determined, then balance slicing scheme isused to preserve the privacy data of these nodes.

(3) Data Aggregation Phase. All nodes aggregate the dataaccording to the TAG protocol and send the data to the basestation.

4.1. Preparing Phase. In the preparing phase, after establish-ing the TAG aggregation tree, each node records its owndegree and then broadcasts the degree to its neighbors in onehop.

Next, each node prepared to utilize slicing and mixingtechnology in order to preserve data privacy. The numberof slice plays an important role for the privacy-preservation

which decides the minimum of the privacy preservationefficacy to the WSN. In the existing schemes, the numberof slice is estimated according to administrator experience.In our BPDA scheme, we will give a principle to decide theslicing number.

In many applications, the network manager may expectthat the exposed probability of the privacy data is not morethan a const 𝑄. A degree threshold MinDeg is computedaccording to the experience probability. We assume that 𝑃

𝑖

is the exposed probability of a data collected by node 𝑖, so wehave

max𝑖

𝑃𝑖≤ 𝑄. (4)

In this paper, the data collected by node 𝑖 is exposed onlyif all the messages both sent to and received from this nodeare exposed. Obviously, the sum of these messages equals thedegree of this node, so we get

𝑃𝑖= 𝑞𝑑𝑖 , (5)

where 𝑑𝑖is the degree of node 𝑖, and |𝑑

𝑖| ≥ 1 𝑞 is the

probability that onemessage is exposed. So𝑃𝑖is the increasing

function of 𝑞. In reality, 𝑞 is bounded, so the formula (4) canbe changed into

max𝑖

𝑞𝑑𝑖

max ≤ 𝑄. (6)

According to the formula (6), we can get theminimumdegreewhich satisfies the formula (6) as follows:

𝑑min = log𝑞max

𝑄. (7)

On the other hand, 𝑑min should be a integer, so formula (7)can be adjust to

𝑑min = [log𝑞max

𝑄] + 1, (8)

where [log𝑞max

𝑄] is rounded down of log𝑞max

𝑄.In BPDA model, the threshold of the degree can be set

according to the process above, so we have

MinDed = [log𝑞max

𝑄] + 1. (9)

Figure 3 shows the relationship of the degree thresholdMinDeg and the exposed probability 𝑞. Given 𝑄 = 0.0001,that is, the probability that all nodes in networks are exposed,is less than 0.01%, the value of MinDeg increases with theincreasing of probability 𝑞. When the value of 𝑞 is less than0.02, the value of MinDeg is 2. While 𝑞 increases to 0.06,MinDeg increases to 4.

4.2. Privacy-Preserving Phase. After the preparing phase, thebase station computes the whole time of privacy-preservingphase 𝑇

𝑝by estimating the slicing time 𝑡

𝑠in one round

combining with the threshold MinDeg, which satisfies thecondition as follows:

𝑇𝑝= MinDeg × 𝑡

𝑠. (10)


0 0.02 0.04 0.06 0.08 0.10

1

2

3

4

5

q: probability that link level privacy is broken

Min

Deg

: min

imum

deg

ree o

f the

nod

e

Figure 3: The relation of 𝑞 and MinDeg at 𝑄 = 0.0001.

The values of MinDeg, 𝑡𝑠and 𝑇

𝑝, are broadcasted to the

whole WSN by the base station.All of the sensor nodes begin to slice according to the time

𝑡𝑠after receiving those values from base station. In this paper,

we take node 𝑖 as an example in slicing operation.At first, node 𝑖 compares its degree

𝑖with the threshold

MinDeg.If degree

𝑖< MinDeg, node 𝑖 starts the slicing operation

and computes the connected probabilities of each neighbor todetermine the receiving node 𝑗 among them.Node 𝑖 producesa slice named slice

𝑖𝑗and sends it to the node 𝑗. Meanwhile,

Node 𝑖 subtracts slice𝑖𝑗from its data and adds up its degree

with 1 which can be expressed as follows:

data𝑖= data

𝑖− slice

𝑖𝑗,

degree𝑖= degree

𝑖+ 1,

(11)

where data𝑖is the data of node 𝑖 and degree

𝑖is the degree of

node 𝑖.This round of slicing operation is finished and next round

is ready.If node 𝑖 receives a slice from another node 𝑘 as slice

𝑘𝑖

during this round time 𝑡𝑠, it will increase its degree with 1 as

follows:

degree𝑖= degree

𝑖+ 1. (12)

If degree𝑖≥ MinDeg, node 𝑖 only increases its degree with

1when it receives a slice fromother node (assumed as node 𝑘),otherwise it did nothing until the end of this round of slicingoperation. The degree is updated as follows:

degree𝑖= degree

𝑖+ 1. (13)

Algorithm 1 shows the details of slicing.In BPDA model, the receiving node is determined by

the above balance slice algorithm instead of being selectedrandomly. In this process, the energy and the degree are themain factors to be considered.The following sections presentthree different algorithms according to the energy factor, thedegree factor, and the both factors.

4.2.1. Energy Based. In energy based algorithm, a threshold𝐸𝑟𝑖is set as the average of remaining energy in the neighbors

of node 𝑖. Meanwhile, 𝑡𝑤is the waiting time and𝐸

𝑟𝑖means the

remaining energy of node 𝑖.Firstly, a receiving node should be determined by the

connected probability. The connected probability in this partis as follows:

𝑝𝑖,𝑘

=1/𝑁𝑖

∑𝑗∈neighbours𝑘 1/𝑁𝑗

, (14)

where 𝑝𝑖,𝑘

is the probability that node 𝑘 connects to itsneighbor 𝑖.𝑁

𝑖is the remaining energy of node 𝑖. neighbours

𝑘

is the neighbor set of node 𝑘.Secondly, if 𝐸

𝑟𝑖≥ 𝐸𝑟𝑖, node 𝑖 sends one slice to the

receiving node. If 𝐸𝑟𝑖< 𝐸𝑟𝑖, node 𝑖waits for a 𝑡

𝑤time. In 𝑡

𝑤, if

node 𝑖 receives no slice, it will send one slice to the receivingnode.

This algorithm balances the energy consumption andprolongs the lifetime in the WSN, but it may cause someredundancy of the privacy preservation efficacy. The modelusing this algorithm is called E-BPDA model.

4.2.2. Degree Based. In degree based algorithm, only one ruleis considered; that is, a node with higher degree has lowerprobability to connect and to be connected. The connectedprobability is as follows:

𝑝𝑖,𝑘

=1/𝑑𝑖

∑𝑗∈neighbours𝑘 1/𝑑𝑗

, (15)

where 𝑝𝑖,𝑘

is the probability that node 𝑘 connects to itsneighbor 𝑖. 𝑑

𝑖is the degree of node 𝑖. neighbours

𝑘is the

neighbors set of node 𝑘.This algorithm reduces the redundancy of the privacy

preservation and balances the privacy preservation of thewhole WSN, but it may cause a little unbalance of the energyconsumption. The model using this algorithm is called D-BPDA model.

4.2.3. Both Energy andDegree Based. Energy based algorithmand degree based algorithm are complementary to each other.So the cooperation of these two types is considered. Firstly,similarly to energy based algorithm, 𝐸

𝑟𝑖, 𝑡𝑤, and 𝐸

𝑟𝑖should

be computed or set.Firstly, a receiving node should be determined by the

connected probability.The connected probability in this part is as follows:

𝑝𝑖,𝑘

=1/ (𝑑𝑖⋅ 𝑁𝑖)

∑𝑗∈neighbours𝑘 (1/ (𝑑𝑗 ⋅ 𝑁𝑗))

, (16)

where 𝑝𝑖,𝑘

is the probability that node 𝑘 connects to itsneighbor 𝑖. 𝑁

𝑖is the remaining energy of node i. 𝑑

𝑖is the

degree of node 𝑖. neibhbours𝑘is the neighbor set of node 𝑘.

Secondly, if 𝐸𝑟𝑖

≥ 𝐸𝑟𝑖, node 𝑖 sends one slice to the

receiving node. If 𝐸𝑟𝑖< 𝐸𝑟𝑖, node 𝑖 waits for a 𝑡

𝑤time. By the


Base stationEstimate the time 𝑡

𝑠that a round of slicing in whole WSN

Compute the whole slicing time 𝑇𝑝, s.t.

𝑇𝑝= MinDeg × 𝑡

𝑠

Broadcast the values MinDeg, 𝑇𝑝and 𝑡𝑠to the whole sensor nodes

Sensor node iReceive the values MinDeg, 𝑇

𝑝and 𝑡𝑠from the base station

degree𝑖is the degree of node 𝑖

data𝑖is the data of node 𝑖

In one round of slicing timeIf degree

𝑖< MinDeg

Find the neighbors of node 𝑖

Compute the connected probability of each neighborConfirm the receiving node (assume that is node 𝑖)Produce a slice slice

𝑖𝑗in node 𝑖

Send the slice𝑖𝑗to node 𝑗

Update the data𝑖, s.t.

data𝑖= data

𝑖− slice

𝑖𝑗

Update the degree𝑖, s.t.

degree𝑖= degree

𝑖+ 1

If receive a slice𝑘𝑖from node 𝑘

Receive slice𝑘𝑖


degree𝑖= degree

𝑖+ 1

End IfElseIf receive a slice

𝑘𝑖from node 𝑘

Receive slice𝑘𝑖


degree𝑖= degree

𝑖+ 1

End IfEnd If

Algorithm 1: Algorithm of slicing.

end of time 𝑡𝑤, if node 𝑖 receives no slice, it sends one slice to

the receiving node.This algorithm reduces the redundancy of the privacy

preservation efficacy and balances the energy consumptionat the same time. The model using this algorithm is called C-BPDA model.

4.3. Data Aggregation Phase. In this phase, each node sendsits data to the base station along the aggregation tree.

5. Analysis of Privacy Preservation Efficacy

An evaluation method is necessary to compare differentprivacy-preserving schemes. One of such methods is pro-posed in [13] and is used by many other papers which canbe described as follows.

Firstly, it assumes that 𝑃overhear is the probability thatany node is eavesdropped. And the probability that any twonodes collude is 𝑃collude. Moreover, the probability that thesetwo probabilities are equal to each other is assumed in thismethod. So the formula is as follows:

𝑃overhear = 𝑃collude = 𝑞. (17)

Then, the probability that the private data of node 𝑠 isexposed for a given 𝑞 under either condition above in SMARTalgorithm is as follows:

𝑃 (𝑞) = 𝑞𝐽−1

𝑑max

∑

𝑘=1

𝑃 (in degree = 𝑘) ⋅ 𝑞𝑘, (18)

where 𝐽 is the number of the slices, 𝑑max is the maximumof the indegree in the WSN, and 𝑃 (in degree = 𝑘) is theprobability that the indegree of the node equals 𝑘.

Obviously, 𝐽−1 is the outdegree of the node. So, 𝑃(𝑞) canbe expressed generally as follows:

𝑃 (𝑞) =

𝑑max

∑

𝑘=𝑑min

𝑃 (degree = 𝑘) ⋅ 𝑞𝑘. (19)

Actually, this evaluation considers the privacy preserva-tion of the whole network instead of some certain node. Asshown in Table 1, there are two networks, NW1 and NW2.Each of them has 8 nodes. Nodes in NW1 are not of the samedegree, but in NW2 every node has the same degree of 3.


Table 1: The degree distributions of two networks.

Nodes 1 2 3 4 5 6 7 8Degree

NW1 4 6 2 6 6 4 4 6NW2 3 3 3 3 3 3 3 3

According to the Table 1 and formula (18), we have

𝑃NW1 (𝑞) =

𝑑max∑

𝑘=𝑑min𝑃 (dgree = 𝑘) ⋅ 𝑞

𝑘

=1

8𝑞2+

3

8𝑞4+

1

2𝑞6,

𝑃NW2 (𝑞) =

𝑑max∑

𝑘=𝑑min𝑃 (dgree = 𝑘) ⋅ 𝑞

𝑘= 𝑞3.

(20)

If 𝑞 = 0.2, we get 𝑃NW1 = 0.0056 and 𝑃NW2 = 0.008.Obviously, NW1 is more robust than NW2 as 𝑃NW1 < 𝑃NW2.However, as shown in Table 1, there is a node whose degreeis 2 in NW1 which is the most easily to be disclosed bothin NW1 and NW2. So this evaluation method describes theglobal privacy preservation efficacy instead of focusing on aspecific node’s privacy preservation which is of more concernin practical application.

6. Simulation

In this section, a wireless sensor network with 800 nodes isconsidered, and these nodes are randomly deployed over 400× 400 areas. The energy of each node is 0.5 J. We apply TAGscheme [25] which is a typical data aggregation scheme in thesimulation. We study the performances of BPDA model infour aspects with simulation which are degree distribution,privacy preservation efficacy, communication overhead, andlifetime. BPDAmodels will be comparedwith SMARTmodeland ESPART model in these performances.

6.1. Degree Distribution. In this section, a node with degreeof 2 is regarded as privacy-preserved enough.

Figure 4 shows degree distribution in different models.TAG is a data aggregation scheme without privacy consider-ation and the basis of the other models. In TAG model, theminimum degree is 1 and the maximum degree is 9 while 80percent of nodes in network take the minimum degree. Afterprivacy preserving, all the schemes increase the minimumdegree to 2 and the maximum degree is increased too. Inthree BPDAmodels, the D-BPDA andC-BPDA only increasethe maximum degree from 9 to 10. In the E-BPDA model,the maximum degree increases to 11 which is the same inthe ESPARTmodel. Meanwhile, the SMARTmodel increasesthe maximum degree to 16. The increasing of maximumdegree means that some nodes which need not to be privacypreserved are preserved.This is a main reason that causes theredundancy of the privacy preservation.

0 2 4 6 8 10 12 140

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

Degree of nodes

The p

erce

ntag

e in

the n

etw

ork

TAGE-BPDAD-BPDA

C-BPDASMARTESPART

Figure 4: The degree distribution in different models.

On the other hand, the degree of more than 50 percent ofnodes in three BPDAmodels is 2 while ESPART and SMARTschemes increasemore nodes’ degrees which are redundancy.

In three BPDA models, E-BPDA considers so manyenergy balances that its redundancy is themost. D-BPDA hasthe less redundancy by considering how to reduce it. The C-BPDAwhich combines bothD-BPDA and E-BPDA leads lessredundancy than the E-BPDA.

6.2. Privacy Preservation Efficacy. Here, the evaluationmethod of the privacy preservation efficacy in [22] is adopted.

Figure 5 shows the exposed probability of nodes indifferent models. In Figure 5, the exposed probability ofnodes in BPDA models is higher than that of SMART andESPART models because this evaluation method works froma global view of the whole WSN. In many cases, the largerthe sum of degrees is, the lower exposed probability themodel has. It seems that SMART and ESPART models havemore ability on privacy preservation because they pay muchmore on the redundancy when some nodes have high privacypreservation with rather high degree after the operation. TheBPDAmodels consider the redundancy problem and put thealgorithms only effect on the nodes with minimum degree.Although their exposed probabilities are higher than others’,they are still kept in the similar level.

6.3. Communication Overhead. As to the communicationoverhead, the amount of the sending data in slicing step isconsidered. Tables 2 and 3 show the amount of sending dataof different schemes SMART, ESPART,D-BPDA, E-BPDA,C-BPDA, and their percentage to SMART at conditions 𝐽 = 2,MinDeg = 2 and 𝐽 = 3, MinDeg = 3.

In both Tables 2 and 3, all of the sending data in threeBPDA models are less than those in the other two models.


0 0.02 0.04 0.06 0.08 0.10

0.01

0.02

0.03

0.04

0.05

0.06

0.07

q: probability that link level privacy is broken

Perc

enta

ge th

at p

rivat

e dat

a is d

isclo

sed

E-BPDAD-BPDAC-BPDA

SMARTESPART

Figure 5: The exposed probability of nodes in different algorithms.

Table 2: The communication overhead and percentage to SMART,at 𝐽 = 2, MinDeg = 2.

Schemes Sending data Percentage to SMARTSMART 800ESPART 621 77.63%D-BPDA 440 55%E-BPDA 494 61.75%C-BPDA 429 53.63%

Table 3: The communication overhead and percentage to SMART,at 𝐽 = 3, MinDeg = 3.

Schemes 𝐽 = 3, MinDeg = 3 Percentage to SMARTSMART 1600ESPART 924 57.75%D-BPDA 805 50.31%E-BPDA 896 56%C-BPDA 800 50%

So the BPDA models reduce the communication overheadobviously.

When 𝐽 = 2, comparing with SMART scheme which hasthe largest amount of sending data 800, ESPART scheme is621 and 77.63% to the SMART scheme, D-BPDA is 55%, E-BPDA is 61.75%, and C-BPDA is 53.63%.

Similar to 𝐽 = 2, when 𝐽 = 3, the communicationoverhead of SMART is still the largest, and it reaches 1600which is twice to the value of 𝐽 = 2. ESPART scheme is 57.75%to the SMART scheme, D-BPDA is 50.31%, E-BPDA is 56%,and C-BPDA is 50%.

From the data of Tables 2 and 3, we can see that heBPDA models send less data which means they have a lowercommunication overhead. The ESPART model and BPDAmodels are closer in sending data with the increasing 𝐽. As a

general rule, the BPDAmodels can preserve the data privacywell while using slice with 𝐽 = 2 or 𝐽 = 3 as well as reducingthe communication overhead.

In three BPDA models, the E-BPDA model considersmore of the energy balance of the whole network, so itcauses the higher communication overhead. Other twomod-els both consider the degree balance which causes lowercommunication overhead. And inD-BPDAandC-BPDA, thecommunication overheads are at the same level.

6.4. Lifetime. In the simulation of lifetime, we assume that allsensor nodes have an initial energy which is 0.5 J. The datapacket size is 1000 bits. The minimum degree in the networkis 2 after privacy preservation. A WSN cannot operate whenmore than 20% of the sensor nodes are out of work. And thenumber of nodes in network is 800. Therefore, the networklifetime is defined as the time when 160 sensor nodes aredischarged.

Nodes consume energy both in sending and receivingdata according to [26, 27]. In this paper, we use the modelthat the pass loss exponent is 2. The model is as follows.

A 𝑘-bit data packet is transmitted and the energy con-sumption of sending node is given by

𝐸𝑡= 𝜀1× 𝑘 + 𝜀

2× 𝑑2× 𝑘, (21)

where𝑑 is the distance between the two sensor nodes and 𝜀1=

50 nJ/bit, 𝜀2= 100 pJ/bit⋅m2.

A 𝑘-bit data packet is transmitted, and the energy con-sumption of receiving node is given by

𝐸𝑟= 𝜀1× 𝑘. (22)

Figure 6 shows that the drained nodes appear in about700th round in the three BPDA schemes. And there isa bifurcation point at about the 900th round. Before thedemarcation point, the increasing of the drained nodes in allmodels is at the same trace. After the point, the drained nodesin D-BPDA models increase to 160 in about 200 rounds, andthen the lifetime is up. In the E-BPDA and C-BPDA models,the increasing of drained nodes is slower than D-BPDAmodel. So it can prolong the lifetime when considering theenergy balance which can balance the energy consumptionof the network.

7. Conclusion

In wireless sensor networks, sensitive information that sen-sor nodes gathered is prone to be leaked for the hostileenvironment. Privacy-preserving has become an importantissue in data aggregation. A balance privacy-preserving dataaggregation model based on slicing and mixing technologyis proposed in this paper. Firstly, a degree threshold iscomputed according to security requirement of the WSN.Compare with fixed or random slicing, the proposed slicingmethod emphasizes that sensor node sends the slices to itsneighbors refer to the degree threshold and ensures that theslices can be sent to the nodes which have lower privacypreservation. So, it reduces the redundancy and increases the


0 20 40 60 80 100 120 140 160 1800

200

400

600

800

1000

1200

1400

The number of drained nodes

The l

ifetim

e

C-BPDAD-BPDA

E-BPDA

Figure 6: The lifetime in different algorithms.

privacy-preservation efficacy. Furthermore, according to theinfluence factor in real application, energy based E-BPDA,degree based D-BPDA, and both energy and degree C-BPDAthree different schemes are presented to keep the privacy-preserving data aggregation balance. Simulation shows thatE-BPDA model has a longer lifetime, D-BPDA model has alower communication overhead, and the C-BPDA combinesthe advantage of the E-BPDA and D-BPDA.

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural ScienceFoundation of China under Grant 61201159, the BeijingNatural Science Foundation under Grant (4132057), andthe Beijing Municipal Education Commission on Projects(SQKM201510016013).

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “Asurvey on sensor networks,” IEEE Communications Magazine,vol. 40, no. 8, pp. 102–114, 2002.

[2] D. Culler, D. Estrin, and M. Srivastava, “Overview of sensornetworks,” IEEE Computer, vol. 37, no. 8, pp. 41–49, 2004.

[3] A. Mainwaring, J. Polastre, R. Szewczyk, D. Culler, and J.Anderson, “Wireless sensor networks for habitat monitoring,”in Proceedings of the 1st ACM International Workshop onWireless Sensor Networks and Applications (WSNA’02), pp. 88–97, Atlanta, Ga, USA, September 2002.

[4] N. Xu, S. Rangwala, K. K. Chintalapudi et al., “A wirelesssensor network for structural monitoring,” in Proceedings of the

2nd International Conference on Embedded Networked SensorSystems (SenSys ’04), pp. 13–24, ACM, November 2004.

[5] B. Krishnamachari, D. Estrin, and S. Wicker, “The impact ofdata aggregation in wireless sensor networks,” in Proceedingsof the 22nd International Conference on Distributed ComputingSystems Workshops, pp. 575–578, IEEE, Vienna, Austria, 2002.

[6] J. Yick, B. Mukherjee, and D. Ghosal, “Wireless sensor networksurvey,”ComputerNetworks, vol. 52, no. 12, pp. 2292–2330, 2008.

[7] H. Cam, S. Ozdemir, P. Nair, and D. Muthuavinashiappan,“ESPDA: energy-efficient and secure pattern-based data aggre-gation for wireless sensor networks,” in Proceedings of the IEEEConference on Sensors, pp. 732–736, IEEE, Piscataway, NJ, USA,October 2003.

[8] L. Hu and D. Evans, “Secure aggregation for wireless networks,”in Proceedings of the Symposium onApplications and the InternetWorkshops, pp. 384–391, IEEE Press, 2003.

[9] B. Przydatek, D. Song, and A. Perrig, “SIA: secure informationaggregation in sensor networks,” in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys ’03), pp. 255–265, Los Angeles, Calif, USA, November2003.

[10] S. Ozdemir and Y. Xiao, “Secure data aggregation in wirelesssensor networks: a comprehensive overview,” Computer Net-works, vol. 53, no. 12, pp. 2022–2037, 2009.

[11] H. Alzaid, E. Foo, and J. G. Nieto, “Secure data aggregationin wireless sensor network: a survey,” in Proceedings of the 6thAustralasian Information Security Conference (AISC ’08), pp.93–105, January 2008.

[12] H. O. Sanli, S. Ozdemir, and H. Cam, “SRDA: secure reference-based data aggregation protocol for wireless sensor networks,”in Proceedings of the IEEE VTC Fall Conference, pp. 4650–4654,Los Angeles, Calif, USA, September 2004.

[13] N. Li, N. Zhang, S. K. Das, and B. Thuraisingham, “Privacypreservation in wireless sensor networks: a state-of-the-artsurvey,” Ad Hoc Networks, vol. 7, no. 8, pp. 1501–1514, 2009.

[14] R. Bista and J.-W. Chang, “Privacy-preserving data aggregationprotocols for wireless sensor networks: a survey,” Sensors, vol.10, no. 5, pp. 4577–4601, 2010.

[15] C. Castelluccia, E. Mykletun, and G. Tsudik, “Efficient aggre-gation of encrypted data in wireless sensor networks,” inProceedings of the 2nd Annual International Conference onMobile and Ubiquitous Systems: Computing, Networking andServices, pp. 109–117, July 2005.

[16] J. Girao, D. Westhoff, and M. Schneider, “CDA: concealeddata aggregation for reverse multicast traffic in wireless sensornetworks,” in Proceedings of the IEEE International Conferenceon Communications (ICC ’05), vol. 5, pp. 3044–3049, IEEE,May2005.

[17] S. Ozdemir and Y. Xiao, “Integrity protecting hierarchical con-cealed data aggregation forwireless sensor networks,”ComputerNetworks, vol. 55, no. 8, pp. 1735–1746, 2011.

[18] W. B. He, X. Liu, H. Nguyen, K. Nahrstedt, and T. Abdelzaher,“PDA: privacy-preserving data aggregation in wireless sensornetworks,” in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (IEEE INFOCOM '07), pp.2045–2053, Anchorage, Alaska, USA, May 2007.

[19] W.-B. He, N. Hoang, X. Liu, K. Nahrstedt, and T. Abdelzaher,“iPDA: an integrity-protecting private data aggregation schemeforwireless sensor networks,” inProceedings of the IEEEMilitaryCommunications Conference (MILCOM ’08), pp. 1–7, San Diego,Calif, USA, November 2008.


[20] M.M.Groat,W.Hey, and S. Forrest, “KIPDA:K-indistinguisha-ble privacy-preserving data aggregation in wireless sensor net-works,” in Proceedings of the 30th IEEE International Conferenceon Computer Communications (INFOCOM ’11), pp. 2024–2032,April 2011.

[21] C.-X. Liu, Y. Liu, Z.-J. Zhang, and Z.-Y. Cheng, “High energy-efficient and privacy-preserving secure data aggregation forwireless sensor networks,” International Journal of Communica-tion Systems, vol. 26, no. 3, pp. 380–394, 2013.

[22] G. Yang, A.-Q. Wang, Z.-Y. Chen, J. Xu, and H.-Y. Wang, “Anenergy-saving privacy-preserving data aggregation algorithm,”Chinese Journal of Computers, vol. 34, no. 5, pp. 792–800, 2011.

[23] G. Yang, S. Li, X. Xu, H. Dai, and Z. Yang, “Precision-enhancedand encryption-mixed privacy-preserving data aggregation inwireless sensor networks,” International Journal of DistributedSensor Networks, vol. 2013, Article ID 427275, 12 pages, 2013.

[24] S. Madden, M. J. Franklin, and J. M. Hellerstein, “TAG: aTiny AGgregation service for Ad-hoc sensor networks,” inProceedings of the 5th Symposium on Operating Systems Designand Implementation (OSDI ’02), Boston, Mass, USA, December2002.

[25] L. Eschenauer and V. D. Gligor, “A key-management schemefor distributed sensor networks,” in Proceedings of the 9th ACMConference on Computer and Communications Security, pp. 41–47, November 2002.

[26] M. Hussaini, H. Bello-Salau, A. F. Salami, F. Anwar, A. H.Abdalla, and M. R. Islam, “Enhanced clustering routing pro-tocol for power-efficient gathering in wireless sensor network,”International Journal of Communication Networks and Informa-tion Security, vol. 4, no. 1, pp. 18–28, 2012.

[27] W. Qin, M. Hempstead, and Y. Woodward, “A realistic powerconsumption model for wireless sensor network devices,” inProceedings of the 3rd Annual IEEE Communications Society onSensor andAdHocCommunications andNetworks, pp. 286–295,September 2006.

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttp://www.hindawi.com Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of



RotatingMachinery


Hindawi Publishing Corporation http://www.hindawi.com

Journal ofEngineeringVolume 2014

Submit your manuscripts athttp://www.hindawi.com

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

The Scientific World JournalHindawi Publishing Corporation http://www.hindawi.com Volume 2014

SensorsJournal of


Modelling & Simulation in EngineeringHindawi Publishing Corporation http://www.hindawi.com Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks


research article a balance privacy-preserving data...

Documents