Preserving Location Privacy in Wireless LANs - PowerPoint PPT Presentation

Loading...

PPT – Preserving Location Privacy in Wireless LANs PowerPoint presentation | free to view - id: 4a8fe-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Preserving Location Privacy in Wireless LANs

Description:

... Privacy ... Location privacy is the ability to prevent other parties from ... Technical Journal, 27:379 423, 623 656 Entropy ( metric of privacy level ) ... – PowerPoint PPT presentation

Number of Views:96
Avg rating:3.0/5.0
Slides: 58
Provided by: abc776
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Preserving Location Privacy in Wireless LANs


1
Preserving Location Privacy in Wireless LANs
  • Presented by
  • Alvin Yonggang Yun
  • April 9, 2008

CSCI 388 - Wireless and Mobile Security
2
Authors
  • Tao Jiang University of Maryland
  • Helen J. Wang Microsoft Research
  • Yih-Chun Hu University of Illinois
  • Presented MobiSys07,
  • June 1113, 2007,
  • San Juan, Puerto Rico, USA

3
Do you care someone know where you are?
4
Someone does care location privacy
5
220,000 Cell Towers Can Find You
6
Location-based Services
Location-based Networking (Always connected
Continuous services)
Location-based Fitness Assistant and Shopping
Assistant
7
Location and Location Privacy
  • Location Information can be obtained through
    direct communication with the respective entity
    or through indirect means such as observation and
    inference.
  • The claim/right of individuals, groups and
    institutions to determine for themselves, when,
    how and to what extent location information about
    them is communicated to others.
  • Location privacy is the ability to prevent other
    parties from learning ones current or past
    location

8
Problem
  • Broadcast nature of wireless networks and
    widespread deployment of Wi-Fi hotspots makes it
    easy to remotely locate a user by observing
    wireless signals.
  • Location information can be used by malicious
    individuals for blackmail, stalking, and other
    privacy violations.

9
  • Balance

Location Privacy
Location-based Services
Whats NEW? Adjustable Privacy Entropy More
detail below
Privacy
10
Paper Overview
  • So, how to improve location privacy?
  • Obfuscate 3 types of privacy-compromising
    information
  • Sender identity
  • Time of transmission
  • Signal strength

11
Paper Overview
  • Why? Because of 5 types of leakage of location
    information in the course of wireless
    communications
  • Sender node identity
  • Time
  • Location
  • Receiver node identity -- resolved MIX-net or
    Crowd
  • Content -- resolved encryption

12
FOCUS
  • Anonymize the user or node identity with
    frequently changing pseudonyms MAC address in
    this paper
  • Unlink different pseudonyms of the same user with
    silent periods optimal model
  • Reduce the transmission range through transmit
    power control

13
Design Overview
  • Driven by real-system implementation and field
    experiments along with analysis and simulations
  • Privacy level available to choose, for both
    privacy-sensitive users and non-
    privacy-sensitive users.
  • Evaluate system based on real-life mobility data
    and wireless LAN coverage

14
Research Background
  • Y.-C. Hu and H. J. Wang. Location privacy in
    wireless networks. In Proceedings of the ACM
    SIGCOMM Asia Workshop, Beijing, 2005. extension
    and improvement
  • M. Gruteser and D. Grunwald. Enhancing location
    privacy in wireless LAN through disposable
    interface identifiers a quantitative analysis.
    In WMASH 03
  • L. Huang, K. Matsuura, H. Yamane, and K. Sezaki.
    Enhancing wireless location privacy using silent
    period.
  • C. Shannon. A mathematical theory of
    communication. Bell Systems Technical Journal,
    27379423, 623656 Entropy ( metric of privacy
    level )

15
Related Work
  • Location technologies RF-based
  • Application-Level Location Privacy
  • Network-Level Location Privacy
  • RF Fingerprinting

16
Related WorkLocation technologies
  • Only consider RF-based localization systems
  • Location accuracy achievement
  • Indoor --- lt 1 meter in 50 time
  • Outdoor --- 15-30 meters as median
  • Two phases
  • Training phase war-driving to collect a
    large amount of signal data
  • Positioning phase compare to the radio map

17
Related WorkApplication-Level Location Privacy
  • Anonymous usage of location-based services
    through spatial and temporal
  • Design protocols and APIs that consider the
    privacy issues in the transfer of location
    information to external services
  • Target location information provided by
    applications
  • This paper Privacy of location information that
    can be inferred from the wireless transmissions
    of network users

18
Related WorkNetwork-Level Location Privacy
  • Frequently changing user pseudonyms blind
    signatures for anonymous communication
  • Silent periods
  • Pseudo-randomly chosen channel assume AP
    operator is trusted

19
Related WorkNetwork-Level Location Privacy
  • Frequently changing user pseudonyms blind
    signatures for anonymous communication vs
    Sender identity with MAC changing
  • Silent periods vs Opportunistic Silent
    periods
  • Pseudo-randomly chosen channel vs Reduce
    transmission power less APs in range -- even AP
    cannot be trusted

20
Anonymous Communication
  • Bob and the Server want to prevent outsiders from
    knowing the fact that they are communicating -
    Unlinkablility
  • Bob wants to prevent the server from knowing its
    identity - Sender (Source) anonymity

21
Related WorkNetwork-Level Location Privacy
  • Definition
  • Silent period The time when privacy-sensitive
    users intentionally do not transmit, in order to
    reduce the effectiveness of correlation based on
    mobility pattern of users
  • Opportunistic silent period Optimal silent
    period calculation methodology

22
Related WorkNetwork-Level Location Privacy
  • Again
  • Obfuscate 3 types of privacy-compromising
    information
  • Sender identity
  • Time of transmission
  • Signal strength

23
Related WorkRF Fingerprinting
  • Requires high speed and high resolution
    Analog-to-Digital Converter Expensive to deploy
  • Prevented by intentionally adding strong noise
  • The paper cant resolve this, important future
    work

24
Attacker Model
  • Silent attackers sniffer, do not emit any
    signals, only listen and localize mobile users
  • Exposed attackers network providers,
    trustworthy? How about accidentally leak
  • Active attackers adjust base station
    transmission power
  • Passive attackers no change on base station

25
Measure of Privacy
  • How good we can preserve location privacy?
  • We need to quantify
  • Privacy Entropy

Given an attacker and the set of all mobile users
U, let be the bservation of the attacker about
the user at some location L. Given observation
, the attacker computes a probability
distribution P over users Entropy is the number
of bits of additional information the attacker
needs to definitively identify the
user. Probability () 1 ? enough information
to identify the user
26
Ways to go
  • Pseudonym for sender identity
  • Opportunistic Silent Period for transmission time
  • Transmit power control for signal strength

27
Pseudonym
  • Anonymity is a prerequisite for location privacy
  • User must use frequently chahging pseudonyms for
    communications
  • Pseudonyms MAC address, IP address

28
How to choose pseudonym?
  • Important! Avoid address collisions
  • Let AP assign MAC addresses to users/clients
  • Join Address(well known address) is used to avoid
    MAC conflicts
  • MAC Address is got from the MAC address pool
  • Nonce Cryptographic nonce, a 128-bit string
    used only once for multiple simultaneous requests

29
How to choose pseudonym?
  • Why not choose IP address?
  • MAC is enough, we do not need to extract and
    obfuscate application layer user identities
  • Sources cannot easily communicate with AP during
    IP changes ( trusted anonymous bulletin boards
    with cryptographic mechanisms is used )

30
When to change pseudonym?
  • Opportunistic Silent Period
  • ONLY allows address changes just before the start
    of a new association ( between client and AP )
  • H (N)
  • Attacker can attempt to correlate different
    pseudonyms with the same user. Silent period can
    reduce such correlations.

31
Opportunistic Silent Period
  • During silent period, a user does not send any
    wireless transmissions
  • The effectiveness of silent periods depends
    heavily on user density. ( higher ? better )
  • Forced silent periods can disrupt communications.
    Opportunistic silent period minimizes disruption,
    which takes place during idle time between
    communications

32
Opportunistic Silent Period
  • Data shows opportunistic silent periods are quite
    suitable for WLAN

CDF of session duration from Dartmouth
campus-wide WLAN trace
CDF of Duration between Sessions from Dartmouth
campus-wide WLAN trace
33
Methodology for choosing a Silent Period
  • Efficacy of silent period depends on user density
  • Mobility pattern data consists lt time,
    pseudonym, location gt
  • Probability that user i is linked to the new
    pseudonym among the Candidate
  • Pi is the probability distribution used for
    privacy entropy

34
Maximize privacy entropy
  • Previous work shows the silent periods must be
    randomized ( no detail in this paper )
  • Random silent period Td Tr
  • Td deterministic silent periods ( previous
    work )
  • Tr between 0 and
  • So, larger offers better possible
    privacy?
  • Not necessary

35
Case Study
  • Mobility data of Seattle bus system
  • 5-days training set and 8-hour test set

36
Case Study
  • Mobility data of Seattle bus system
  • 5-days training set and 8-hour test set

37
Maximize privacy entropy
  • Choose
  • close to but not greater than 12 minutes

38
  • Balance

Location Privacy
Service Quality
Optimal silent period upper bound on the
necessary silent period
Privacy
39
Control Signal Strength
  • Reduce Location Precision number of APs within
    the users communication range
  • Transmit power control(TPC) minimize the number
    of APs in the range while ensuring at least one
    AP for connectivity ( assume APs do not adjust
    transmit power )
  • TPC scheme hold transmit power to the lowest
    possible productive level to minimize imposed
    interference

40
RSS-based Silent TPC
  • Mobile station must perform TPC silently
  • The only information available to mobile station
    is the received signal strength(RSS) from APs
    within range
  • Challenging due to reflection, scattering,
    multipath fading and absorption of radio waves

41
Asymmetry and Variations of Channels
  • Goal determine the relationship between the two
    directions of a channel and use the path loss in
    one direction to infer the loss in the other
    direction
  • Two scenarios
  • corner of an office
  • open outdoor space

42
Asymmetry of 802.11 channels
  • RSSI reading for both directions are strongly
    correlated

43
Path loss margin (PLM)
  • Definition PLM is the magnitude of the maximum
    difference between path losses in opposite
    directions that result from environmental
    influences and wireless channel asymmetry

44
PLM calculation
45
PLM calculation
46
PLM calculation
  • From the experimental results on path asymmetry
    and variation above, we choose PLM
  • 11.3dB for indoor
  • 10.5dB for outdoor
  • So, PLM 10 dB

47
Silent TPC Design
  • Design Goal adjust transmit power of mobile
    station(no AP), to reduce the numbers of Aps in
    range by only using the path loss observed from
    the opposite direction of the path, from the
    in-range Aps to the mobile station
  • The minimum signal strength reaches AP must be
    greater than RS

48
TPC vs RSSI
Transmission power is controlled by configuration
parameters provided by Atheros drivers
49
Silent TPC Scheme
  • TPC scheme can work only when receive signal
    strength of two APs differs by at least 20 dB

50
Effectiveness of Silent TPC
  • More than 73 of the sports(356) have RSS
    difference more than 20dB, and can use TPC to
    improve privacy

51
APs in range between TPC
52
Operational Model
Alert Message
User Interface Privacy Mode
53
Operational Model
54
Contributions
  • Solution to preserve better location privacy
  • Solution can be applied to cellular networks
  • Frequently change pseudonyms (MAC)
  • Pause opportunistically for silent period
  • Perform silent TPC to reduce the location
    precision

55
Future work
  • The system sacrifice service quality, not good
    for real-time application
  • Silent TPC scheme reduces the signal-to-noise
    ratio received at AP, and reduces the
    transmission data rate
  • Wireless card rate control

56
My thoughts
  • MAC address selection model is vulnerable to
    Man-in-the-middle attack and DoS attack
  • Tr(max) should be different from various
    scenarios/conditions, hard to implement TPC in
    reality
  • TPC scheme has 20dB limit, big concern for better
    AP deployment
  • Not all wireless drivers support TPC

57
(No Transcript)
About PowerShow.com