1

Secure and Efficient Source Location PrivacyPreserving Scheme for Wireless Sensor Networks
Mohamed Elsalih Mahmoud and Xuemin (Sherman) Shen Department of Electrical and Computer Engineering University of Waterloo, Waterloo, Ontario, Canada, N2L 3G1
AbstractIn this paper, we propose a novel scheme for efficiently and securely preserving source nodes location privacy. Our scheme uses efficient cryptographic operations to change the packets appearance at each hop to prevent packet correlation. It also creates a cloud with irregular shape of fake traffic to enable the real source node to send its data anonymously to a fake source node to send to the sink and to camouflage the real source node in the nodes creating the cloud. To reduce the energy cost, clouds are active only during data transmission and the intersection of clouds creates a larger merged cloud to reduce the number of fake packets and boost privacy preservation. Simulation and analytical results demonstrate that our scheme can provide stronger privacy preservation than routing-based schemes and requires much less energy cost than global-adversary-based schemes.
Index TermsWireless sensor network privacy, source location privacy preserving schemes, context privacy, and anonymity.

I. INTRODUCTION Wireless sensor networks (WSNs) can be deployed for habitat monitoring and military surveillance [1]. When a sensor node detects an event, e.g., an endangered animal, it reports the event probably through multihop transmission to a data collector unit called the sink. However, since WSNs are usually deployed at unattended and open areas, the adversaries will make use of the traffic information to locate source nodes, e.g., to kill soldiers or hunt endangered animals. Global-adversarybased and routing-based privacy preserving schemes have been proposed to preserve the source nodes location privacy. The global-adversary-based schemes [2] assume that the adversary can monitor the data transmissions of the entire network, and the nodes send packets periodically, e.g., at fixed time slots, by sending dummy packets if they do not have sensed data, so that the adversary cannot know whether the packet is for real event or dummy packet. However, the assumption that the adversary can monitor the transmissions of the entire network is not realistic especially for large scale WSN. Moreover, transmitting dummy packets periodically not only consumes significant amount of the nodes limited energy and bandwidth, but also increases packet collision that decreases packet delivery ratio. Routing-based schemes [3-5] preserve a source nodes location privacy by sending its packets through different routes to make it infeasible for the adversary to trace back the movement of the packets from the sink to the source node because he cannot receive a continuous flow of packets. However, if the adversarys overhearing range is larger than the sensor nodes transmission range, the likelihood of capturing a large ratio of the packets sent from a source node and thus locating the node significantly increases [3]. In this paper, we propose a secure and efficient scheme for preserving source nodes location privacy. Efficient cryptographic operations are used to change the packets appearance at each hop to prevent packet correlation. Moreover, a cloud of

fake traffic with irregular shape is created to hide the source node within the group of nodes forming the cloud. The real source node sends the sensed data anonymously to a fake source node selected from the clouds nodes to send to the sink. Tracing the packets back to the source node is nearly impossible because the adversary cannot distinguish between the fake and real traffic and the real source node sends its packets through different fake source nodes. To reduce the energy cost, clouds are active only during data transmission, the nodes generate fake packets probabilistically, and the intersection of individual clouds creates a larger merged cloud to reduce the number of fake packets and boost privacy preservation. Moreover, our scheme uses energy efficient cryptosystems such as hash function and symmetric key cryptography and avoids the intensive energy consuming cryptosystems such as public-key cryptography. It also avoids large scale packet broadcasting and network-wide packet flooding. To determine the tradeoff between the energy cost and the strength of location-privacy protection, some parameters such as the cloud size can be tuned. Simulation and analytical results demonstrate that our scheme can provide much stronger protection for source nodes location privacy than routingbased schemes because in addition to varying the traffic routes, our scheme uses fake packets and changes the packets appearance at each hop. It also incurs much less energy cost than global-adversary-based schemes. The remainder of this paper is organized as follows. The related works are presented in Section II. In Section III, the network and adversary models are discussed. We present our privacy-preserving scheme in Section IV. Privacy preservation and overhead evaluations are given in Section V, followed by conclusion in Section VI. II. RELATED WORKS In global-adversary-based schemes, if an event is sensed between two time slots, the node should wait for the first time slot to transmit the data. To reduce the event delivery delay, Shao et al. [2] propose a statistically strong source privacy preserving scheme. The nodes try to send real packets after short delay with keeping them statistically indistinguishable from dummy packets. In [3], a routing-based source privacy preserving scheme called Phantom is proposed. Each packet takes a random walk to a random location before it is sent to the sink. However, the effectiveness of the scheme degrades when the adversarys overhearing range is more than the sensor nodes transmission range, e.g., in [3], it is shown that if the adversarys overhearing range is three times of the sensor nodes transmission range, the likelihood of locating source nodes is 0.97. Moreover, it is very likely that the routes will loop around the source node and branch to a random location that is not far from the

2 node. To resolve this problem, the source node can attach the direction of the random walk to the packet header, and each node in the random-walk route forwards the packet to a random neighbor in the same direction. However, once a packet is captured in the random-walk route, the adversary can get the direction information to the source node, which reduces the complexity of tracing the packets back to the source. Wang et al. [4] present a privacy-aware parallel routing scheme to maximize the time of tracing packets back to the source node. A weighted random stride routing that breaks the entire routing into strides is proposed. In [5], dynamically selected nodes in each route modify the packets to make tracing packets back to the source node unlikely. However, the adversary can trace the modified packets if there are only one or few transmissions. The proposed schemes in [6, 7] conceal the nodes network/MAC addresses in order to achieve anonymous communications for mobile ad hoc networks. However, these schemes employ different network and threat models from the ones suitable for the source location-privacy problem in sensor networks. III. NETWORK AND ADVERSARY MODELS The WSN is composed of the sink and a large number of sensor nodes which are interconnected through wireless links to perform distributed data collection. The sensor nodes are resource-limited devices with computation, communication, and sensing abilities, but the sink has much more computation and storage capabilities. The sink and the sensor nodes are stationary. The sink has two basic functions: a) broadcasting beacon packets to bootstrap our scheme; and b) collecting the data sensed by the sensor nodes. Each sensor node has a transmission radius of r meters and the communication in the network is bidirectional, i.e., any two nodes within wireless transmission range may communicate with each other. Multihop communication is used if the distance between a source node and the sink is more than r, where some sensor nodes (called relaying nodes) relay the source nodes packets. The adversary eavesdrops on the network traffic to locate source nodes. He resides at the sink and follows the packets movement to the source node. The adversary uses sophisticated devices that can accurately determine the location of the node that sends a packet. The overhearing range of the adversary can be multiple times of the sensor nodes transmission range because the sensor nodes are cheap and simple devices, but he cannot monitor the entire network. IV. PRIVACY PRESERVING SCHEME A. Pre-deployment and Bootstrapping Phase Before deploying the network, each sensor node A is loaded with a unique identity IDA, a shared key with the sink KA, and a secret key dA that is used to compute a shared key with any sensor node using identity based cryptography (IBC) based on bilinear pairing. According to [8], the bilinear mapping can be computed efficiently using the Weil and Tate pairings on elliptic curves. Using IBC, two sensor nodes with identity/private key pairs (IDA, dA) and (IDB, dB) can independently compute the shared key using one pairing operation and without exchanging messages as follows.
KAB = (H(IDB), dA) = (H(IDA), dB) = KBA

packet so that each node can know the shortest route to the sink which includes the identities of the nodes in the first received beacon. Every sensor node determines its location and notifies the sink using the shortest route. In order to assign fake source nodes, node A broadcasts Fake Nodes Request Packet (FREQ) that contains the maximum number of hops (hmax) the packet can be propagated. Each node adds its identity and broadcasts the packet if the number of hops is less than hmax; otherwise, it unicasts Fake Nodes Request Reply Packet (FREP) to node A containing the identities of the nodes in the route. Node A receives multiple FREP packets containing different routes with maximum number of hops of hmax. It chooses a group of nodes at different number of hops and unicasts the Fake Node Assignment Packets (FASS) to assign them as fake source nodes to its packets. For each FASS, node A adds the identities of the nodes in the route and a random value that will be used to generate pseudonyms shared between each two neighboring nodes in the route. To reduce the number of FASS packets, one packet can assign multiple fake source nodes, e.g., the end and some intermediate nodes. Finally, each node groups its one-hop neighbors in such a way that each group can send packets in different directions, e.g., by choosing the nodes in opposite directions in one group. An example for grouping a nodes neighbors is shown in Fig. 1. Node X divides its neighbors into three groups with four nodes in each group ({{A1, A2, A3, A4}, {B1, B2, B3, B4}, {C1, C2, C3, C4}}) in such a way that each group can send packets in different directions. Node X has also to share a key with each group. A simple way to do this is by computing the shared keys with its neighbors using bilinear pairing and sending the group key and random value encrypted with the shared key to each neighboring node. The random value will be used to create pseudonyms for the group.

Fig. 1: Grouping the one-hop neighbors of node X.

B. Event Transmission Phase As illustrated in Fig. 2, in this phase, the real source node sends events anonymously to fake source nodes to send to the sink, and simultaneously, a cloud of fake packets is activated to protect the source nodes location. 1) Pseudonyms If two nodes share a key, they can create a sequence of pseudonyms using one-way keyed hash function by iteratively hashing a random value. For example, the two nodes A and B which share the key KAB can create the following pseudonyms using the random value R and the hash function H():
, , , . , ,
() () () () () () ()

After deploying the network, the sink broadcasts a beacon packet and each node adds its identity and broadcasts the

Where: = ( , ) and = ( , ).

3 Obviously, with changing the random value, the two nodes can generate different pseudonyms using the same key, and thus, pseudonyms are not only used for identifying the sending and receiving nodes but also for identifying routes by using different random values for different routes. However, if a node does not receive a pseudonym, e.g., due to packet drop, the two nodes may lose pseudonym synchronization. To avoid this, each node uses a sliding window to match a received pseudonym against a window of expected pseudonyms. From Fig. 3, the expected pseudonym is number i but the node matches the pseudonyms with a sliding window of n pseudonyms. If the node receives pseudonym number i+1 instead of i, the node can identify the pseudonym and the starting point of the window is updated to the pseudonym number i+2. thenticity, and integrity. In order to enable the sink to know the location of the source node and the key it should use to decrypt () the message, the source node attaches its pseudonym ( ). Event_o is the event unique number. After receiving the packet, the neighbors of S first match the attached group pseu() donym ( ) to the expected ones. If a node cannot find the pseudonym in its table, it discards the packet, else it accepts the packet and updates the pseudonyms window to synchronize the pseudonyms with node S. For the group nodes, if a () node does not find the relaying nodes pseudonym (, ) in its table, it has to generate fake packets, else it relays the packet to the next node in the route to the fake source node. The relaying node (A) selects the group that contains the next hop relaying node (B) in the route to F, e.g., G2. Then, it () attaches the group pseudonym ( ) and the pseudonym () shared with node B (, ). The node reduces the hop counts (hG1{ }) to limit the propagation area of the fake packets that are generated as the event packet propagates. Node A encrypts the packet with the key shared with G2 and sends the following packet:
, , , (Event_o, hG2{}, () , ())
() ()

These procedures are repeated at each hop until the fake source node receives the packet anonymously as shown in Fig. 2. Since the packet is encrypted with different keys at each hop, it looks quite different as it is relayed from the real source node to the fake source node.
Fig. 2: Event transmission phase.

3) Fake Packets As the event packet is propagating from the real source node to the fake source, fake packets are sent to create a cloud of fake traffic. To generate fake packets, the node T chooses a group, e.g., G4, and sends the following fake packet, where Rand is a random value:
, Rand, (Event_o, hG4{}, () , ())
()

Fig. 3: Pseudonyms sliding window.

2) Real - Fake Source Nodes Route When a source node (S) wants to send data to the sink, it first picks up a fake source node (F) from its list of fake source nodes and a group (e.g., G1) that contains F, and sends the following event packet:
, , , (Event_o, hG1{}, () , ())
() ()

Where: () is the ciphertext of message encrypted with KS.

is the pseudonym shared between node S and sink. () is the pseudonym shared between S and G1. () , is the shared pseudonym between S and the relaying
()

The source node encrypts the message with the shared key with the sink (KS) to provide message confidentially, au-

node A in the route to the fake source node F. hG1{} is the number of hops the fake packets are relayed. is an encryption with the shared key between S and G1.

Since the nodes of G4 cannot find Rand in their pseudonyms tables, the nodes will generate fake packets. The nodes have also to decrease the hop counts (hG4{ }) to limit the propagation area of the fake packets. Once the hop count reaches zero, the nodes stop generating fake packets. For example, if the group G has the three nodes N1, N2, and N3, the hop counts hG{2, 4, 3} means that the fake packets will be relayed two, four, and three hops through the nodes N1, N2, and N3, respectively, and the nodes reduce the hop counts to be {1, 1, 1}, {3, 3, 3}, and {2, 2, 2}, respectively. In this way, the source node can determine the hop counts so that its location can be anywhere in the cloud and the cloud shape is irregular and changeable each time the source node sends an event. To prevent generating multiple fake packets for one event when the nodes receive the same packet from different neighbors, all the packets with the same Event_o are processed once. If a node receives multiple packets from multiple clouds during time , it sends only one fake packet, e.g., for the packet that has larger number of hop counts. This cloud merging can reduce the number of fake packets and boost privacy protection because the merged cloud has more nodes. 4) Fake Source Node - Sink Route () From the pseudonym , , the fake source node can know that the packet has to be sent to the sink. As shown in Fig. 2,

4 the fake source node sends the packet to the first node in the route to the sink. The packet contains a pseudonym shared () with the next hop node ( ) and the message and the source nodes pseudonym encrypted with the shared key with the sink. Each relaying node re-encrypts the packet with the shared key with the sink and replaces the pseudonym with the one shared with the next node in the route. As the packet propagates to the sink, the neighboring nodes do not send fake packets because they cannot find the packets pseudonym in their tables. When the sink receives the packet, it checks the pseu() donym ( ) to determine the keys it should use to remove the encryption layers to recover the message. V. EVALUATIONS A. Privacy Preservation 1) Analysis For pseudonyms unlinkability, generating or correlating pseudonyms is infeasible without knowing the secret key used in generating them. This property is important because if an adversary could link a pseudonym to a node, he will not benefit from this conclusion in the future. In our scheme, Even if there is only one transmission, the fake packets can make pseudonyms linkability infeasible because the adversary cannot distinguish between event and fake packets. For packets content correlation, if the packets of a flow (or a cloud) have a fixed or distinguishable part that does not change at each hop, the adversary can identify the packets flow (or the cloud). The hop-by-hop decryption/encryption operations and changing pseudonyms can make the packets of one flow look different at each hop. For time correlation, the adversary may observe the correlation in transmission time between a node and its neighbor attempting to deduce the forwarding path. To obfuscate the temporal relationship between the transmissions of consecutive hops, each node can delay relaying the packets for a random amount of time and buffered packets can be reordered. Using fake packets can make time correlation nearly impossible because the random nature of the channel access in MAC protocols introduces randomness to the transmissions times. For fake and real source nodes unlinkability, if an adversary could locate a fake source node, he cannot get any information about the location of the corresponding real source node. This is because each real source node sends packets to multiple fake sources, each fake source serves multiple real sources. Even if the adversary eavesdrops on both the real and fake source nodes, he cannot link them because the packets look different. For source node and sink unlinkability, if the adversary eavesdrops on a source node and the sink, he cannot link the packets. For cloud shape and source node unlinkability, if a strong adversary could trace a part of a cloud or all the cloud, he cannot get any information about the source nodes location because the shape of the cloud is changeable. For merged-cloud splitting attack, the adversary cannot reduce the size of a merged cloud, e.g., to reduce the anonymity set because the traffic of the individual clouds is indistinguishable. For packet tracing attack, it is unlikely that the adversary will continuously receive event packets from the same source node because the packets are sent through different fake source nodes that can be far from each other. Moreover, event packets sent from the same real source nodes or the same fake source nodes at different times are uncorrelated. Even if the adversary captures the same packet at different relaying nodes, the packets are uncorrelated. Actually, fake packets can make tracing packets from the fake source node to the real one infeasible. When a node sends a packet, any neighboring node can be the receiver of the packet, but it is infeasible to figure out the receiver because it is infeasible to know the owner of the pseudonym and more than one neighbor send packets (fake and real). For packet-replay attack, the adversary tries to replay old packets repeatedly in order to observe the repeated pattern of packet forwarding, e.g., to figure out the network topology to locate source nodes. This is infeasible because the adversary cannot compute fresh pseudonyms and the nodes drop the packets if they could not recognize the pseudonyms. For event packets flow recognition attack, the adversary attempts to recognize the flow of real packets to identify the source node or at least a small area around it. In our scheme, the event and the fake packets are indistinguishable and the adversary cannot correlate an event packet as it is relayed from the real source node to the fake source. Routing-based schemes use privacy metric called safety period which is the number of packets the adversary has to capture in order to move from the sink to the source node. Stronger privacy protection can be achieved with increasing the safety period. This metric is not accurate because it measures the best case when the adversary resides at the sink but if the adversary could capture a packet at any relaying node, the safety period decreases. Moreover, if the monitored objects spend some time in one location, the adversary can capture enough packets to locate them even if the safety period is large. We use an information-theoretic measure called entropy to measure the privacy protection provided by our scheme. The entropy of identifying the real source node in a cloud is given in Eq. 1, where P is the probability that node i is the source node, nc is the number of nodes in the cloud, and P = 1. The entropy characterizes the adversarys uncertainty about the location of the source node in the cloud. The maximum entropy and thus the maximum anonymity level can be achieved when the probabilities P pursue a uniform distribution, i.e., when the adversary believes that all the nodes in the cloud have the same probability to be the real source node or Pi = 1/nc. The maximum entropy (EnM) is given in Eq. 2.
En(X) = P log (P )

(1) (2)

log = log n

Since not all the nodes in the geographic area of a cloud send fake packets, the adversary may overestimate the anonymity set if he does not have a complete view to the traffic in the cloud. For example, if a cloud has nc of 50 nodes that send fake packets and the geographic cloud size (ng) has 150 nodes, the actual anonymity set is nc, but the anonymity set seen by the adversary will be ng-nd, where nd is the number of nodes the adversary can know that they do not send fake packets and nd ng-nc. The amount of information the adversary can gain from knowing that nd nodes do not send fake packets can be expressed by the degree of anonymity (D) given in Eq. 3. The minimum degree of anonymity is given in Eq. 4 when the adversary can identify all the nodes that do not send fake packets. Fig. 4 shows that the increase of nd decreases the degree of anonymity, the increase of ng regardless of nc increases the

5 degree of anonymity, and the decrease of nc can decrease the minimum anonymity level.
D = 1Dmin =
()

()

( )

(3) (4)

B. Energy Cost From [9, 10], the consumed energy for performing one encryption/decryption operation using AES is 1.21 J per byte, and the consumed energy for pairing and SHA-1 hashing operations are 25.5 mJ and 0.76 J per byte, respectively. The pairing operations consume relatively higher energy than the hashing and symmetric key encryption/decryption operations. However, pairing operations are used only one time in the network lifetime because keys can be stored after they are computed due to the static nature of the network topology. Pseudonyms do not require large storage space, energy, or computational power because they are computed by the efficient hashing operations. Comparing to global-adversary-based schemes, our scheme uses fake packets more efficiently by sending them only if there is an event, and the fake packets are sent in the active cloud instead of flooding the entire network, and cloud merging can reduce the number of fake packets. VI. CONCLUSION We have proposed a source location privacy-preserving scheme that creates a cloud of fake packets around the source node, varies traffic routes, and changes the packets appearance at each hop. Simulation and analytical results have demonstrated that our scheme can provide high privacy preservation comparing to routing-based schemes because packet uncorrelation and fake packets can boost the privacy protection and make packet back tracing nearly impossible. Our scheme can also better preserve the source nodes location privacy when the monitored objects stay for some time in one location because clouds have irregular and changeable shape and back tracing the packets from the fake source node to the real one is nearly impossible. Moreover, our scheme requires much less energy cost than global-adversary-based schemes and the intersection of individual clouds creates a larger merged cloud for higher privacy protection and less number of fake packets. REFERENCES
[1] Y. Fan, Y. Jiang, H. Zhu, J. Chen, and X. Shen, Network coding based privacy preservation against traffic analysis in multi-hop wireless networks, IEEE Trans. on Wireless Communications, vol. 10, no. 3, pp. 834-842, 2011. [2] M. Shao, Y. Yang, S. Zhu and G. Cao, Towards statistically strong source anonymity for sensor networks, Proc. of IEEE INFOCOM08, pp. 5159, Phoenix, Az, USA, April 2008. [3] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, Enhancing source location privacy in sensor network routing, Proc. of IEEE International Conference on Distributed Computing Systems (ICDCS05), pp. 599608, Columbus, Ohio, USA, 6-10 June 2005. [4] H. Wang, B. Sheng, and Q. Li, Privacy-aware routing in sensor networks, Computer Networks, vol. 53, no. 9, pp. 15121529, 2009. [5] K. Pongaliur and L. Xiao, Maintaining source privacy under eavesdropping and node compromise attacks, Proc. of IEEE INFOCOM, Shanghai, China, April 10-15, 2011. [6] M. Mahmoud and X. Shen, Lightweight privacy-preserving routing and incentive protocol for hybrid ad hoc wireless networks", Proc. of IEEE INFOCOM, International Workshop on Security in Computers, Networking and Communications (SCNC), Shanghai, China, April 10-15, 2011. [7] M. Mahmoud and X. Shen, Anonymous and authenticated routing in multihop cellular networks, Proc. of IEEE International Conference on Communications (IEEE ICC'09), pp. 839-844, Dresden, Germany, June 14-18, 2009. [8] D. Boneh and M. Franklin, Identity based encryption from the Weil pairing, Proc. of Crypto01, LNCS, Springer-Verlag, vol. 2139, pp. 213-229, 2001. [9] N. Potlapally, S. Ravi, A. Raghunathan, and N. Jha, A study of the energy consumption characteristics of cryptographic algorithms and security protocols, IEEE Transactions on Mobile Computing, vol. 5, no. 2, pp. 128-143, March-April 2006 [10] Y. Zhang, W. Liu, W. Lou, and Y. Fang, Location-based compromisetolerant security mechanisms for wireless sensor networks, IEEE Journal on Selected Areas Communication, vol. 24, no.2, pp. 247-260, 2006.

Fig. 4: The degree of anonymity versus nd. Table 1: The probability of locating the source nodes. nS t Our scheme Phantom (hw = 4) Phantom (hw = 8) 1 1 25 3 1 0.4 0.05 0.1 0.08 0.27 0.7 0.15 0.41 0.33 50 3 0.12 1 0.9 1 0.02 0.24 0.13 25 3 0.06 0.68 0.4 1 0.04 0.39 0.33 3 50 3 0.07 1 0.88

Scheme

2) Simulation Results We built up a simulator to evaluate the privacy protection of our scheme and routing-based schemes. 4000 nodes are randomly deployed over 3500 m 3500 m network field and the sink is located at the center of the network. The nodes radio transmission range is 50 m and the attackers overhearing range is ( 50) m. nS source nodes are located in one random location and fixed during the simulation runs. Event transmission rate is 1/30 seconds and h{ } is six at the source node. For Phantom routing, the number of hops for random walk (hw) is four and eight which correspond to 248.76 and 503.69 meters. The results are averaged over 100 runs and the simulation is run for t minutes. Each run ends when the adversary locates the source nodes or the simulation time expires. The simulation results given in Table 1 indicate that the attacker will more likely locate the source nodes with increasing its overhearing range, but this likelihood is much less in our scheme because packets are uncorrelated and back tracing the packets from the fake source node to the real one is nearly impossible. Moreover, when the monitored objects stay for some time in one location, the attackers can locate them more likely because they can intercept more packets. However, in the runs that the adversary could be close to the cloud in our scheme, back tracing packets was impossible and the few times the adversary could locate the source nodes were random, which indicates that what an adversary can do in a cloud is exhaustive search. For Phantom, the increase of the source nodes number has little impact on the probability of locating the source nodes because packets are correlated, i.e., the adversary can identify the packets of one flow, but packet uncorrelation in our scheme can boost the privacy protection.