- About this Journal ·
- Abstracting and Indexing ·
- Aims and Scope ·
- Annual Issues ·
- Article Processing Charges ·
- Author Guidelines ·
- Bibliographic Information ·
- Citations to this Journal ·
- Contact Information ·
- Editorial Board ·
- Editorial Workflow ·
- Free eTOC Alerts ·
- Publication Ethics ·
- Recently Accepted Articles ·
- Reviewers Acknowledgment ·
- Submit a Manuscript ·
- Subscription Information ·
- Table of Contents
International Journal of Distributed Sensor Networks
Volume 2013 (2013), Article ID 601462, 14 pages
An Efficient and Lightweight Source Privacy Protecting Scheme for Sensor Networks Using Group Knowledge
1Department of Computer Science, Minjiang University, Fuzhou, Fujian 350108, China
2School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan, Hunan 411201, China
3College of Information Science and Technology, Bohai University, Jinzhou, Liaoning 121013, China
Received 20 December 2012; Accepted 10 March 2013
Academic Editor: Yanmin Zhu
Copyright © 2013 Zhiqiang Ruan et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Providing source privacy is a critical security service for sensor networks. However, privacy preserving in sensor networks is a challenging task, particularly due to the limited resources of sensor nodes and the threat of node capture attack. On the other hand, existing works use either random walk path or fake packets injection, both incurring tremendous overhead. In this work, we propose a new approach, which separates the sensor nodes into groups. The source packet is randomly forwarded within and between the groups with elaborate design to ensure communication anonymity; furthermore, members of each group exchange encrypted traffic of constant packet length to make it difficult for the adversary to trace back. One salient feature of the proposed scheme is its flexibility of trading transmission for higher anonymity requirement. We analyze the ability of our proposed scheme to withstand different attacks and demonstrate its efficiency in terms of overhead and functionality when compared to existing works.
Wireless Sensor Networks (WSNs) are explored to be used in many applications ranging from military strategy to civilian purposes. Although a sensor node has certain limitations like low processing capabilities and battery supplement, the smaller size and the cost of the sensor node helps to be unspectacular in the sensing area and is useful for tracking events without being recognized.
The sensor nodes usually adopt wireless communications mode when deployed in open and harsh environments, which makes data transmissions overheard by the vicinity sensor nodes or other wireless devices. Without precaution, the adversary can overhear packet transmission and trace back the packet to the source. This can lead to the leakage of source position and the time of event packet taken place. In view of a mission critical military application, any revelation of information such as time or event location can be beneficial to the adversary and costly to the network goal. Therefore, privacy of the monitored event holds great importance that requires providing privacy to source nodes.
Source privacy is usually compromised by the contextual information of a packet, but not by the actual content of the packet. Specifically, a packet consists of a payload and a header. The payload part can be encrypted with cryptography methods to prevent adversaries from learning the information carried in intercepted packets, while the header part has to be left in clear to provide multihop routing. Hence, attackers can learn packet original source and final destination from packet headers. A viable solution is allowing neighboring nodes to establish pairwise keys whereby to encrypt packet sources and destinations. However, this countermeasure may become invalid in the presence of compromised nodes. Therefore, source privacy cannot be addressed by encryption alone.
Traffic analysis  enables attackers to infer the network traffic pattern and real packet sources/destinations. If noticing that a few nodes often act as packet source, the adversary may think these nodes are important and launch targeted attacks on them. Providing communication anonymity has been regarded as an effective solution against traffic analysis [2–4] because the adversary can no longer distinguish true sources from intercepted packets.
Plenty of work is guided towards applying some form of simulating the source [5–9] or performing a random walk [5, 10] to guarantee source privacy. One primary drawback of these approaches is that a large amount of overhead is incurred to simulate a source or to redirect traffic randomly. Besides, recent works only consider eavesdropping attacks; however compromised nodes are not considered as part of the threat model where an adversary can easily capture any of sensor nodes. In this work, we consider a rather strong threat model in which the adversary can compromise nodes and is able to eavesdrop over the network communication. An example of such an adversary is a laptop class attacker who has more powerful capability to execute higher strength calculation. When a node is compromised, the adversary has access to all the cryptographic information along with data packets of past communications stored at the node.
This paper aims to protect source privacy against both passive attacks (global eavesdroppers) and active attackers (node compromise attack) as well as to guarantee fundamental security requirements such as confidentiality, data integrity, authentication, and nonrepudiation.
The contribution of the paper is as follows. We present an efficient and lightweight source privacy guaranteeing mechanism (ELSP), which applies Identity-Based Cryptography (IBC) method to complement other techniques. First, sensor nodes are organized into pairwise disjoint groups (or sets) to hide real packet sources among crowds of nodes. In order to conceal source identity, packet sources use pseudonyms instead of their real IDs so that any other nodes cannot ascertain the initiators of received packets. Our work differs from previous works in that pseudonyms generation does not introduce a central authority. Second, to provide strong communication anonymity, a random packet-forwarding strategy is presented. The source no longer sends packets along the shortest path to the destination. On the contrary, it randomly selects several forwarding nodes within each group to confuse the adversary. More importantly, members of each group exchange encrypted traffic of constant packet length to make the path untraceable. Each intermediate router (referred to as key node), only knowing its predecessor and successor, strips off one layer of encryption, and eventually, the receiver obtains the packet in plaintext. Finally, ELSP provides provably strong source anonymity against different attacks. One salient feature of ELSP is its flexibility of trading transmission for higher anonymity requirement. A detailed analysis of ELSP is provided, and a comprehensive comparison with existing schemes is presented to show its effectiveness and efficiency.
The rest of this paper is organized as follows. Section 2 reviews the existing work on source privacy, and Section 3 presents the models and design goals. Next, we describe the ELSP scheme in Section 4, followed by the detailed analysis and performance evaluation in Section 5. Finally, we have the conclusions in Section 6.
2. Related Work
Recently, source privacy in sensor networks has drawn widespread concern. Kamat et al. proposed a phantom routing protocol for flooding and single path routing . They were the earliest researchers to study source privacy and present multiple techniques to guarantee the objective. One technique uses fake sources with nodes sending fake packets to mislead the adversary. The other technique is called phantom routing which takes a random walk before forwarding the packet towards the base station in order to increase the cost of the adversary to backtrack to the source. Although the schemes are robust, they have a large overhead involved and can not withstand the collaborative attacks.
Mehta et al. similarly propose two schemes called per iodic data aggregation and source simulation to overcome global eavesdropping attacks . The source simulation scheme is similar to the fake sources technique proposed in . In per iodic aggregation scheme, each node reports back to the base station per iodically, regardless of whether it detects an event or not. The drawback of per iodic collection scheme is the latency incurred as well as overhead, while in source simulation scheme, it is the overhead introduced.
Wang et al.  propose a parallel-routing protocol to maximize the time for adversary traceback to source. The packets from the same source are passed through different paths to the base station. Furthermore, a weighted random stride routing is presented that breaks the entire routing into rounds. Li et al.  adapt the conventional function of data mules to design a new protocol for securing source location privacy, namely, the Mules-Saving-Source (MSS) protocol, which provides a-angle anonymity. Although they are nice schemes, one of the prerequisites is that the sensor location should provided for determining the forwarding angle. Moreover, they be fail in protecting source privacy in case of a global eavesdropping adversary.
In , the authors propose a scalable hop-by-hop authentication scheme based on elliptic curve cryptography (ECC), which enables any intermediate node to transmit an unlimited number of messages without determining the degree of threshold suffering in the polynomial-based scheme [13, 14]. They further propose a scheme to provide source location privacy through routing to a randomly selected intermediate node and a network-mixing ring . Although these two schemes can provide comparable source privacy, the first scheme brings another problem of handling the selection of the AS (ambiguity set), while the second scheme again involves taking a random walk.
Nezhad et al. devise a label-switching based technique to meet source and base station anonymity . One of the restrictions is the requirement of global network information with which the base station constructs a routing tree. Each link of the routing path has a separate label when a node receives a packet, it changes the label of the packet to the upstream link and the packet gets propagated. Except for the base station demanding global knowledge of the network, each node has to perform exhaustive processing and reconstruction of the packets routing over them.
Shao et al. proposed FitProbRate , an exponentially distributed dummy traffic generation scheme, to maintain source anonymity. This work differs from other similar works with the dummy traffic generated at a dynamic rate decided by the Fitprob parameter. It is a great improvement over source simulation and fake sources but still has the drawback of having overhead due to dummy packet generation.
There is some other literature that considers privacy issue in WSNs. Chai et al.  provide the sink-location privacy against a powerful adversary with a global view, but it not considered the source privacy, which is the main focus of this paper. Chow et al.  focused on providing both location-monitoring services and source privacy. Di Pietro and Viejo  addressed the problem of querying by the base station to provide the MAX of sensor-stored readings and get a trade-off between accuracy of the result and overhead. Li and Hwang  propose a lightweight anonymous routing protocol in secure wireless ad hoc networks. Therefore, they are orthogonal to our paper.
All the works discussed by now just consider a passive adversary. Most consider a local eavesdropping adversary with a few providing solution about global eavesdropping adversary. In ELSP, we consider an eavesdropping adversary having node compromising capabilities. We present a packet-altering scheme, which has lesser overhead compared to existing schemes. Also, when compared to a label-switching scheme as , ELSP does not need every node on the path to perform packet transformation and does not need the base station to be aware of the network topology.
Our work is partly inspired by Mix Nets  and Crowds . In particular, Crowds is used for intragroup communications; each packet travels a random path whose length follows a given geometric distribution. Since each packet may traverse a group through different number of nodes, each group in fact serves as a virtual mix through which packets are mixed.
3. Models and Design Goals
3.1. Network Model
We consider the sensor network comprised of homogeneous sensor nodes spread over a wide area. The sensor nodes are responsible for detecting events and reporting back to the base station. The base station is assumed to be secure and has unlimited resources when compared to the general sensor nodes. The occurrence of the events can be irregular and random in nature. ELSP can be used for many applications requesting source node privacy protection. A class of applications is used to track endangered animals or birds. The existences of such species need to be preserved from hunters or poachers as they have potential market value; meanwhile, they need to be studied. In a word, we consider the sensor network deployed in a wild for sensing endangered animals (e.g., South China tiger). It is a homogeneous network with small size sensor nodes dispersed over a vast area. Sensor nodes sense their environment for the presence of endangered species and report back to the base station. Note that multiple sensor nodes can detect the event simultaneously, and they will independently report it back to the base station.
The base station collects the packets and identifies the emergence of the tracked object and studies the hunting way and their living conditions. Given the tracked object being swoop and swift, we can have multiple nodes detecting the event in a specified time, and then not having any detection for a long time. We are based on the following consideration: if the animal appears somewhere, it did so to either prey or to have a rest, and this increases the possibility of the animal haunting to that location thereby needing source location privacy for the detecting packet. The event in some applications can be sporadic, but there are still other communications between the sensor nodes, resulting in the generation of packet traffic.
3.2. Attack Model
Since the high profits are brought from animal hunting, it is no wonder that the adversaries would equip themselves with advanced equipment, which means they have overwhelming technical advantages over general sensor nodes, such as sufficient energy resource, powerful computation capability, and large storage space. Therefore, the adversaries can overhear communication at much larger distances compared to a sensor node. They also possess the ability to compromise nodes. Specifically, the adversaries can operate the following two modes.
3.2.1. Global Eavesdropping Mode (External Attacks)
The adversary in this mode can carry out passive attacks, such as eavesdropping of the communications and can correlate the transmission of the packet over multiple hops. Although the adversary may not able to ascertain the contents of the packet, it has the capability to compare two packets. Note that the adversary will not interfere with the function of the network, such as destroying sensor nodes, altering the routing path, or modifying packets because such activities can be easily identified.
3.2.2. Stealth Mode (Internal Attacks)
The adversaries in this mode can compromise sensor nodes and get access to all the cryptographic information stored on them. They can further decode the packet and get information as available to any rightful sensor node. The adversary can compromise sensor nodes randomly from the network or geographically close to each other (e.g., neighboring nodes).
The goal of an attacker is to acquire the location and time of event occurrence, either by passive eavesdropping or active node compromise. In the worst case, the adversary may employ both.
3.3. Design Goals
The objective of this paper can be summarized as follows.(1)The adversary can not get the source information by analyzing the traffic pattern.(2)The adversary can not get the source information, even though a few network nodes are compromised.(3)Only the base station can distinguish the source location through the messages received. The recovery of the source information from the received message should be very efficient.(4)The length of each message must be as short as possible to save the energy of sensor node.
For the sake of clarity and convenience for the readers, we list some major notations in Table 1 to be used throughout this paper.
4. The Proposed ELSP Scheme
In this section, we first give the basic idea of ELSP, and then elaborate on its design.
4.1. Outline of ELSP
In ELSP, sensors are divided into pairwise disjoint sets called groups. We take source and destination as an example to present the basic idea of ELSP. Without loss of generality, we assume that and are in different groups.
To secretly send packets to , node randomly picks one node from every group which is called a key node through which every packet will be routed. ELSP adopts the idea of mix-nets . Specifically, packs the message for by several layers of encryption. The packed message is then routed through the key nodes; each of them strips off one layer of encryption and then transmits to the next key node. By constructing the packet appropriately, we can guarantee that every key node knows neither other key nodes nor how many key nodes separate it between and . Source is thus hidden from all the key nodes.
ELSP integrates several techniques to thwart both internal and external attackers. For example, to cover the transmission behavior, first sends the packets to a randomly chosen group peer instead of directly sending it to the first key node. Then, after receiving a packet from its group peer, each node will send the packet to the first group with some probability, say , or randomly choose another group peer to which the packet is sent. Finally, the packet will be sent to a randomly chosen proxy node in each group other than the first key node, which in turn forwards the packet to the first key node. We will show that this method assists in hiding the first key node from global eavesdropper. The packet will be forwarded in subsequent groups in a similar way. Furthermore, ELSP requires the members of every group to exchange encrypted packet of constant length to prevent attackers from tracing the packet. All these measures are attempted to make it difficult for the adversary to locate packet sources with tunable communication overhead.
An example is illustrated in Figure 1, where each group forms one layer. We denote by the key node in each group; destination is in group and is actually . Moreover, nodes in each group are proxy nodes. As we can see, source forms a packet which is forwarded through four random nodes and then passed to which, in turn, routes the packet to . Only the key node can strip off one layer of encryption, and then the modified packet passes three random nodes to reach the next group. This process continues until the packet reaches (the base station). ELSP can ensure that each key node cannot determine which packet layer it resides at, that is, its distance from the source or destination group. This process will gradually be clear when we come back to it in Section 4.2.6.
In the following section, we will give the design details of ELSP, including group formation, group traffic maintenance, key distribution, and packet forwarding.
4.2. Detailed Description of ELSP
4.2.1. Group Formation
It is quite common that sensor nodes are deployed in groups; that is, a group of sensors are deployed at a single deployment point, and the probability distribution function (e.g., a two-dimensional Gaussian distribution) of the final resident points of all the sensors in each batch (or group) are the same [21, 22]. We assume such a group-based deployment, and we model the deployment knowledge as follows.
We consider a sensor network with sensor nodes. Before the network deployment, the network owner divides sensor nodes into pairwise disjoint groups denoted by . The relation between sensor nodes and groups should hold the following conditions: (1). (2) ( denotes a sensor node, denotes all groups set).
Sensor nodes in each group are indexed from 0 to . Let denote the network ID of the jth node in group , where . Note that the groups may have different numbers of sensor nodes. Each sensor node is preloaded with the information regarding the affiliation it belongs to, the network ID of every other sensor node, and the index in that group.
4.2.2. Key Distribution and Agreement
As with other schemes, ELSP requires sensor nodes to establish appropriate cryptographic keys. In this work, we assume a key distribution scheme (e.g., ) based on Identity-Based Cryptography (IBC) . However, ELSP can also rely on other suitable key distribution schemes by taking advantages of deployment knowledge of the deployed sensor nodes in a sensor network .
Since ELSP targets a single owner WSN, there exists a trusted authority (TA) to bootstrap the network. Before the network deployment, the TA selects a large prime , a master secret key , an additive group of order , a multiplicative group of order , a bilinear map , and a hash function which maps arbitrary binary strings into nonzero points in . Improved Weil  and Tate  pairing are examples of the bilinear map , and we refer the readers to [24, 26] for the detailed properties of .
Each sensor node, say , is equipped with . Additionally, it has a unique public/private key pair, where the public key is the unique network ID, and the private key is acquired from the TA. Note that the master secret cannot be linked from any public/private key pair like [23, 24, 26], so it is only known to the TA.
In ELSP, any pair of sensor nodes, say and , can establish a shared key independently without communicating with each other. In particular, and compute Here, because of the symmetric and bilinear properties of [23, 24, 26]. Furthermore, each sensor node can create many pseudonyms and the corresponding private keys. For instance, can choose a random integer to generate a pseudonym and the corresponding private key . Since is a cyclic group of order , multiplying by can cloak and . In other words, it is unable to link to node given only the pseudonym .
4.2.3. Group Traffic Maintenance
Generally, sensor node acts as a networking repeater to route packets to and from other nodes; it seems that WSN has natural source anonymity since the adversary is unable to distinguish whether a sensor node just forwarded a given packet or has initiated it. However, this argument holds only when the outgoing traffic rate of the node is not greater than its incoming traffic rate. Otherwise, the adversary can ascertain that the node has initiated some traffic, even if he cannot determine what packets originated from that node. For example, a sensor node intended to send more packets than others indicates that it probably detects animals’ activities. ELSP thus must prevent this from happening.
In ELSP, in order to hide packet sources, we insert garbage data to keep the packet length constant all the time. Furthermore, any two nodes in group , for , exchange a traffic rate of packets/second, where is a public system parameter. To prevent attackers from distinguishing different packets, shared secret key should be established between any two nodes for encrypting the packet using (1).
For example, nodes and are both in group which exchange packets as follows: where denotes a fixed-length message encryption using the key on the subscript; is the shared key of and using (1); is the timestamp for ensuring message freshness; is a one-way keyed hash function to guarantee message authenticity. On receiving the packet, node (or ) first checks the message authentication code. If succeed, it then decrypts message using and adopts the method in Section 4.2.5 to process DATA.
Eavesdropper cannot ascertain whether sensor node initiated a data packet, as he is unable to differentiate data from each other. ELSP also guarantees that even node cannot ascertain whether DATA was just forwarded by or actually originated from node ; this protects from internal attackers if any. Intergroup traffic and intragroup traffic are of the same fixed length, which can prevent attackers from inferring any useful information from packet-length changes .
4.2.4. Packet Construction
Now we describe the construction of packets. Assume that source determines to send information info to destination . To construct a packet, does the following procedure.
Step 1. Select one key node for each group. To complete this, node has to rely on the normal routing protocol (e.g., min hop routing) to find the node IDs on the forwarding path between and . Fortunately, this can be done in the network initialization with the base station simply broadcasting a message to the whole network. The base station adds two fields to the header of this message, which are “node-in-route” (NIR) field and group ID (GID) field. Initially, these two fields are empty. Starting from the base station, whenever a node propagates the message to the next hop, the node ID and group ID of the upstream node are appended to the NIR and GID. Nodes included in NIR are excluded from the random pick at the next hop. This nonrepetitive propagation terminates until reaching every node. Finally, each node has a path node ID list (NIDL) and the corresponding group ID list (GIDL) between itself and the base station. Node randomly picks one node from its NIDL for each group as the key node through which every packet will be routed.
Step 2. Choose a unique random integer for each group whereby to calculate a pseudonym and the corresponding private key . is used to cloak source from key nodes at group , as will be shown soon.
Step 3. Compute a shared key with each key node , which is used to add (by ) or peel off (by ) one layer of encryption.
We use the following approach to prevent each key node from knowing its distance from source or destination . Assume that destination is in layer , . Source computes a shared key with as and then calculates
Source then derives where . Here, is called a path object which indicates the packet path. Mark is a predetermined string that explains the legitimacy of the . Since is a fixed-length cipher, we have . Finally, constructs the packet as
Suppose that has another message for the same destination ; it can generate a new packet by just replacing the message part Ω. That is, the same set of key nodes can be used in multiple messages between and . However, has to change the set of key nodes per iodically if it has many messages for to prevent the predecessor attack . Besides, different event packets from the same source should have different pseudonyms in case the two packets are correlated by the adversary.
4.2.5. Packet Forwarding and Processing
Packet travels a random path in source group before entering . Specifically, source randomly selects a node from and sends to it in a standard packet length. When the chosen node receives , it forwards with probability to a random node in and with probability directly to . Here, is a system parameter called the rabbling probability. In particular, the preloaded one-way hash function is denoted as , where is the hash seed. The mapping function is with . For the output range of the hash function, the mapping functions map to 1 with probability and to 0 with probability . The benefit of using two functions in the system is that it gives the base station a simple way to change the rabbling probability by just updating the mapping function via a broadcast. When a node receives a packet, it calculates ; if the computation maps to 1, it forwards the packet to the next group. Otherwise, it forwards to another group peer. Such random-forwarding mechanism helps to prevent the attacker from identifying source whose effectiveness has recently been discussed in . Specifically, every packet forwarder (except ) cannot tell whether the group peer-sending is the packet source or just a packet forwarder.
Once a node in , say , decides to forward to , picks a random node in to which the following packet modified from is sent: it is possible that itself happens to be in which case . Note that should be sent in an encrypted packet to which then directly forwards it to after verifying . Since eavesdroppers cannot distinguish this packet from others between and , they cannot immediately determine that is the key node in . If is a compromised node, then the attackers confirm as the key node. But they still cannot ascertain whether is the packet destination or help them to identify the packet source. On receiving , assumes that it was originated from node with which to compute a shared key as . There are four cases.(i)If is a key node, then which is equivalent to [23, 24, 26].(ii)If is destination , then which is equivalent to [23, 24, 26]. (iii)If the above conditions are all met, then we have .(iv)Otherwise, is neither equal to nor .
Then it attempts using to decrypt Ω in ; if the decryption result has a predefined message format, then realizes itself as the destination, or else, the decryption result can be ignored. Let denote the output of decrypting msg using shared keys sequentially, which is executed by nodes sequentially. For example, and are separately the outputs of decrypting using the shared key by , and using and by and sequentially. Based on (3), we have
Furthermore, uses to decrypt . Since , only can make a successful decryption, which knows this after seeing Mark. Node continues using to decrypt , and obtain . According to (4), it has . Finally, forms a new packet where , and is a random garbage data of length used to compensate for the deletion of so that and are of the same format and length. Similar to , packet takes a random path (starting from ) in before reaching . Generally, each key node generates packet in which a random string is added after the message part to keep a constant packet length. can not be differentiated from each other and will be treated as real path objects by subsequent key nodes. By doing so, each key node cannot identify at which layer of encryption it is.
The packet forwarding is terminated at the last key node which receives the following packet: where , Here, is replaced with zero of equal length by . Then processes similarly as before. knows itself as the key node after decrypting and finding Mark there. Then it uses to decrypt Ω in . Since knows that it is the message destination because the decryption result info has a predefined message format.
Since the same set of key nodes is used in delivering multiple messages from to , this can significantly reduce the computation overhead. Specifically, each knows whether it is the destination or a key node after processing the first message and can cache the corresponding source pseudonym .
4.2.6. An Example
In order to have a better understanding with ELSP, we take the same example in Figure 1, where and the base station as the destination which is actually the key node in . For simplicity, we assume that all groups have the same size of 6.
Source forms , where passes through four nodes before leaving group . Node receives from its proxy node the packet and calculates a shared key based on the source pseudonym . Obviously, only with which generates , where Node knows itself not the message destination after decrypting Ω with and not finding Mark there. Because , the decryption result is a random string which does not provide a predefined message format. So, uses mapping function to generate the next forwarding node for . As we can see from Figure 1, passes through three nodes before leaving .
Node receives from the proxy node a packet and then calculates a shared key based on . This time we have then uses to generate , where . Again, knows that itself not the destination after decrypting with .
goes by two nodes before leaving . Node receives from its proxy node a packet and then calculates to decrypts . Node knows that it is the message destination, as the decryption result does provide a predefined message format so the packet forwarding process succeeded.
By virtue of pseudonym, each considers that it receives the packet from source . Besides, the addition of maintains constant packet length all the time. Hence, each cannot identify which packet layer it resides in, and it could be at any layer with equal probability ( knows that it locates at the last layer ). This forces the attackers to consider all packets when tracking back, and it cannot discount any packet analysis requirement upon the packet length. Using garbage filler slightly increases the overhead, but it is still very less compared to existing random walk or fake packet generation schemes as shown in Section 5.
5. Analysis and Performance Evaluation
In this section, we first give the communication and computation overhead of ELSP, and then its security about source anonymity. Finally, we conduct the simulation to demonstrate the efficiency of ELSP when compared with existing works.
5.1. Overhead Analysis
5.1.1. Communication Cost
In ELSP, a fixed packet size is used to prevent the attackers from inferring any useful information from packet-length changes. Each packet contains a constant length message part and path objects of equal length. If the message is not long enough, it has to be padded to keep the fixed length. For convenience, we choose to analyze the packet overhead which is defined as the ratio of nonmessage part to the packet length len. Since , we only need to compute , where .
The length of is an element in group and in fact a point on an elliptic curve over [23, 24, 26]. If the prime is of 160 bits and other pairing parameters are properly selected, it can achieve a security level equivalent to that of 1024-bit RSA . So we have bits. Assume that each node ID is of bits, the hash seed is of bits, the packet overhead is as follows: where . In ELSP, |Ω| is fixed and unchangeable. Since |Mark|, and are also constant, the packet overhead is in direct ratio to , the number of packet layers, or path objects.
Now we discuss , the number of end-to-end packet transmissions cost by each message from to . Suppose for the sake of simplicity that no two consecutive packet forwarders are the same, and that no key node is selected as a proxy node. Let denote the number of times that packet ) is transmitted before entering group . According to Section 4.2.5, satisfies the geometric distribution , with mean . Each also involves intergroup transmissions, each for one proxy node in group . According to the packet-forwarding process in Section 4.2.5, we can derive Note that includes intragroup transmissions and intergroup transmissions. The former are hidden by intragroup traffic rate of packets/second and can be dynamically adjusted as needed. So, each message only incurs inter-group transmissions. Besides, given a certain value of , the larger it is, the fewer concurrent sessions can be supported and vice versa.
5.1.2. Computation Cost
In ELSP, the most time-consuming task is undoubtedly the pairing operation for shared-key establishment, which chooses Tate paring . Zhang et al.  quantify the energy consumption of the Tate pairing. It assumes that the sensor CPU is a low-power 32-bit Intel PXA255 processor at 400 MHz. The computation of the Tate pairing roughly needs ms, and the energy consumption is approximately 25.5 mJ. In fact, the pairing function in the protocol is executed relatively rarely. Specifically, each pair of nodes only needs to do once on demand to establish a shared key whereby to encrypt and authenticate intergroup or intragroup traffic using efficient symmetric key ciphers, the remaining pairing operations can be precomputed and stored for all protocol instances. Moreover, if source intends to transmit multiple messages to destination , each key node only need execute once to compute a shared key when transmitting the first message. All subsequent packet processing are implemented based on the shared keys using efficient symmetric-key ciphers. Therefore, the computation cost of ELSP is totally acceptable even on low-end sensor device.
5.2. Security Analysis
Packets in ELSP use pseudonym instead of real source ID so that key nodes can not determine the initiators of received packets. Further, even the base station (a key node as well) cannot ascertain who sends it the message if the source node does not reveal its real identity in the message. This implies that the adversary can not directly determine packet sources. However, the adversary can assign a probability to each sensor node for being the source of a given packet. Therefore, we will investigate the resilience of ELSP against such probabilistic attacks.
We first use two entropy-based metrics to evaluate source anonymity. Then we describe the random forwarding approach of how to prevent internal attackers from determining key nodes. Finally, we evaluate the capability of ELSP providing source anonymity and show its efficiency compared with existing works.
5.2.1. Anonymity Metrics
Pfitzmann and Hansen  first defined anonymity as “the state of Indistinguishable within a set of all possible subjects, anonymity set.” Since then, anonymity set has become a popular metric to evaluate the anonymity in various anonymous communication systems. Generally, the greater the anonymity set is, the better anonymity achieved. However, it is unable to reflect the possibility that the adversary assigns different probabilities to each node as being the source of a given packet. This problem was solved by an entropy-based metric proposed in . Briefly speaking, let be a set of nodes in an anonymous communication system; the anonymity entropy is defined as Here, represents the probability of the adversary assigned to node being the source of a packet, and Δ denotes the uncertainty about which node is the source of a packet or the additional information that the adversary needs to determine the packet source. It follows that . The upper bound is achieved when each node is assigned an equal probability of to be the source as viewed from the adversary (the ideal case); the lower bound is attained when is assigned a probability of one, while each node is assigned a probability of zero. In addition, Diaz et al.  defined anonymity degree as which indicates the distance between the real anonymity entropy and the maximum anonymity entropy that a system can provide.
5.2.2. Efficacy of Random Forwarding
We denoted source a key node by . It is crucial in ELSP to prevent the attackers from identifying key nodes . As discussed before, each packet takes a random path starting from key node before entering group ; this helps withstanding eavesdroppers (external attackers). However, there might be some sensor nodes compromised (internal attackers) in the transmission path. The countermeasure is to identify and isolate these compromised nodes via some effective solutions like reputation and trust-based mechanism as in  this can improve anonymous routing, but also increase the complexity of the system. In the following, we illustrate the efficacy of the random-forwarding mechanism against such internal attackers without other complements.
We assume that a set of compromised nodes in group , among which at least one appears in the forwarding path of packet . The goal of internal attackers is to find out which noncompromised node in is that initiated . Let denote the first compromised node which received from a noncompromised node . From the point of view of internal attackers, all the noncompromised nodes in other than have equal probability to be , but they are obviously less likely to be than . We need to analyze how confident the adversary can be that is indeed , or in other words, the probability that they assigned to being .
Theorem 1. Let one suppose that the first compromised node B in group , for all , received packet from node A; the probability that the adversary assigned to A as the key node is , where and c is the number of compromised nodes in group i.
Proof. Let be the event that received packet from node . The probability of being is
Let be the event that locates in the kth position of the path. Then represents the probability that is indeed , and went through noncompromised nodes before . There are three cases:(i): it shows that selected as the first packet forwarder; this occurs with probability because each packet forwarder is chosen randomly and uniformly from group ).(ii): it shows that selected itself as the first packet forwarder and then as the second one, which occurs with probability .(iii): it shows that packet passed noncompromised nodes, and the last one selected as the ()th packet forwarder who chose as the kth packet forwarder, which occurs with . It follows that Likewise, we have
At last, if has no other information, all the noncompromised nodes in group are equally likely to be the key node , so we have
Substituting (18), (19), and (20) into (17) and then (16), we finally obtain
Based on (21), we can further deduce that (i)when , it indicates that all the nodes in other than are compromised, . Thus, the adversary can make sure that is indeed ;(ii)when , the larger , the smaller , the better the key node is concealed from the internal attackers, and the larger the communication overhead .
Note that all the other noncompromised sensor nodes have equal probability of being . Consequently, the probability distribution of each node in being as viewed by the adversary is given by
5.2.3. Source Anonymity Measurement
It should be noted that besides the event packets, there are still other communications among the sensor nodes involving a large number of packets, which makes it infeasible for the adversary to precisely separate different communication sessions from eavesdropping . This allows us to focus on the impact of internal attackers. For simplicity, we still consider the session from source to destination .
We first discuss the impact of consecutively compromised key nodes. Suppose that the adversary compromised out of the overall sensor nodes. Because of the layered encryption, the same information appears entirely different across packet layers so that only key nodes that strip off one layer of encryption can correlate messages across two adjacent layers. Note that the last key node does not further forward; the packet, therefore, is excluded here. We call a chain of compromised key nodes participating in the same packet delivery as an e-chain. The e-chain can integrate the same message across consecutive packet layers. For example, when , no consecutive key nodes were compromised, and when , the adversary can trace the packet from to . It is possible that there exist multiple disjoint chains, but the adversary cannot link them together, so we only need to consider the longest e-chain, referred to the -chain, which exposes the maximum information to the adversary. The -chain can begin with any of the key nodes, and the probability of it starting from is . In other words, there is at least one compromised node in serving random packet forwarding; is the source group with probability .
We also consider an extreme case where there is at least one compromised node serving random packet forwarding in each group. For convenience, we assume that each group comprises the same number of sensor nodes (i.e., ) and the adversary knows . There might be no -chain; in this case, the anonymity of will be definitely better than what we will demonstrate below. Theorem 2 gives the principle about the source anonymity.
Theorem 2. Let the -chain beginning with and the first compromised node B in group received packet from node A, the probability that the adversary assigned to A as the packet source is , where c is the number of compromised nodes in .
Proof. The proof is directly based on Theorem 1. Since is in source group with the probability of 1/(), then its predecessor is in the random-forwarding path being source with the probability of
Likewise, each noncompromised node except in has the equal probability of being the source. Let us suppose that there are compromised nodes among all the sensor nodes in the network (excluding source and destination ) the residue () noncompromised nodes not in equally hold the probability of being the source. In a word, the probability distribution of each node being the source from the adversary’s point of view is given by
5.3. Performance Evaluation
We first give numerical results to demonstrate the effectiveness of ELSP, and then make a comparison with existing schemes by simulations. Unless specified otherwise, we assume that each sensor node is compromised independently with probability 0.1, which is considered a severe situation. Due to space limitations, we omit the calculation details.
5.3.1. Numerical Results
Figure 2 illustrates the parameters , , and impact on the source anonymity degree, where the network size , the number of groups , and nodes are compromised. We can see that the larger and are, the higher the source anonymity is. In addition, given parameters and , increasing will decrease the source anonymity. The reason is straight: the larger is, the more key nodes are compromised by the adversary, which in turn, increases the probability of message disclosed. Note that with , it is impossible for the adversary to ascertain the packet source even when the first key nodes are all compromised. These results verify the efficiency of random-forwarding technique in improving source anonymity.
Figure 3 shows the impact of the total number of compromised nodes on source anonymity, where . It is obvious that the more compromised the nodes are, the lower the source anonymity is; this coincides with the intuition. For example, when , namely, half of the sensor nodes are compromised; the source privacy are still higher than 0.9. Based on this figure, it can be concluded that ELSP is resilient to node compromise attack.
The source privacy is also relevant to the group size (cf. (24)). Figure 4 shows the impact of the group size on source anonymity, where and . As we can see, source anonymity increases as increases; meanwhile, it increases the total intragroup traffic (communication overhead) and vice versa. In fact, various objects may have different security levels; in order to provide differentiated source anonymity requirement, one viable solution is to hide more important nodes with higher privacy requirements in relatively large groups while letting other groups be of small sizes. Therefore, ELSP has a nice property of flexibility of source anonymity that can be guaranteed by varying the group size .
First, we compare the difference between DCARPS and ELSP from the technique implementation. In particular, DCARPS adopts label-switching approach, while ELSP uses the pseudonym and intermediate packet-altering scheme to conceal source traversal information. ELSP makes much less assumptions while considering a strong threat model as well as bearing the lightweight design in mind. DCARPS requires the base station to know the topology information of the network. ELSP only needs the information of intermediate nodes. In ELSP, only a small number of nodes are chosen to reconstruct the packet before forwarding, whereas in DCARPS, all the nodes involved in delivering the packet have to perform decryption and re-encryption operation with the new label. Further, in ELSP, this construction method allows the base station to verify the packet, while in DCARPS it is only used for routing. More importantly, node compromise attacks are not considered in DCARPS, which is the main attention we focus on ELSP.
Second, we conduct the simulation in NS2 to show the effectiveness of ELSP and compare it to random walk technique . In Figure 5, we show the overhead (energy consumption) of random walk-based methods and ELSP. For fair comparison, sensor nodes in random walk-based methods are also organized into pairwise disjoint groups; the -axis represents the longest path length of 50 hops between source and destination. Note that the overhead of random walk-based methods includes propagation over the random path and the journey towards the base station. The random walk lengths (denoted by ) are 10, 15, 20, and 25, respectively. The rabbling probability is chosen as a stable status of 0.75 for ELSP, which is equivalent to hops of intragroup random forwarding (cf. Section 5.1.1). As shown in Figure 5, the overhead of ELSP slightly increases with the path lengths, while the overhead involved in random walk-based methods is higher than ELSP.
In Figure 6, we set , , for random walk-based methods and ELSP. We also define privacy in random walk based methods as the length of distance the random walk takes the source information away from the actual source when compared to the path length (say S-D distance). The source privacy achieved for ELSP and random walk based scheme with the same path lengths and random walk lengths are shown in Figure 5. As we can see, the source anonymity degree or privacy of ELSP is constant irrespective of the path lengths, while the random walk based methods’ privacy decreases with the increases of path length. This is because we consider a rather strong threat model, where the adversary can either eavesdrop over a larger coverage area or compromise sensor nodes. Thus, once the attackers obtain data packets on compromised node, they can traceback to the source with higher probability. Conversely, in ELSP, each packet is modified en route by selected nodes to make it difficult for the adversary to trace back to the source.
Finally, Figure 7 shows the overhead incurred in fake packet generation schemes [6, 8] compared to ELSP. We consider different numbers of fake packet-generating nodes (denoted by ), with the numbers ranging from 20% to 50% of all nodes. The -axis represents the number of actual source nodes in the network as a percentage of all nodes. As shown in Figure 7, the larger the source nodes in the network are, the smaller the overhead incurred. We can conclude that any form of fake packet generation technique will have significantly higher overhead compared to ELSP. Even the conservative case of 20% of sensor nodes generating fake packets leads to higher overhead compared to ELSP. This is because the fake packet generation is an obfuscating technique which is only successful under the heavy load of fake packet generation. When a sensor node detects an event and generates the event reporting packet, there should be at least one more source node generating a fake event-reporting packet. On this occasion, we see that 50% of the traffic corresponds to fake traffic. Moreover, to increase security will incur more overhead in the form of fake packets. Consequently, the realization of such a system is dependent on the amount of fake packets generated which still provide very minimal source privacy and have more overhead than ELSP. In addition, the fake packet generation schemes do not consider node compromises.
Sensor node detecting the event is important, as it can reveal the event occurrence location and time occurrence; thus, needs to maintain source privacy. Previous works consider an eavesdropping adversary and do not provide countermeasures to an intrusive node compromise attack with global eavesdropping capabilities. In this paper, we presented the design and evaluation of a novel anonymous mechanism for WSNs. By utilizing the grouping, the self-generated pseudonym, and the Identity-Based Cryptography, the proposed protocol is demonstrated to achieve desired security objectives and efficiency. As future work, we will seek to analyze the security of our scheme under other adversary models.
The authors acknowledge support from the National Natural Science Foundation of China (Grant nos. 61173136, 61202462, 61173141, and 61232016), and the fund support of the key subject of Fujian province—Computer Application Technology.
- J.-F. Raymond, “Traffic analysis: protocols, attacks, design issues, and open problemsin,” in Proceedings of the International Workshop on Design Issues in Anonymity and Unobservability, pp. 10–29, Berkeley, Calif, USA, 2000.
- D. L. Chaum, “Untraceable electronic mail, return addresses, and digital pseudonyms,” Communications of the ACM, vol. 24, no. 2, pp. 84–88, 1981.
- A. Pfitzmann and M. Waidner, “Networks without user observability,” Computers and Security, vol. 6, no. 2, pp. 158–166, 1987.
- M. Reiter and A. Rubin, “Crowds: anonymity for web transactions,” ACM Transactions on Information and System Security (ITSSEC), vol. 1, no. 1, pp. 66–92, 1998.
- P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, “Enhancing source-location privacy in sensor network routing,” in Proceedings of the 25th IEEE International Conference on Distributed Computing Systems, pp. 599–608, Columbus, Ohio, USA, June 2005.
- K. Mehta, D. Liu, and M. Wright, “Protecting location privacy in sensor networks against a global eavesdropper,” IEEE Transactions on Mobile Computing, vol. 11, no. 2, pp. 320–336, 2012.
- Y. Ouyang, Z. Le, D. Liu, J. Ford, and F. Makedon, “Source location privacy against laptop-class attacks in sensor networks,” in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm '08), pp. 1–10, Istanbul, Turkey, September 2008.
- M. Shao, Y. Yang, S. Zhu, and G. Cao, “Towards statistically strong source anonymity for sensor networks,” in Proceedings of the 27th IEEE Communications Society Conference on Computer Communications (INFOCOM '08), pp. 466–474, Phoenix, Ariz, USA, April 2008.
- Y. Yang, M. Shao, S. Zhu, B. Urgaonkar, and G. Cao, “Towards event source unobservability with minimum network traffic in sensor networks,” in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 77–88, Alexandria, Va, USA, April 2008.
- H. Wang, B. Sheng, and Q. Li, “Privacy-aware routing in sensor networks,” Computer Networks, vol. 53, no. 9, pp. 1512–1529, 2009.
- N. Li, M. Raj, D. Liu, M. Wright, and S. K. Das, “Using data mules to preserve source location privacy in wireless sensor networks,” in Proceedings of the 13th International Conference on Distributed Computing and Networking (ICDCN '12), vol. 7129 of Lecture Notes in Computer Science, pp. 309–324, Hong Kong, Hong Kong, 2012.
- Y. Li, J. Li, J. Ren, and J. Wu, “Providing hop-by-hop authentication and source privacy in wireless sensor networks,” in IEEE Conference on Computer Communications (INFOCOM '12), pp. 3071–3075, Orlando, Fla, USA, 2012.
- W. Zhang, N. Subramanian, and G. Wang, “Lightweight and compromise-resilient message authentication in sensor networks,” in Proceedings of the 27th IEEE Communications Society Conference on Computer Communications (INFOCOM '08), pp. 2092–2100, Phoenix, Ariz, USA, April 2008.
- M. Albrecht, C. Gentry, S. Halevi, and J. Katz, “Attacking cryptographic schemes based on perturbation polynomials,” Cryptology ePrint Archive, Report 2009/098, 2009, http://eprint.iacr.org/.
- Y. Li, J. Ren, and J. Wu, “Quantitative measurement and design of source-location privacy schemes for wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 7, pp. 1302–1311, 2012.
- A. A. Nezhad, A. Miri, and D. Makrakis, “Location privacy and anonymity preserving routing for wireless sensor networks,” Computer Networks, vol. 52, no. 18, pp. 3433–3452, 2008.
- G. Chai, M. Xu, W. Xu, and Z. Lin, “Enhancing sink-location privacy in wireless sensor networks through k-anonymity,” International Journal of Distributed Sensor Networks, vol. 2012, Article ID 648058, 16 pages, 2012.
- C. Y. Chow, M. F. Mokbel, and T. He, “A privacy-preserving location monitoring system for wireless sensor networks,” IEEE Transactions on Mobile Computing, vol. 10, no. 1, pp. 94–107, 2011.
- R. Di Pietro and A. Viejo, “Location privacy and resilience in wireless sensor networks querying,” Computer Communications, vol. 34, no. 3, pp. 515–523, 2011.
- C. Li and M. Hwang, “A lightweight anonymous routing protocol without public key en/decryptions for wireless Ad Hoc networks,” Information Sciences, vol. 181, no. 23, pp. 5333–5347, 2011.
- N. T. T. Huyen, M. Jo, T.-D. Nguyen, and E.-N. Huh, “A beneficial analysis of deployment knowledge for key distribution in wireless sensor networks,” Security and Communication Networks, vol. 5, no. 5, pp. 485–495, 2012.
- B. Zhou, S. Li, Q. Li, X. Sun, and X. Wang, “An efficient and scalable pairwise key pre-distribution scheme for sensor networks using deployment knowledge,” Computer Communications, vol. 32, no. 1, pp. 124–133, 2009.
- D. Du, H. Xiong, and H. Wang, “An efficient key management scheme for wireless sensor networks,” International Journal of Distributed Sensor Networks, vol. 2012, Article ID 406254, 14 pages, 2012.
- D. Boneh and M. Franklin, “Identity-based encryption from the weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003.
- A. K. Das, “ECPKS: an improved location-aware key management scheme in static sensor networks,” International Journal of Network Security, vol. 7, no. 3, pp. 358–369, 2008.
- P. Barreto, H. Kim, B. Bynn, and M. Scott, “Efficient algorithms for pairing-based cryptosystems,” in Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '02), pp. 354–368, Santa Barbara, Calif, USA, 2002.
- M. K. Wright, M. Adler, B. N. Levine, and C. Shields, “The predecessor attack: an analysis of a threat to anonymous communications systems,” ACM Transactions on Information and System Security, vol. 7, no. 4, pp. 489–522, 2004.
- G. Danezis, C. Diaz, E. Kasper, and C. Troncoso, “The wisdom of crowds: attacks and optimal constructions,” in Proceedings of 14th European Symposium on Research in Computer Security (ESORICS '09), pp. 406–423, Saint-Malo, France, 2009.
- Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.
- A. Pfitzmann and M. Hansen, “Anonymity, unobservability, and pseudonymity: a consolidated proposal for terminology,” Draft v0.25, 2005.
- A. Serjantov and G. Danezis, “Towards an information theoretic metric for anonymity,” in Proceedings of the 2nd International Conference on Privacy Enhancing Technologies (PET '02), pp. 41–53, Heidelberg, Germany, 2002.
- T. M. Cover and J. A. Thomas, Elements of Information Theory, Wiley, London, UK, 2nd edition, 2006.
- C. Diaz, S. Seys, J. Claessens, and B. Preneel, “Towards measuring anonymity,” in Proceedings of the 2nd International Conference on Privacy Enhancing Technologies (PET '02), pp. 54–68, Heidelberg, Germany.
- G. V. Crosby, L. Hester, and N. Pissinou, “Location-aware trust-based detection and isolation of compromised nodes in wireless sensor networks,” International Journal of Network Security, vol. 12, no. 2, pp. 107–117, 2011.