Virtual Trip Lines for Distributed Privacy-Preserving Traffic Monitoring
Baik Hoh et al. MobiSys08
Slides based on Dr. Hoh’s MobiSys presentation
Collaborative Traffic Monitoring using Cellphone-based Probe Vehicles
[Figure: system architecture. Probe Vehicles and Satellite (GPS) report to the Cellular Service Provider, which feeds Traffic Estimation with data mining and logging.]
Vehicle ID | timestamp            | Lon      | Lat     | Speed | Heading
-----------+----------------------+----------+---------+-------+--------
254        | 18-oct-2006 10:11:12 | -85.3452 | 42.4928 | 42.18 | 135
372        | 18-oct-2006 10:11:12 | -85.3427 | 42.4898 | 63.72 | 100
182        | 18-oct-2006 10:11:12 | -85.4092 | 42.4726 | 50.15 | 75
254        | 18-oct-2006 10:12:12 | -85.3462 | 42.4998 | 45.18 | 135
372        | 18-oct-2006 10:12:12 | -85.3512 | 42.4944 | 60.01 | 185
182        | 18-oct-2006 10:12:12 | -85.4102 | 42.4753 | 45.88 | 235
…          | …                    | …        | …       | …     | …
254        | 18-oct-2006 10:21:12 | -85.3856 | 42.5129 | 45.67 | 135
Location Proxy
Access Control
Anonymization
Anonymous Trace log files
Inference/Insider Attacks Compromise Location Privacy
Still insider attacks and remote break-ins possible
Re-identification of traces through data analysis
Home Identification [Hoh06]
Tracking algorithms recover individual trace [Hoh05] (Median trip time only 15min)
[Figure: GPS samples from the anonymous trace log files plotted on a map]
Anonymous Trace log files
GPS often precise enough to identify home
Related Works: Uncertainty-Aware Path Cloaking Requires a Trustworthy Proxy Server [Hoh07]
• Time-to-confusion (TTC) criterion measures the time an adversary can track with high confidence
• Disclosure control algorithm that selectively reveals GPS samples to limit the maximum Time-to-confusion
[Figure: plotted GPS trace with selectively revealed samples]
What if location proxy got compromised?
• Idea: distributed “privacy” preserving scheme (a la secret splitting) using Virtual Trip Lines (VTLs)
[Figure: system architecture with a Location Proxy inserted between the Cellular Service Provider and Traffic Estimation (data mining and logging); the trace log excerpt is the same as above.]
Virtual Trip Lines (VTLs) Enable Sampling in Space
• Better than sampling in time (periodic reports)?
• Chance of distributed architecture?
• VTL has the same effect as "road side" sensor-based measurement
  – VTL can be strategically chosen (optimal placement in the paper)
• Any single entity can be compromised (but no collusion)
• A driver's cellphone is trustworthy
Privacy Risks and Threat Model
[Figure: threat model. My Phone and Satellite report via the Cellular Service Provider to the Location Proxy and on to Traffic Estimation (data mining and logging); "Others" marks outside parties.]
Probabilistic Guarantee Model (Mix Zone)
• Mobile generates data: VTL ID, speed, direction
• Mobile encrypts data using VTL server's public key
• Privacy guarantee:
  – Location proxy: can't decrypt location data
  – VTL server: can't find user's identity (but an inference attack is still feasible, e.g., when only a single vehicle reports data)
[Figure: message flow of the probabilistic guarantee model]
Mobile → Cell Service Provider → Location Proxy: Mobile's ID, E(VTL ID, speed, dir)
Location Proxy: remove Mobile's ID
Location Proxy → VTL Server: E(VTL ID, speed, dir)
VTL Server decrypts the data for Traffic Estimation
Placement Privacy Constraints: Minimum Spacing
• Tracking uncertainty is dependent on the spacing between VTLs, the penetration rate, and speed variations of vehicles
Placement Privacy Constraints: Exclusion Areas
• Low-speed samples are likely generated by vehicles that have just entered from a ramp
• Suppress sampling on on-/off-ramps
Guaranteed Privacy Model with VTL-based k-anonymity (called Distributed VTL-Based Temporal Cloaking)
[Figure: Handset, Location Verifier, VTL Generator, ID Proxy, Traffic Server and VTL Update Log; k = 7 in the example]
1a. VTL Generator: nonce for area
1b. Broadcast nonce to phones in area
Handset generates the new ID for the trip line with the nonce from the VTL Generator: VTLIDnew = h(nonce, VTLIDold), where h is a secure hash function
2. Handset sends the VTL update
Location Verifier: coarse location verification to prevent location spoofing
3. Forward the VTL update (to the ID Proxy)
ID Proxy: temporally cloaks flow updates, limits update rate per phone, and authenticates users
4. Send the cloaked VTL updates (to the Traffic Server)
5. Store the cloaked VTL updates (VTL Update Log)
Distributed VTL-Based Temporal Cloaking
• Motivated by secret splitting scheme
• Traffic estimation is immune to temporal error

Entity            | Role                         | Identity | Location      | Time
------------------+------------------------------+----------+---------------+---------
Handset           | Sensing                      | Yes      | Accurate      | Accurate
Location Verifier | Distributing VTL ID updates  | Yes      | Coarse        | Accurate
ID Proxy          | Anonymizing and Cloaking     | Yes      | Not available | Accurate
Traffic Server    | Computing Traffic Congestion | No       | Accurate      | Cloaked
Virtual Trip Lines Temporal Cloaking
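The temporal cloaking steps above (nonce-driven VTL ID rotation on the handset, then an ID proxy that drops identity, rate-limits per phone, and releases updates only in k-anonymous batches with one shared timestamp), as an added example that is not code from the paper or the slides. SHA-256 stands in for the unspecified hash h, the nonce, phone names and crossing times are constructed, and user authentication at the proxy is left out.

```python
import hashlib
from collections import defaultdict

K = 7  # k from the deck's example; updates per VTL held back before release


def next_vtl_id(nonce: bytes, old_id: str) -> str:
    """VTLIDnew = h(nonce, VTLIDold); SHA-256 is assumed for the secure hash h."""
    return hashlib.sha256(nonce + b"|" + old_id.encode()).hexdigest()[:16]


class IDProxy:
    """ID proxy role: anonymizes and temporally cloaks VTL updates.

    Identity never leaves the proxy, each phone contributes at most one update
    per VTL ID (rate limit), and updates for a VTL are held until k exist; the
    batch is then released with a single shared timestamp, so the traffic server
    sees accurate location (the VTL) but only cloaked time.
    """

    def __init__(self, k: int = K):
        self.k = k
        self.pending = defaultdict(list)  # vtl_id -> [(time, speed, heading)]
        self.seen = set()                 # (phone_id, vtl_id) pairs already accepted
        self.released = []                # cloaked records handed to the traffic server

    def receive(self, phone_id: str, vtl_id: str, t: int, speed: float, heading: int):
        if (phone_id, vtl_id) in self.seen:
            return None                   # rate limit: one update per phone per VTL ID
        self.seen.add((phone_id, vtl_id))
        self.pending[vtl_id].append((t, speed, heading))
        if len(self.pending[vtl_id]) < self.k:
            return None                   # fewer than k crossings: keep holding
        batch = self.pending.pop(vtl_id)
        t_cloak = max(bt for bt, _, _ in batch)  # whole batch shares the release time
        out = [(vtl_id, t_cloak, s, h) for _, s, h in batch]  # phone_id is dropped
        self.released.extend(out)
        return out


def demo(n_phones: int = 8) -> IDProxy:
    """Constructed scenario: n phones cross one trip line 10 s apart after an ID rotation."""
    nonce = b"constructed-area-nonce"          # steps 1a/1b: nonce for the area
    vtl_id = next_vtl_id(nonce, "VTL-0042")   # handset derives the rotated VTL ID
    proxy = IDProxy()
    for i in range(n_phones):                 # steps 2/3: updates reach the ID proxy
        proxy.receive(f"phone-{i}", vtl_id, 600 + 10 * i, 55.0 + i, 135)
    return proxy
```

With eight phones, the first seven crossings are released together at t = 660 and the eighth stays pending until six more vehicles cross the same line.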