George Corser, PhD Candidate
Oakland University
May 1, 2014
Slide: 1
1. Background
2. Problem Statement
3. Related Work
4. Preliminary Results
5. Proposed Research
Slide: 2
• What is VANET?
• DSRC Protocol Stack(s)
• Why VANET?
• What is Privacy?
• VANET Privacy Threat Model
Slide: 3
Vehicular Ad-hoc Network
Global Positioning System
Roadside Unit
Slide: 4
V2V: Vehicle-to-vehicle
V2R: Vehicle-to-roadside; also called V2I (vehicle-to-infrastructure)
Image source: http://adrianlatorre.com/projects/pfc/img/vanet_full.jpg
Slide: 5
• Two DSRC stacks
– WSMP: WAVE Short Message Protocol
– TCP/IP
• DSRC: Dedicated Short Range Communications
• WAVE: Wireless Access in Vehicular Environments
Location Based Services
Image source: Kenney, 2011
Major Applications
• Safety
– Application: Collision Avoidance
– Est: eliminate 82% of crashes of non-impaired drivers (US DOT)
– Est: $299.5 billion for traffic crashes (AAA)
• Traffic Management
– Application: Congestion reduction
– Est: $97.7 billion for congestion (AAA)
• Infotainment (LBS)
– Applications: Simple queries, Navigation
– Application: Frequent precise location (FPL) queries
Slide: 6
• Definitions of privacy
– Charles Fried (1984): “Privacy is not simply an absence of information about us in the minds of others, rather it is the control we have over information about ourselves.”
– James Moor (1997): “I agree that it is highly desirable that we control information about ourselves. However, in a highly computerized culture this is simply impossible.”
– IEEE 1609.2 (2013): “Anonymity—meaning the ability of private drivers to maintain a certain amount of privacy—is a core goal of the system.”
Slide: 7
• Types of privacy
– Identity privacy: unlinkability with personally identifiable information (PII); often achieved with pseudonyms.
– Location privacy: unlinkability of PII with a geographical position, and further, the unlinkability of one pseudonym with another by using location data.
– Query privacy: unlinkability of PII, not only with location, but also with the particular type of request made or service used.
• This research would focus on location privacy.
Slide: 8
Slide: 9
• Desired properties of vehicle network privacy systems
1. Safety (Collision Avoidance)
2. Trust (Authentication)
3. Identity Privacy (Pseudonymity*)
4. Location Privacy (Untrackability)
5. Historical Privacy (Untraceability)
6. Conditional Privacy (Accountability)
7. Revocability
8. Trust Authority Decentralization
9. Anonymous LBS Access (LBS Pseudonymity)
10. Map Database Undeanonymizability
11. Context Awareness (Contextuality)
12. User Consent, Choice, Control
* a.k.a. anonymous authentication, pseudonymous authentication
Slide: 10
RSU: Roadside unit, a wireless access point for vehicles to connect to wired network infrastructure
LBS: Location Based Service, an internet application which uses geographical position as input (e.g. Google Navigation)
• VANET (MAC Layer)
– Ultra low latency, for safety
– Low overhead, for wireless efficiency
– Conditional/revocable anonymity, for privacy
• LBS (APP Layer)
– Frequent precise location (FPL) service availability
– Undeanonymizable* anonymous service access with privacy over wide geographical range
• How to achieve vehicular location privacy?
* protect from RSU/LBS collusion and map deanonymization
Slide: 11
• Location Privacy Techniques
• Location Privacy Theory
• Dummy Events
• Dummy Events v. Active Decoys
• Location Privacy Metrics
Slide: 12
• Group signature
– Chaum, 1991, 1712 citations
– Boneh, Boyen, Shacham, 2004, 1024 citations
• Mix zones
– Beresford, Stajano, 2003, 1068 citations
• Cloaking, anonymous LBS
– Gruteser, Greenwald, 2003, 1303 citations
Slide: 13
Group Signatures
Mix Zones
Cloaking
Slide: 14
Image source: Shokri (2010)
Slide: 15
Source: Location Privacy in Pervasive Computing, Beresford & Stajano, 2003
Early abandonment
Assumption: many concentrated vehicles require continuous privacy protection?
Authors | Methods | Category
You, Peng and Lee (2007) | Random trajectory | Spatial shift
Lu, Jensen and Yiu (2008) | Virtual grid, virtual circle | Spatial shift
Chow & Golle (2009) | Google Maps polyline | Trajectory database
Kido, Yanagisawa and Satoh (2009) | Moving in a neighborhood | Spatial shift
Krumm (2009) | Data gathered from GPS receivers, then modified with noise | Trajectory database
Alnahash, Corser, Fu, Zhu (ASEE, 2014) | Random trajectory confined to road grid | Spatial shift
Corser, et al. (IEEE, 2014) | “Live” dummies generated by active vehicles | Active decoy
Recent resurgence, special applicability to vehicular settings
Assumption: only a subset of users desire privacy?
Slide: 16
Slide: 17
• Dummy event: a message containing false data, sent in order to help conceal a genuine message. Dummy events and genuine messages are sent by the same genuine entity, and function analogously to aircraft flares.
• Active decoy: a dummy event sent by an entity pretending to be the genuine one. Active decoys function analogously to fleeing and dispersing animals in a herd.
The proposed research is designed to examine the tradeoffs between safety, efficiency and privacy using dummy event and active decoy methods.
• Anonymity Set Size: |AS|
• Entropy of |AS|: H( |AS| )
• Tracking Probability: Pt = Prob(|AS|=1)
• Short-term Disclosure (SD)
• Long-term Disclosure (LD)
• Distance Deviation (dst)
* See supplemental slides for equations
Slide: 18
• EPZ: Endpoint Protection Zone
• PBD: Privacy by Decoy
• RRVT: Random Rotation of Vehicle Trajectory
Slide: 19
Slide: 20
• Motorists will use LBS applications (V2I)
• LBS administrators can cross-reference vehicle trajectory endpoints with map databases to identify LBS users (privacy problem)
LBS: Location Based Service (like Google Navigation)
• Under FPL, cloaking can be defeated by examining trajectory (series of snapshots)
Slide: 21
#1: Vehicle/roadway mobility is more predictable than mobile phone mobility.
#2: What if no other active LBS users in vicinity?
• Endpoint Protection Zone (EPZ)
V: number of vehicles in region R
λ: ratio of LBS user vehicles to V
A: area of R
w, h: width, height of EPZ (endpoint protection zone)

E{ |AS_EPZ| } = λVwh/A

“Corserian” mix zone provides “Snowden” privacy defense, and defends against map deanonymization.
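As a sanity check, the expected anonymity set size E{ |AS_EPZ| } = λVwh/A can be computed directly. A minimal sketch; the function name and the example numbers are illustrative, not from the proposal:

```python
def expected_as_epz(lam, V, w, h, A):
    """Expected anonymity set size in an Endpoint Protection Zone:
    E{|AS_EPZ|} = lam * V * w * h / A

    lam : ratio of LBS-user vehicles to V
    V   : number of vehicles in region R
    w, h: width and height of the EPZ
    A   : area of region R (same distance units as w and h)
    """
    return lam * V * w * h / A

# Illustrative numbers: 1000 vehicles, 10% LBS users, and a
# 300 m x 300 m EPZ inside a 3000 m x 3000 m region: about one
# LBS user is expected inside the EPZ.
print(expected_as_epz(0.1, 1000, 300, 300, 3000 * 3000))
```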
Slide: 22
• Realistic mobility models [15][16][17]: MMTS
– Avoided grid-like models (e.g. Manhattan) because the EPZ is square-shaped
• Counted vehicles originating in EPZ
• Computed metrics
– Metrics: |AS|, H(|AS|), Pt
– Variables: LBS user percentage, λ, and EPZ size
Slide: 23
MMTS: Multi-agent Microscopic Traffic Simulator [16]
Slide: 24
• The anonymity set, AS_i, of target LBS user i is the collection of all LBS users j, including i, within the set of all LBS user IDs, ID, whose trajectories T_j are indistinguishable from T_i:

AS_i = { j | j ∈ ID, ∃ T_j s.t. p(i,j) ≠ 0 }
Slide: 25
• Entropy expresses the level of uncertainty in the correlations between T_i and T_j
• It is the negative sum of the products of all probabilities and their logarithms, base 2:

H_i = − Σ_{j ∈ AS_i} p(i,j) · log₂( p(i,j) )

If all trajectories are equally likely to be the real one, then H_max = − log₂( p(i,j) ) = log₂ |AS_i|
Slide: 26
• Tracking probability, Pt_i, is defined as the chance that |AS_i| = k = 1
– If |AS| = 1, then the vehicle has no anonymity
• This metric is important because average Pt tells what percentage of vehicles have some privacy, and what percentage have no privacy at all, not just how much privacy exists in the overall system

Pt_i = P( |AS_i| = 1 )
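A minimal sketch of how these three metrics (|AS|, entropy, tracking probability) could be computed from an adversary's trajectory-matching probabilities p(i,j); the function names and the dictionary input format are illustrative assumptions:

```python
import math

def anonymity_metrics(p):
    """Per-target metrics from the adversary's probabilities p(i, j).

    p: dict mapping candidate user j -> probability that j's trajectory
       is the target's. Candidates with zero probability fall outside
       the anonymity set.
    Returns (|AS_i|, H_i): anonymity set size and entropy in bits.
    """
    probs = [q for q in p.values() if q > 0]
    size = len(probs)                                # |AS_i|
    entropy = -sum(q * math.log2(q) for q in probs)  # H_i
    return size, entropy

def tracking_probability(as_sizes):
    """Pt: fraction of targets whose anonymity set collapsed to size 1."""
    return sum(1 for s in as_sizes if s == 1) / len(as_sizes)

# Four equally likely candidates: |AS| = 4 and H = log2(4) = 2 bits.
print(anonymity_metrics({"a": 0.25, "b": 0.25, "c": 0.25, "d": 0.25}))  # -> (4, 2.0)
```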
10% LBS users (λ=0.1) 20% LBS users (λ=0.2)
Slide: 27
Average anonymity set size, |AS| = k
Slide: 28
10% LBS users (λ=0.1) 20% LBS users (λ=0.2)
Entropy of average anonymity set size, H(|AS|) = H(k)
10% LBS users (λ=0.1) 20% LBS users (λ=0.2)
Slide: 29
Average tracking probability, Pt
Slide: 30
• Suppose a vehicle tried sending a request to an LBS using a false location.
• Privacy by Decoy (PBD)
Note: an active decoy is different from a dummy.
Slide: 31
PARROTS: Position Altered Requests Relayed Over Time and Space
Slide: 32
• Grid: 3000 m x 3000 m (1.864 mi x 1.864 mi)
• Mobility models, rural, urban and city
• Sim. time 2000 seconds or 33.3 minutes.
• EPZ: 600 m x 600 m (25 EPZs) to 300 m x 300 m (100 EPZs)
• λ = LBS users; ρ = potential parrots; φ = pirates
Slide: 33
Slide: 34
Before PBD (EPZ Only)
After PBD
Slide: 35
Theoretical Values of |AS|
ρ: ratio of potential parrots to total vehicles
φ: ratio of LBS users who desire privacy

Individual login: E{ |AS_EPZpi| } = 1 + ρ/(φλ)

Group login: E{ |AS_EPZpg| } = (λ + ρ)Vwh/A
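The two expected values can be sketched directly. Function names are illustrative, and the group-login expression is written with the vehicle count V included, matching the earlier EPZ formula E{ |AS_EPZ| } = λVwh/A (an interpretation, since the slide text is garbled at that point):

```python
def expected_as_individual(rho, phi, lam):
    """Individual login: E{|AS_EPZpi|} = 1 + rho / (phi * lam).
    The target itself plus its share of the available parrots."""
    return 1 + rho / (phi * lam)

def expected_as_group(lam, rho, V, w, h, A):
    """Group login: E{|AS_EPZpg|} = (lam + rho) * V * w * h / A,
    i.e. all LBS users and potential parrots expected inside the EPZ."""
    return (lam + rho) * V * w * h / A

# Illustrative numbers only.
print(expected_as_individual(0.25, 0.5, 0.5))               # -> 2.0
print(expected_as_group(0.5, 0.25, 1000, 300, 300, 9_000_000))  # -> 7.5
```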
Slide: 36
• Can a vehicle transmit dummy events without recruiting parrots?
• Random Rotation of Vehicular Trajectory
Note: vehicles desiring privacy can produce accurate dummies using points from other vehicles which transmit precise locations.
Slide: 37
Left image source: You, Peng and Lee, 2007
• Short-term Disclosure (SD)
m: number of time slices
D_i: set of true and dummy locations at time slot i
SD: the probability of an eavesdropper successfully identifying a true trajectory given a set of true and dummy POSITIONS over a short period of time
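The slide defines SD in words only. One way to sketch it, under the assumption (mine, not the proposal's exact formula) that the eavesdropper guesses uniformly from the candidate set D_i at each time slot:

```python
def short_term_disclosure(candidate_sets):
    """SD sketch under a uniform-guessing assumption: at each of the m
    time slots the eavesdropper picks one position from D_i at random,
    so the per-slot success chance is 1/|D_i|; SD averages over slots.

    candidate_sets: list of m sets D_i of true-plus-dummy positions.
    """
    m = len(candidate_sets)
    return sum(1 / len(d) for d in candidate_sets) / m

# Two slots, each with 4 candidate positions -> SD = 0.25
print(short_term_disclosure([{(0, 0), (1, 1), (2, 2), (3, 3)},
                             {(0, 1), (1, 2), (2, 3), (3, 4)}]))  # -> 0.25
```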
Slide: 38
• Long-term Disclosure (LD)
More overlap means more privacy
Slide: 39
n: total trajectories
k: trajectories that overlap
n − k: trajectories that do not overlap
T_k: the number of possible trajectories amongst the overlapping trajectories
LD: the probability of an eavesdropper successfully identifying a true trajectory given a set of true and dummy TRAJECTORIES over a longer period of time
• 3 trajectories
• 8 possible paths
Slide: 40
Image source: You, Peng and Lee, 2007
• Distance Deviation (dst)
dst_i: the distance deviation of user i
L^i_j: the location of true user i at the jth time slot
L^{dk}_j: the location of the kth dummy at the jth time slot
dist(): expresses the distance between the true user location and the dummy location
n dummies, m time slots

dst_i = (1/nm) Σ_{k=1}^{n} Σ_{j=1}^{m} dist( L^i_j, L^{dk}_j )

dst is the average of the distances between the trajectories of the dummies and the true user
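A minimal sketch of dst as defined above, averaging pairwise distances over n dummies and m time slots; the function name and coordinate format are illustrative:

```python
import math

def distance_deviation(true_traj, dummy_trajs):
    """dst_i: average distance between the true user's positions and the
    dummies' positions, over n dummies and m time slots.

    true_traj:   list of m (x, y) positions of the true user
    dummy_trajs: list of n dummy trajectories, each m (x, y) positions
    """
    m = len(true_traj)
    n = len(dummy_trajs)
    total = sum(math.dist(true_traj[j], dummy[j])
                for dummy in dummy_trajs
                for j in range(m))
    return total / (n * m)

# One dummy held 5 units away (3-4-5 triangle) at both slots -> dst = 5.0
print(distance_deviation([(0, 0), (1, 0)], [[(3, 4), (4, 4)]]))  # -> 5.0
```

Larger dst means the dummies stray farther from the true trajectory, which generally makes them harder to link to the real user.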
Slide: 41
Slide: 42
Example real trajectory in red; example dummy trajectories in black
• Sim. time: 20 time slots
• Speed: ~3 squares/slot
• Dummies: sets of 5 to 25
• Manhattan grid 50×50, roadways every 10 grid squares; trajectories constrained to roadways
• Ran simulation nine times per dummy set
• Data presented: median number of trajectory intersection overlaps
Improvement in LD when roadway mobility enforced
Slide: 43
For SD and LD, lower is better
• Systematic Study
• Anticipated Contributions
• Timeline
Slide: 44
Slide: 45
• Measure the effectiveness of existing methods
(See: Metrics supp. slides)
• Create new methods* and compare their tradeoffs and effectiveness with existing methods
• Create new metrics, if necessary
• Consider vehicular domain specific issues
– Mobility/density (city, suburb, rural), location privacy metrics, mix zone choices, GPS precision,
LBS query frequency (esp. FPL), RSU coverage area, LBS market penetration, MAC/APP layer collusion, map deanonymization, ...
* Currently working on gas station mix zone
Slide: 46
• Combined MAC layer and APP layer privacy has not been studied in vehicular contexts.
• Dummy event and active decoy methods have been ignored for many years. They may apply in vehicular applications because of the different network architecture.
• Journal publication(s) detailing the discovered mathematical relationships (extending conference papers)
Timeline: May through December 2014 (moving to Saginaw in August)
Slide: 47
Actions
Present this dissertation proposal to DAC on May 1
Apply to graduate in fall 2014
Gather early simulation results, develop simulation (simple anonymous LBS access)
Gather more simulation results (LBS access with spatial-temporal cloaking, and active decoy LBS access)
Final simulation results
Begin dissertation write-up
Conclude dissertation initial draft write-up
Submit dissertation draft to DAC prior to August 31
Meet with adviser to ensure all degree requirements met
Register for 1 dissertation credit, Fall 2014
Dissertation write-up
Wait for DAC approval
Schedule defense
Submit Dissertation Defense Announcement Form to Graduate Study and Lifelong Learning (at least 2 weeks prior to defense)
Defend before DAC prior to Oct 31
Format dissertation and submit for binding
Graduate December 13
Slide: 48
Slide: 49
Venue | Topic | Year
IEEE IV 2014: 2014 IEEE Intelligent Vehicles Symposium (Dearborn, MI) | PBD: Privacy-by-Decoy | 2014
IEEE ICCVE 2013: Second International Conference on Connected Vehicles & Expo (Las Vegas, NV) | EPZ: Endpoint Protection Zone | 2013
IJITN: International Journal of Interdisciplinary Telecommunications and Networking | Measuring Attacker Motivation (Journal) | 2013
ACM InfoSecCD 2012: 2012 Information Security Curriculum Development Conference | A tale of two CTs: IP packets rejected by a firewall (Award) | 2012
ACM InfoSecCD 2012: 2012 Information Security Curriculum Development Conference | Professional association membership (Award) | 2012
• Alrajei, N., Corser, G., Fu, H., Zhu, Y. (2014, February). Energy Prediction Based Intrusion Detection In Wireless Sensor Networks. International Journal of Emerging Technology and Advanced Engineering (IJETAE), Volume 4, Issue 2. (Journal)
• Oluoch, J., Corser, G., Fu, H., Zhu, Y. (2014, April). Simulation Evaluation of Existing Trust Models in Vehicular Ad Hoc Networks. In 2014 American Society For Engineering Education North Central Section Conference (ASEE NCS 2014).
• Alnahash, N., Corser, G., Fu, H. (2014, April). Protecting Vehicle Privacy using Dummy Events. In 2014 American Society For Engineering Education North Central Section Conference (ASEE NCS 2014).
Slide: 50
Method | Technique | MAC Layer | IP, APP Layers
Hiding | Silent period | Unsafe | No service
+ Anonymizing | Mix zone | Unsafe | No service
Anonymizing | PseudoID | OK (1) | OK (1)
+ Dummifying | Cloaking region | Latency: TTP (2) | Congestion
+ Dummifying | Active decoy | OK (2) | Congestion
Dummifying | False data | Unsafe | Congestion
Obfuscating | Noise | Unsafe | Impaired service
All techniques, except active decoy, impair APP-level continuous precise location (CPL) and frequent precise location (FPL) queries. Other problems:
1. Anonymizing problems: pseudoID-to-pseudoID tracking, map deanonymization
2. MAC layer cloaking/decoy problems: too slow for safety beacon, exposes duplicate beacons, complicates authentication/CRL/congestion