Privacy and Anonymity in
Summary:
The privacy and anonymity problem in mobile and wireless networks is challenging along multiple dimensions: (1) stronger attacks due to network vulnerability and novel attack techniques; (2) new privacy concerns, including identity, sender/receiver relationship, location, motion pattern, active route, and topology; and (3) dynamic user groups and the lack of an available, low-cost security and trust infrastructure. With our collaborators, we were the first to identify a series of privacy concerns and possible attacks in connection with routing protocols and data packets, which we named mobile anonymity. We pointed out that multihop routing can reveal motion pattern, sender/receiver relationship, active route, and topology information as well as traditional identities. We also developed the first anonymous routing protocol for MANETs, ANODR (MobiHoc’03). ANODR builds the routing path efficiently while preserving mobile anonymity. The protocol has been widely cited since it was published in 2003. More recent research in this area has focused on developing more threat models, new anonymous routing protocols, metrics, critical performance tradeoffs, and strategies exploiting mobility. These are briefly summarized below.
Part of this work was funded by NSF award #0627147.
1 Privacy threats and anonymous routing protocols
Our early study showed that resisting privacy attacks such as traffic analysis is very expensive in a MANET. When cryptography is an unavoidable component, its computation and communication overhead must be considered. In addition, a widely adopted routing policy can itself be potentially harmful. GPS location information helps MANET routing, but it can pose significant threats to location privacy. Moreover, attack models differ between applications and can influence the design choices. To address these challenges, we have developed several anonymous routing protocols. Our contributions are listed below:
(a) Computation and communication overhead affects the scalability of anonymous routing. In fact, scalability is challenging in a MANET even without any cryptographic operations. We used a hierarchical approach that exploits cooperative network behavior in mobility to gain the needed efficiency, and we also addressed the additional anonymity problems introduced by the hierarchical network structure. We developed HANOR (Hierarchical Anonymous On-demand Routing). HANOR achieves scalability by dramatically reducing cryptographic operation overhead in inter-group routing and minimizing it in intra-group routing. In addition, HANOR provides anonymity protection for the network hierarchy itself, i.e., the group boundaries and topology.
(b) The broadcast nature of the wireless medium helps a node hide within the radio transmission range. By reporting a pseudo location, a node can protect its location privacy. Our Anonymous Geo-Forwarding protocol extends this basic idea into stronger protection strategies. We proposed additional zone-based and route-based schemes that help the destination hide while still receiving messages. The schemes differ in how they balance the degree of anonymity protection against routing overhead. Our analysis and simulation have shown that the new strategies make a large improvement on the anonymity and the overhead.
(c) The shortest path is a commonly used routing strategy. However, it reveals the traffic tendency towards the destination and the source, violating “untraceability”. We tackled the problem by developing an anonymous routing protocol that obfuscates the data traffic tendency through controlled random forwarding. Since plain random forwarding can lead to non-delivery, a directed forwarding component is used to force delivery. The protocol trades off among randomness, path length, attack success probability, and delivery ratio. Our evaluation shows that reasonable overhead can yield an acceptably high delivery ratio.
(d) Further, we found that anonymous routing protocols can entail significant performance degradation because of the computation and bandwidth overhead of the cryptographic operations used to achieve high privacy protection. It is therefore critical to investigate the impact of extreme network conditions, including node capacity, network size, communication load, and mobility, and to determine the tradeoff points where anonymity is preserved and performance can still be guaranteed. We performed extensive simulation to investigate the tradeoffs among methods, performance, and protection. We also developed new metrics, such as “(un)traceable ratio” and “path capture probability”, to measure the new anonymity properties we identified in the threat analysis. Our study improves the understanding of the protocol components that involve cryptographic operations and of their joint impact on performance. For example, control packet size and processing delay influence overall data delivery in various network situations.
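The tradeoff described in item (c), between randomness, path length, and delivery ratio, can be seen in a small simulation. This is an added illustration, not the ARCoRF protocol or code from the project: the grid topology, the per-hop probability `p_random`, the TTL, and the `toward_ratio` proxy for traffic tendency are all assumptions made for the example.

```python
import random

def manhattan(a, b):
    return abs(a[0] - b[0]) + abs(a[1] - b[1])

def forward(src, dst, size, p_random, ttl, rng):
    """Forward one packet on a size x size grid (constructed topology).
    Returns (delivered, hops, hops_that_moved_toward_dst)."""
    pos, hops, toward = src, 0, 0
    while pos != dst and hops < ttl:
        x, y = pos
        nbrs = [(x + dx, y + dy) for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1))
                if 0 <= x + dx < size and 0 <= y + dy < size]
        if rng.random() < p_random:
            nxt = rng.choice(nbrs)                            # random forwarding
        else:
            nxt = min(nbrs, key=lambda n: manhattan(n, dst))  # directed forwarding
        toward += manhattan(nxt, dst) < manhattan(pos, dst)
        pos, hops = nxt, hops + 1
    return pos == dst, hops, toward

def simulate(p_random, trials=500, size=12, ttl=60, seed=7):
    """Send `trials` packets corner to corner and summarise the tradeoff."""
    rng = random.Random(seed)
    src, dst = (0, 0), (size - 1, size - 1)
    delivered_hops, total_hops, total_toward = [], 0, 0
    for _ in range(trials):
        ok, hops, toward = forward(src, dst, size, p_random, ttl, rng)
        total_hops += hops
        total_toward += toward
        if ok:
            delivered_hops.append(hops)
    return {
        "delivery": len(delivered_hops) / trials,
        "mean_hops": (sum(delivered_hops) / len(delivered_hops)
                      if delivered_hops else None),
        # Fraction of observed hops heading toward the destination: a
        # constructed proxy for the "traffic tendency" an eavesdropper sees.
        "toward_ratio": total_toward / total_hops,
    }

if __name__ == "__main__":
    for p in (0.0, 0.3, 0.8):
        print(p, simulate(p))
```

With `p_random = 0` every hop points at the destination; raising it hides the tendency at the cost of longer paths and, past some point, packets that expire before delivery.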
Jun Liu* (Aug 2007), dissertation: “Anonymous Communication in Wireless Mobile Networks.” University of Alabama.
Xiaoxin Wu, Jun Liu*, Xiaoyan Hong and Elisa Bertino, “Anonymous Geo-Forwarding in MANETs through Location Cloaking”, IEEE Transactions on Parallel and Distributed Systems, 11 Feb., 2008.
Jiejun Kong, Xiaoyan Hong, Mario Gerla, “An Identity-free and On Demand Routing Scheme against Anonymity Threats in Mobile Ad-hoc Networks”, IEEE Transactions on Mobile Computing, Vol. 6, No. 8, August 2007, pp. 888-902.
Jun Liu*, Xiaoyan Hong, Marcus Brown, “ARCoRF: Anonymous Routing with Controlled Random Forwarding in Wireless Ad-hoc Networks”, International Conference on the Latest Advances in Networks (ICLAN07), Paris, France, Dec. 2007.
Xiaoyan Hong, Jiejun Kong, Mario Gerla, “Mobility Changes Anonymity: New Passive Threats in Mobile Ad Hoc Networks”, Wireless Communications & Mobile Computing (WCMC), Special Issue of Wireless Network Security, Vol. 6, Issue 3, May 2006, pp. 281-293.
Xiaoxin Wu, Jun Liu*, Xiaoyan Hong and Elisa Bertino, “Achieving Anonymity in Mobile Ad Hoc Networks using Fuzzy Position Information”, in Proceedings of 2nd International Conference on Mobile Ad-hoc and Sensor Networks (MSN 2006), Hong Kong, China, Dec 2006.
Jun Liu*, Xiaoyan Hong, Jiejun Kong, Qunwei Zheng*, Ning Hu, Phillip G. Bradford, “A Hierarchical Anonymous Routing Scheme for Mobile Ad-Hoc Networks”, in Proceedings of IEEE Military Communications Conference (Milcom06), Washington D.C., Oct. 2006.
Jiejun Kong, Jun Liu*, Xiaoyan Hong, Mario Gerla, “Toward Efficient Solutions to Resist Mobile Traffic Sensors: How Much Performance Cost is Paid by On-demand Anonymous Routing Protocols”, International Workshop on Research Challenges in Security and Privacy for Mobile and Wireless Networks (WSPWN 06), Miami, Florida, March 15-16, 2006.
Jun Liu*, Jiejun Kong, Xiaoyan Hong, Mario Gerla, “Performance Evaluation of Anonymous Routing Protocols in MANETs”, IEEE Wireless Communications and Networking Conference 2006 (WCNC06), Las Vegas, April 2006.
Jiejun Kong, Xiaoyan Hong, and Mario Gerla, “A New Set of Passive Routing Attacks in Mobile Ad Hoc Networks”, in Proceedings of IEEE Military Communications Conference (MILCOM'03), Boston, MA, October 13-16, 2003.
Jiejun Kong, Xiaoyan Hong, and Mario Gerla, “ANODR: ANonymous On Demand Routing with Untraceable Routes for Mobile Ad-hoc Networks”, in Proceedings of ACM International Symposium on Mobile Ad Hoc Networking & Computing (MobiHoc 2003), Annapolis, MD, June 2003.
2 Mobility strategies to anonymity
For the first time, we take a novel approach that exploits the salient feature of MANETs, mobility, to design anonymity strategies. Our research in this thrust has a few focuses: how mobility influences the anonymous system, what requirements and strategies network protocols can use to enhance anonymity, and how mobility can be exploited to mitigate the threats. We have made the following contributions.
(a) We have developed a unified threat and countermeasure model, “Motion-Mix” (MMix), as a tool to model the mixing ability of mobility. The MMix is defined in terms of the effective eavesdropping area of an attacker and the mobility of a node. The concept introduces movements and dummy transmissions as countermeasures that increase the size of the area and enhance privacy protection. Mobile nodes can mingle when anonymizing techniques make their transmissions indistinguishable. The model also yields design principles for every layer of the protocol stack to ensure mobile anonymity. Using the model, we were able to obtain analytic results on key privacy properties of random walk style mobility.
(b) We identified the itinerary attack, in which the adversary exploits advances in wireless localization and signal print techniques to discover wireless users’ routine motions. We propose to use mobility to mitigate the threat: nodes deliberately add camouflaged motions to their regular behavior. We developed the Δ-mobility algorithm, which randomly adds a midpoint to a straight-line motion segment. Our analysis and simulation show that this algorithm has several advantages: it significantly increases the number of possible motion traces; the motion traces of many nodes are scattered and “mixed”, so each becomes less distinguishable; and it reduces the probability of itinerary exposure by generating less traceable wireless transmissions with a small travel overhead. In addition, the algorithm can be applied to any mobility model by changing the original motion segments into more camouflaging paths. We are working on more algorithms along this line.
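A sketch of the midpoint idea in item (b), added here as an example and not taken from the Δ-mobility paper or the project's code. The page does not say how the midpoint is drawn, so this example assumes Δ bounds the extra travel distance per segment, which confines the midpoint to an ellipse whose foci are the segment's endpoints; the function names and the sample route are hypothetical.

```python
import math
import random

def camouflage_midpoint(a, b, delta, rng):
    """Draw a midpoint m with |am| + |mb| <= |ab| + delta (assumed reading of Δ).

    Such points fill an ellipse with foci a and b; sample uniformly inside it."""
    if delta < 0:
        raise ValueError("delta must be non-negative")
    d = math.dist(a, b)
    semi_major = (d + delta) / 2
    semi_minor = math.sqrt(semi_major ** 2 - (d / 2) ** 2)
    r, theta = math.sqrt(rng.random()), rng.uniform(0, 2 * math.pi)
    u, v = semi_major * r * math.cos(theta), semi_minor * r * math.sin(theta)
    # Rotate from the ellipse frame to the segment direction, then centre it.
    cos_t, sin_t = ((b[0] - a[0]) / d, (b[1] - a[1]) / d) if d else (1.0, 0.0)
    cx, cy = (a[0] + b[0]) / 2, (a[1] + b[1]) / 2
    return (cx + u * cos_t - v * sin_t, cy + u * sin_t + v * cos_t)

def camouflage_path(waypoints, delta, rng):
    """Insert one random midpoint into every straight segment of a route."""
    out = [waypoints[0]]
    for a, b in zip(waypoints, waypoints[1:]):
        out += [camouflage_midpoint(a, b, delta, rng), b]
    return out

def path_length(points):
    return sum(math.dist(p, q) for p, q in zip(points, points[1:]))

# Constructed daily route (metres): home -> office -> cafe -> home.
ROUTE = [(0.0, 0.0), (400.0, 300.0), (400.0, 800.0), (0.0, 0.0)]

if __name__ == "__main__":
    base = path_length(ROUTE)
    for seed in (1, 2, 3):
        trace = camouflage_path(ROUTE, 50.0, random.Random(seed))
        extra = path_length(trace) - base
        print(f"seed {seed}: +{extra:.1f} m ({100 * extra / base:.1f}% overhead)")
```

Each run of the same routine produces a different trace, while the travel overhead stays below Δ per segment.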
Jiejun Kong, Dapeng Wu, Xiaoyan Hong, Mario Gerla, “Mobile Traffic Sensor Network versus Motion-MIX: Tracing and Protecting Mobile Wireless Nodes”, ACM Security of Ad-hoc & Sensor Networks (SASN) 2005, Alexandria, Virginia, USA, November 7, 2005.
Lai Tang*, Xiaoyan Hong, Susan Vrbsky, “Camouflaging Mobility for Itinerary Privacy in Mobile Ad-hoc Networks”, IEEE WoWMoM 08, Workshop on Security, Privacy and Authentication in Wireless Networks, Newport Beach, CA, June 23-27 2008.