International Journal of Computer Trends and Technology (IJCTT) - volume4Issue4 April 2013

Isolation Protection and Location Auditing System for Wireless Networks

G. Anil Kumar, Cheedalla Raghav Sai, Gudipati Shanker
Computer Science Department, MGIT, Hyderabad INDIA
AbstractWe propose a isolation-protection location auditing system for wireless sensor networks. Auditing personal locations with entrusted server poses isolation threats to the monitored individuals. We use two network location anonymization algorithms, namely, resource- and quality-aware algorithms that aim to enable the system to provide high quality location auditing services for system users, while protection personal location isolation. Both algorithms depend on established k-anonymity isolation concept, that is, a person is similar persons, to enable sensor nodes to provide the aggregate location information of monitored persons for the system. To utilize the aggregate location information to provide location auditing services, we use a spatial histogram that estimates the distribution of the monitored objects based on the gathered aggregate location information. Then the estimated distribution is used to provide location auditing services through answering range queries. The results show that our system provides high quality location auditing services for system users and guarantees the location isolation of the monitored persons. Keywords: Location isolation, wireless sensor networks,

location auditing system, aggregate query processing. I. INTRODUCTION The wireless sensor technology has resulted in many new applications for military purposes. These locationdependent systems are realized by using either identity sensors or counting sensors. With identity sensors [2], [3], the system can pinpoint the exact location of each monitored person. The counting sensors [4] report the number of the objects in the sensing area. Unluckily, auditing personal locations with a potentially system poses isolation threats to the monitored individuals, because an attacker could abuse the location data gathered by the system to infer personal private information, location information gathered by the system to infer personal sensitive information [5]. For the location auditing system using identity sensors, the sensor nodes report the exact location data of the monitored objects to the server; thus using identity sensors immediately poses a major isolation threat to location data, that is, a collection of location information relating to a category of persons from which objects identities have been removed, has been suggested as an effective approach to preserve location isolation [6], [7] although the counting sensors by nature provide aggregate location information, they would also pose isolation breaches. Isolation-protection location auditing system for wireless sensor networks to provide auditing services. Our

system relies on the well established k-anonymity isolation concept, which requires each person is indistinguishable among k persons. In our system, each sensor node blurs its sensing area into a cloaked area, in which at least k persons are residing. Each sensor node reports only aggregate location information, which is in a form of a cloaked area, along with the number of persons, N, located in A, where N _ k, to the server. It is important to note that the value of k achieves a trade-off between the strictness of isolation protection and the quality of auditing services. A smaller k indicates less isolation protection, because a smaller cloaked area will be reported from the sensor node; hence better auditing services. However, a larger k results in a larger cloaked area, which will reduce the quality of auditing services, but it provides better isolation protection. Our system can avoid the isolation leakage by providing low quality location auditing services for small areas that the adversary could use to track users, while providing high quality services for larger areas. Thus the adversary cannot infer the number of persons currently residing in a small area from our system output with any fidelity; therefore the adversary cannot know details about the objects in our system. To preserve personal location information, we propose two in-network aggregate location anonymization algorithms, namely, resource- and quality-aware algorithms. The resource-aware algorithm aims to reduce communication and computational cost, while the quality-aware algorithm aims to reduce the size of the cloaked areas, in order to increase the accuracy of the aggregate locations reported to the server. On the other hand, the quality-aware algorithm starts from a cloaked area A, which is computed by the resource-aware algorithm. Then A will be iteratively refined based on extra communication among the sensor nodes until its area reaches the minimal possible size. For both algorithms, the sensor node reports its cloaked area with the number of monitored persons in the area as an aggregate location to the server. We propose a spatial histogram that analyzes the gathered aggregate locations to estimate the distribution of the monitored persons in the system. The estimated distribution is used to answer aggregate queries. The results show that the communication and computational cost of the resource-aware algorithm is lower than the quality-aware algorithm, while the quality-aware algorithm provides more accurate auditing services (the average accuracy is about 90%) than the resource-aware algorithm (the average

ISSN: 2231-2803

http://www.ijcttjournal.org

Page 810

International Journal of Computer Trends and Technology (IJCTT) - volume4Issue4 April 2013
accuracy is about 75%). data mining and databases. A common technique is to perturb the data and to reconstruct distributions at an aggregate level. II. LITERATURE SURVEY A distribution reconstruction algorithm utilizing the Straightforward approaches for protection users' Expectation Maximization (EM) algorithm is discussed in, location isolation include enforcing isolation policies to and the authors showed that this algorithm converges to the restrict the use of collected location information and anonym maximum likelihood estimate of the original distribution zing the stored data before any disclosure. However, these based on the perturbed data. Many of these methods are not approaches fail to prevent internal data thefts or inadvertent appropriate for sensor networks, particularly sensor networks disclosure. Recently, location anonymization techniques have that are deployed for auditing valuable assets. Consequently, been widely used to anonymize personal location information full-fledged isolation solutions are not appropriate, and before any server gathers the location information, in order to lightweight, resource-efficient alternatives should be explored. preserve personal location isolation in location-based services. Sensor networks will be deployed to monitor valuable assets. Pandurang Kamat [10] said that one of the most These techniques are based on one of the three concepts. notable challenges threatening the successful deployment of (1) False locations. Instead of reporting the monitored object's exact sensor systems is isolation. Although many isolation-related location, the object reports n different locations, where only issues can be addressed by security mechanisms, one sensor one of them is the object's actual location while the rest are network isolation issue that cannot be adequately addressed by network security is source-location isolation. Adversaries may false locations [12]. use RF localization techniques to perform hop-by-hop trace(2) Spatial cloaking. The spatial cloaking technique blurs a user's location back to the source sensors location. To achieve improved into a cloaked spatial area that satisfies the user's specified location isolation, we proposed a new family of routing techniques, called phantom routing, for both the flooding and isolation requirements [16]. single-path classes that enhance isolation protection. Phantom (3) Space transformation. This technique transforms the location information of routing techniques are desirable since they only marginally increase communication overhead, while achieving significant queries and data into another space Where, the spatial relationship among the query and data are isolation amplification. Andy Harter [2] describes a sensor-driven, or sentient, encoded [17]. platform for context-aware computing that enables applications to follow mobile users as they move around a a) RELATED LITERATURE D. L. Chaum [13] said that Contextual isolation building. The platform is particularly suitable for richly issues have been examined in the context of general networks, equipped, networked environments. The only item a user is particularly through the methods of anonymous required to carry is a small sensor tag, which identifies them communications. Chaum proposed a model to provide to the system and locates them accurately in three dimensions. Xiaoyan Hong [11] said that in hostile environments, anonymity against an adversary doing traffic analysis. His solution employs a series of intermediate systems called mixes. the enemy can launch traffic analysis against intercept able Each mix accepts fixed length messages from multiple sources routing information embedded in routing messages and data and performs one or more transformations on them, before packets. Allowing adversaries to trace network routes and forwarding them in a random order. In the IP routing space, infer the motion pattern of nodes at the end of those routes onion routing uses this model to provide anonymous may pose a serious threat to covert operations. We propose connections similarly, the Mixmaster remailer is an email ANODR, an anonymous on-demand routing protocol for mobile ad hoc networks deployed in hostile environments. We implementation of Chaum mixes. Reiter [14] said that Chaum mixes provide address two closely related problems: For route anonymity, destination isolation when an attacker knows the source. An ANODR prevents strong adversaries from tracing a packet alternative strategy to anonymity was proposed, where users flow back to its source or destination; for location isolation, are gathered into geographically diverse groups, called ANODR ensures that adversaries cannot discover the real Crowds, to make it difficult for identifying which user makes identities of local transmitters. M. Gruteser [5] said that advances in sensor a Web request. In, a distributed anonymity algorithm was introduced that removes fine levels of detail that could networking and location tracking technology enable locationcompromise the isolation associated with user locations in based applications but they also create significant isolation location-oriented services. For example, a location-based risks. Isolation is typically addressed through isolation service might choose to reveal that a group of users is at a policies, which inform the user about a service providers data specific location, or an individual is located in a vague handling practices and serve as the basis for the users location, but would not reveal that a specific individual is decision to release data. However, isolation policies require user interaction and offer little protection from malicious located at a specific location. Sastry Duri [15] examined the protection of service providers. David Culler [8] said that Wireless sensor networks telematics data by applying isolation and security techniques Protection isolation is an important and challenging task in could advance many scientific pursuits while providing a

ISSN: 2231-2803

http://www.ijcttjournal.org

Page 811

International Journal of Computer Trends and Technology (IJCTT) - volume4Issue4 April 2013
vehicle for enhancing various forms of productivity, including manufacturing, agriculture, construction, and transportation. The individual devices in a wireless sensor network (WSN) are inherently resource constrained: They have limited processing speed, storage capacity, and communication bandwidth. These devices have substantial processing capability in the aggregate, but not individually, so we must combine their many vantage points on the physical phenomena within the network itself. In most settings, the network must operate for long periods of time and the nodes are wireless, so the available energy resourceswhether batteries, energy harvesting, or bothlimit their overall operation. A. Perrig [9] said that wireless sensor networks will be widely deployed in the near future. While much research has focused on making these networks feasible and useful, security has received little attention. We present a suite of security protocols optimized for sensor networks: SPINS. SPINS has two secure building blocks: SNEP and TESLA. SNEP includes: data confidentiality, two-party data authentication, and evidence of data freshness. TESLA provides authenticated broadcast for severely resourceconstrained environments. H. Kido [12] said highly accurate positioning devices enable us to provide various types of location-based services. On the other hand, because such position data include deeply personal information, the protection of location isolation is one of the most significant problems in location-based services. In this technique, such users generate several false position data (dummies) to send to service providers with the true position data of users. Because service providers cannot distinguish the true position data, user location isolation is protected. We also describe a cost reduction technique for communication between a client and a server. B. Bamba [16] presented Isolation Grid a framework for supporting anonymous location-based queries in mobile information delivery systems. The Isolation Grid framework offers three unique capabilities. First, it provides a location isolation protection. Second, it provides fast and effective location cloaking algorithms for location kanonymity and location l-diversity in a mobile environment. Last but not the least, Isolation Grid incorporates temporal cloaking into the location cloaking process to further increase the success rate of location anonymization. P. Kalnis [17] proposed a novel framework to support private location dependent queries, based on the theoretical work on Private Information Retrieval (PIR). This framework does not require a trusted third party, since isolation is achieved via cryptographic techniques. This approach achieves stronger isolation for snapshots of user locations; moreover, it is the first to provide provable isolation guarantees against correlation attacks. This framework is used to implement approximate and exact algorithms for nearestneighbour search. We optimize query execution by employing data mining techniques, which identify redundant computations. III. SYSTEM DESIGN The architecture (figure 1) [2] of our system, where there are three major entities, sensor nodes, server, and system users. We will define the problem addressed by our system, and then describe the detail of each entity and the isolation model of our system.

Figure 1 : System architecture 1) Sensor node: Each sensor node is responsible for determining the number of objects in its sensing area, blurring its sensing area into a cloaked area A, which includes at least k objects, and reporting A with the number of objects located in A as aggregate location information to the server. Our system only requires a communication path from each sensor node to the server through a distributed tree [8]. 2) Server: The server is responsible for collecting the aggregate locations reported from the sensor nodes, using a spatial histogram to estimate the distribution of the monitored objects, and answering range queries based on the estimated object distribution 3) System users: Authenticated administrators and users can issue range queries to our system through either the server or the sensor nodes a) Isolation model: In our system, the sensor nodes constitute a trusted zone, where they behave as defined in our algorithm and communicate with each other through a secure network channel to avoid internal network attacks [9]. Our system also provides anonymous communication between the sensor nodes and the server by employing existing anonymous communication techniques [10], [11]. Thus given an aggregate location R, the server only knows that the sender of R is one of the sensor nodes within R. Our system only allows each sensor node to report a k-anonymous aggregate location to the server the adversary cannot infer an objects exact location with any fidelity. This is a nice isolation-protection feature, because the object count of a small area is more likely to reveal personal location information. IV. ALGORITHMS USED We present our in-network resource- and quality-aware location anonymization algorithms that are periodically executed by the sensor nodes to report their k-

ISSN: 2231-2803

http://www.ijcttjournal.org

Page 812

International Journal of Computer Trends and Technology (IJCTT) - volume4Issue4 April 2013
anonymous aggregate locations to the server for every reporting period. a) The Resource-Aware Algorithm Algorithm 1 outlines the resource-aware location anonymization algorithm. Figure 2 [1] below gives an example to illustrate the resource-aware algorithm, where there are seven sensor nodes, A to G, and the required anonymity level is five, k=5. The dotted circles represent the sensing area of the sensor nodes, and a line between two sensor nodes indicates that these two sensor nodes can communicate directly with each other. In general, the algorithm has three steps. Step 1: The broadcast step. The objective of this step is to guarantee that each sensor node knows an adequate number of objects to compute a cloaked area. To reduce communication cost, this step relies on a heuristic that a sensor node only forwards its received messages to its neighbours when some of them have not yet found an adequate number of objects. Step 2: The cloaked area step. The basic idea of this step is that each sensor node blurs its sensing area into a cloaked area that includes at least k objects, in order to satisfy the kanonymity isolation requirement. algorithm as an initial solution, and then refines it until the cloaked area reaches the minimal possible area, which still satisfies the k-anonymity isolation requirement, based on extra communication between other peers. The quality-aware algorithm initializes a variable current minimal cloaked [2] area by the input initial solution. When the algorithm terminates, the current minimal cloaked area contains the set of sensor nodes that constitutes the minimal cloaked area. In general, the algorithm has three steps. Step 1: The search space step. Since a typical sensor network has a large number of sensor nodes, it is too costly for a sensor node m to gather the information of all the sensor nodes to compute its minimal cloaked area [2]. To reduce communication and computational cost, m determines a search space [12], S, based on the input initial solution, which is the cloaked area computed by the resource-aware algorithm, such that the sensor nodes outside S cannot be part of the minimal cloaked nodes outside S cannot be part of the minimal cloaked area. We will describe how to determine S. Thus gathering the information of the peers residing in S is enough for m to compute the minimal cloaked area for m. Step 2: The minimal cloaked area step. This step takes a set of peers residing in the search space, S, as an input and computes the minimal cloaked area for the sensor node m. Although the search space step [12] already prunes the entire system space into S, exhaustively searching the minimal cloaked area [2] among the peers residing in S, which needs to search all the possible combinations of these peers, could still be costly. Thus we propose two optimization techniques to reduce computational cost. The basic idea of the first optimization technique is that we do not need to examine all the combinations of the peers in S; instead, we only need to consider the combinations of at most four peers. The rationale behind this optimization is that an MBR [2] is defined by at most four sensor nodes because at most two sensor nodes define the width of the MBR (parallel to the x-axis) while at most two other sensor nodes define the height of the MBR (parallel to the yaxis). Thus this optimization mainly reduces computational cost by reducing the number of MBR computations among the peers in S. The second optimization technique has two properties, lattice structure and monotonicity property. We first describe these two properties, and then present a progressive refinement approach for finding a minimal cloaked area V. EXPERIMENTAL RESULTS AND ANALYSIS In this section, we show and analyze the experimental results with respect to the isolation protection and the quality of location auditing services of our system. a) Anonymization Strength

Figure 2: Resource Aware Anonymization Step 3: The validation step. The objective of this step is to avoid reporting aggregate locations with a containment relationship to the server. b) The Quality-Aware Algorithm Algorithm 2 outlines the quality-aware algorithm[12] that takes the cloaked area computed by the resource-aware

ISSN: 2231-2803

http://www.ijcttjournal.org

Page 813

International Journal of Computer Trends and Technology (IJCTT) - volume4Issue4 April 2013
Figure below depicts the resilience of our system to the attacker model with respect to the anonymity level and the number of objects. In the figure, the performance of the resource- and quality-aware algorithms is represented by black and gray bars, respectively. Figure a depicts that the stricter the anonymity level, the larger the attacker model error will be encountered by an adversary. When the anonymity level gets stricter, our algorithms generate larger cloaked areas, which reduce the accuracy of the aggregate locations reported to the server. Figure b shows that the attacker model error reduces, as the number of objects gets larger. This is because when there are more objects, our algorithms generate smaller cloaked areas, which increase the accuracy of the aggregate locations reported to the server. It is difficult to set a hard quantitative threshold for the attacker model error. However, it is evident that the adversary cannot infer the number of objects in the sensor nodes sensing area with any fidelity. our algorithms increases. To satisfy the stricter anonymity levels, our algorithms generate larger cloaked areas. For the quality-aware algorithm, since there are more peers in the required search space when the input (resource- aware) cloaked area gets larger, the computational cost of computing the minimal cloaked area by the quality- aware algorithm and the basic approach gets worse . However, the quality-aware algorithm reduces the computational cost of the basic approach by at least four orders of magnitude. Larger cloaked areas give more inaccurate aggregate location information to the system, so the estimation error increases as the required k-anonymity increases. The quality-aware algorithm provides much better quality location auditing services than the resource-aware algorithm, when the required anonymity level gets stricter.

Figure 4 (a): Cloaked Area Figure 3 (a): Anonymity Levels

Figure 4 (b): Communication Cost

Figure 3 (b): Number of objects b) Effect of Isolation Requirements Figure depicts the performance of our system with respect to varying the required anonymity level k from 5 to 200. When the k-anonymity isolation requirement gets stricter, the sensor nodes have to enlist more peers for help to blur their sensing areas; therefore the communication cost of

ISSN: 2231-2803

http://www.ijcttjournal.org

Page 814

International Journal of Computer Trends and Technology (IJCTT) - volume4Issue4 April 2013
[3] N. B. Pr i ya n th a , A. Cha kr a bor t y, an d H. Ba l a kr i shn an, .Th e cr i cket l oca t i on -supp ort s yst em , i n Proc . of Mobi Com , 2000. [4] B. S on , S. Shin , J. Kim , an d Y. Her , . Im pl em en ta t i on of t h e r ea l ti m e peop l e c oun t in g syst em usi n g wi r el ess s en sor n et wor ks, IJ MUE , vol . 2, n o. 2, pp. 63. 80, 2007. [5] M. Gruteser, G. Schelle, A. Jain, R. Han, and D. Grunwald, Isolation-aware location sensor networks,. in Proc. of HotOS, 2003. [6] Location Isolation Protection Act of 2001, http://www.techlawjournal.com/cong107/ isolation/location/s1164is.asp. [7] Title 47 United States Code Section 222 (h) (2), http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=browse usc&do%cid=Cite:+47USC222. [8] D. Culler and M. S. Deborah Estrin, .Overview of sensor networks. IEEE Computer, vol. 37, no. 8, pp. 41.49, 2004. [9] A. Perrig, R. Szewczyk, V. Wen, D. E. Culler, and J. D. Tygar,.SPINS: Security protocols for sensor netowrks,. in Proc. of MobiCom, 2001. [10] P. Kamat, Y. Zhang,W. Trappe, and C. Ozturk, .Enhancing source location isolation in sensor network routing,. in Proc. of ICDCS, 2005. [11] J. Kong and X. Hong, .ANODR: Anonymous on demand routing with untraceable routes for mobile adhoc networks,. in Proc. Of MobiHoc, 2003. [12] H. Kido, Y. Yanagisawa, and T. Satoh, .An anonymous communication technique using dummies for location-based services,. In Proc. of ICPS, 2005. [13] D. L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):8488, 1981. [14] M. Reiter and A. Rubin, Crowds: anonymity for web transactions, ACM Transactions on Information and System Security, vol. 1, pp. 6692, 1998. [15] Sastry Duri, Marco Gruteser, Xuan Liu, Paul Moskowitz, Ronald Perez, Moninder Singh, and Jung-Mu Tang. Framework for security and isolation in automotive telematics. In 2nd ACM International Worksphop on Mobile Commerce, 2002. [16] B. Bamba, L. Liu, P. Pesti, and T. Wang, .Supporting anonymous location queries in mobile environments with isolationgrid,. In Proc. of WWW, 2008. [17] G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, and K.-L. Tan,. Private queries in location based services: Anonymizers are not necessary,. In Proc. of SIGMOD, 2008.

Figure 4 (c): Computational Cost VI.CONCLUSION In this paper, we propose a isolation-protection location auditing system for wireless sensor networks. We design two in-network location anonymization algorithms, namely, resource- and quality-aware algorithms that preserve personal location isolation, while enabling the system to provide location auditing services. Both algorithms rely on the well-established k-anonymity isolation concept that requires a person is indistinguishable among k persons. In our system, sensor nodes execute our location anonymization algorithms to provide k- anonymous aggregate locations, in which each aggregate location is a cloaked area A with the number of monitored objects, N , located in A, where N k, for the system. The resource-aware algorithm aims to minimize communication and computational cost, while the quality-aware algorithm aims to minimize the size of cloaked areas in order to generate more accurate aggregate locations. To provide location auditing services based on the aggregate location information, we propose a spatial histogram approach that analyzes the aggregate locations reported from the sensor nodes to estimate the distribution of the monitored objects. The estimated distribution is used to provide location auditing services through answering range queries. We evaluate our system through simulated experiments. The results show that our system provides high quality location auditing services (the accuracy of the resource-aware algorithm is about 75% and the accuracy of the qualityaware algorithm is about 90%), while protection the monitored objects location isolation. VII. REFERENCES [1] Ch i -Yin Ch ow, Moh a m ed F. Mokbel , T ian He. A Isol a t i on -Pr ot e ct i on L oca t i on Audi t in g Syst e m for Wi r el ess Sen s or Net wor ks i n IEE E VOL. 10, NO. 1, Jan 2011. [2] A. Ha rt er , A. Hopp er , P. St eggl es, A. Ward, a n d P. We bst er , . Th e an a t om y of a con t ext -a wa r e a ppl i ca t i on, . in Proc . of Mobi Com , 1999.

ISSN: 2231-2803

http://www.ijcttjournal.org

Page 815