Citation
Privacy Preserving Techniques in Mobile Networks

Material Information

Title:
Privacy Preserving Techniques in Mobile Networks
Creator:
Liu, Xinxin
Place of Publication:
[Gainesville, Fla.]
Publisher:
University of Florida
Publication Date:
Language:
English

Thesis/Dissertation Information

Degree:
Doctorate ( Ph.D.)
Degree Grantor:
University of Florida
Degree Disciplines:
Computer Engineering
Computer and Information Science and Engineering
Committee Chair:
Li, Xiaolin
Committee Members:
Chen, Shigang
Mcnair, Janise Y
Helmy, Ahmed Abdelghaffar
Fang, Yuguang
Graduation Date:
5/4/2013

Subjects

Subjects / Keywords:
Coordinate systems ( jstor )
Energy consumption ( jstor )
Entropy ( jstor )
Game theory ( jstor )
Location based services ( jstor )
Mobile devices ( jstor )
Pseudonyms ( jstor )
Sensors ( jstor )
Simulations ( jstor )
Trajectories ( jstor )
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
Genre:
Electronic Thesis or Dissertation
bibliography ( marcgt )
theses ( marcgt )
Computer Engineering thesis, Ph.D.

Notes

Thesis:
Thesis (Ph.D.)--University of Florida, 2013.
Local:
Adviser: Li, Xiaolin.
Electronic Access:
INACCESSIBLE UNTIL 2015-05-31
Statement of Responsibility:
by Xinxin Liu.

Record Information

Source Institution:
University of Florida
Holding Location:
University of Florida
Rights Management:
Copyright by Xinxin Liu. Permission granted to University of Florida to digitize and display this item for non-profit research and educational purposes. Any reuse of this item in excess of fair use or other copyright exemptions requires permission of the copyright holder.
Embargo Date:
5/31/2015
Classification:
LD1780 2013 ( lcc )

Full Text

PRIVACY PRESERVING TECHNIQUES IN MOBILE NETWORKS

By XINXIN LIU

A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

UNIVERSITY OF FLORIDA

2013

© 2013 Xinxin Liu

My dearest thanks I dedicate to my father for his endless love, constant support, and caring and the joy he has brought to my life.

ACKNOWLEDGMENTS

I would like to express my sincere gratitude to the many who have helped me through graduate school. First and foremost, I would like to thank my advisor, Professor Xiaolin (Andy) Li, for his invaluable guidance and support throughout my graduate study at both University of Florida and Oklahoma State University. He has helped me to see life and science in their full depth, and taught me to appreciate the good scientific work that helps other researchers to build on it. I am also grateful to Professor Yuguang (Michael) Fang, one of the best mentors I have ever met, for his sound advice, patience, and encouragement, and for giving me the opportunity to learn from and collaborate with these excellent researchers at Wireless Network Laboratory (WINET). I also would like to thank Professor Shigang Chen, Professor Ahmed Helmy, and Professor Janise McNair for serving on my supervisory committee and for their great help in various stages of my work and career.

Before transferring to University of Florida, I had the good fortune of working with many excellent mentors who taught me the value of teaching and research. I would like to thank Dr. John Chandler, Dr. K. M. George, Dr. Douglas R. Heisterkamp, Dr. Subhash Kak, Dr. Nohpill Park, and Dr. Johnson Thomas for their wonderful lectures and invaluable guidance.

I would also like to extend my thanks to all the members in S3 Lab and WINET laboratory for providing me a warm, family-like environment, and for their collaboration and insightful advice. I specially thank Dr. Huanyu Zhao, Xin Yang, Ze Yu, Min Li, Kaikai Liu, Di Wang, Li Yu, Rui Yang, Xing Mao, Shivam Tivari, Dr. Miao Pan, Hao Yue, Linke Guo, Huang Lin, Yuanxiong Guo, Dr. Zongrui Ding, Dr. Guoliang Yao, and the list goes on and on. Laughter and many great parties together have witnessed our friendship.

Most of all, I owe a special debt of gratitude to my husband Han Zhao for his faithful love and unconditional support. I don't know what my life would be without you standing by my side and sharing the joys and tears with me. You are like the sunshine, always giving me the feeling of warmth, hope and peace. I would also love to say thank you to my loving parents, for their constant support and for making me who I am.

I thank the University of Florida and Oklahoma State University for their generous support of my graduate studies. My work has also been funded by National Science Foundation grant CCF-0953371, CCF-1128805, OCI-0904938, CNS-0709329, and CNS-0916391.

TABLE OF CONTENTS

ACKNOWLEDGMENTS
LIST OF TABLES
LIST OF FIGURES
ABSTRACT

CHAPTER

1 INTRODUCTION
  1.1 Mobile Networks: An Overview
  1.2 Understanding Privacy
  1.3 Scope and Organization of the Dissertation

2 PRIVACY PRESERVATION USING MULTIPLE MIX ZONES
  2.1 Chapter Overview
  2.2 Related Work
  2.3 System Model
    2.3.1 Architecture Overview
    2.3.2 Mix Zone Implementation
    2.3.3 Mix Zone Effectiveness Measurement
  2.4 Threat Model
  2.5 Privacy Preservation Metric
    2.5.1 Graph Model
    2.5.2 Privacy Metric
  2.6 Uniform Traffic Mix Zone Deployment
    2.6.1 Problem Formulation
    2.6.2 Heuristic Algorithm
  2.7 Traffic-Aware Mix Zone Placement
    2.7.1 Problem Formulation
    2.7.2 Heuristic Algorithms
      2.7.2.1 Non-uniform traffic mix zone placement
      2.7.2.2 Priority-aware non-uniform traffic mix zone placement
  2.8 Performance Evaluation
    2.8.1 Simulation Setup
    2.8.2 Mobility Trace Characteristics
    2.8.3 Protection Effectiveness
    2.8.4 Resilience to Inferential Attack
    2.8.5 Complexity
  2.9 Chapter Summary

3 PRIVACY PRESERVATION USING GAME-THEORETIC APPROACH
  3.1 Chapter Overview
  3.2 Related Work
  3.3 Preliminaries
    3.3.1 System Model for Location Based Services
    3.3.2 Threat Model
    3.3.3 Location Privacy Metric
      3.3.3.1 Degree of Privacy (DoP)
      3.3.3.2 Valuation of Privacy (VoP)
  3.4 Problem Statement
    3.4.1 Dummy User Generation
    3.4.2 Problem Description
  3.5 The Dummy User Generation Game
    3.5.1 Game Model
    3.5.2 Bayesian Nash Equilibrium of DUG Game
  3.6 The Timing-aware Dummy User Generation Game
    3.6.1 Extension to DUG Game
    3.6.2 Bayesian Nash Equilibrium of T-DUG Game
  3.7 A Distributed Algorithm for Strategy Optimization
  3.8 Performance Evaluation
    3.8.1 Analysis of Data Trace
    3.8.2 Results
  3.9 Chapter Summary

4 PRIVACY PRESERVATION USING LOGICAL COORDINATES
  4.1 Chapter Overview
  4.2 Related Work
    4.2.1 Data Source Privacy
    4.2.2 Data Sink Privacy
    4.2.3 Energy Efficient Routing
  4.3 Network and Adversary Model
    4.3.1 Network Model
    4.3.2 Adversary Model
    4.3.3 Privacy Protection Goal
  4.4 SinkTrail Protocol Design
    4.4.1 SinkTrail Protocol with One Mobile Sink
      4.4.1.1 Logical coordinate space construction
      4.4.1.2 Destination identification
      4.4.1.3 Greedy forwarding
    4.4.2 SinkTrail Protocol with Multiple Mobile Sinks
    4.4.3 SinkTrail-S Protocol
  4.5 Performance Evaluation
    4.5.1 Privacy Protection
    4.5.2 Communication Cost Analysis
    4.5.3 Simulation Results
  4.6 Impact Factors of Energy Consumption
    4.6.1 Impact of Moving Patterns of a Mobile Sink
    4.6.2 Impact of Number of Mobile Sinks
    4.6.3 Impact of Broadcasting Frequency
  4.7 Chapter Summary

5 CONCLUSION AND FUTURE DIRECTIONS
  5.1 Dissertation Summary
  5.2 Future Directions

REFERENCES
BIOGRAPHICAL SKETCH

LIST OF TABLES

2-1 Notations for Privacy Preservation Using Multiple Mix Zones
3-1 Notations for Privacy Preservation using Game-Theoretic Approach
4-1 Notations for Privacy Preservation using Logical Coordinates

LIST OF FIGURES

2-1 A mix zone example.
2-2 System model for a typical mobile network.
2-3 Side information and user trace example in an abstracted POI graph.
2-4 An example of abstracted graph consisting of POIs registered by some application servers in Gainesville Florida.
2-5 User trajectory and pseudonym associated vertex pairs.
2-6 Execution snapshot of our heuristic algorithms.
2-7 Mobility trace characteristics.
2-8 Total number of pairwise associations
2-9 Comparison of mix zone locations between CPLEX's solution and heuristic algorithms
2-10 Attack success rate under different traffic and mix zone deployment situations
2-11 Comparison of execution time between standard ILP solver and the proposed heuristic algorithms
3-1 System model: Users, Localization/Communication Service Infrastructure, and LBS Servers
3-2 An example of inference attack based on side information.
3-3 A snapshot showing how dummy users are used to protect against the inference attack.
3-4 Statistical analysis of the privacy data trace.
3-5 Favorable outcome rate of DUG and T-DUG game.
3-6 Achieved DoP and timing decisions of players: b = 1 (normalized) and ' = 2.
4-1 Data gathering with one mobile sink.
4-2 Example execution snapshot of SinkTrail.
4-3 Example execution snapshot of SinkTrail of multiple mobile sinks scenario.
4-4 An illustrative example to show that mobile sink's movement has less impact on remote sensor nodes than immediate ones.
4-5 Performance comparison between SODD and SinkTrail.
4-6 Performance comparison between SinkTrail protocol and SinkTrail-S protocol.
4-7 Representative mobile sink moving patterns.
4-8 Impact of mobile sink's moving pattern.
4-9 Impact of the number of mobile sinks.
4-10 Impact of broadcast frequency.

Abstract of Dissertation Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

PRIVACY PRESERVING TECHNIQUES IN MOBILE NETWORKS

By Xinxin Liu

May 2013

Chair: Xiaolin (Andy) Li
Major: Computer Engineering

With the fast development in miniature hardware and wireless communication technologies, mobile wireless communication devices have been tightly connected with the outer environment and pervasively used in many human activities. The various types of sensors equipped on these mobile devices enable them to conveniently collect context information and provide users with personalized service on-the-go. Although such personalized services greatly benefit people's daily life, they also bring in unprecedented privacy threats, for example, the potential leakage of the information retrieved or provided by these users, and the potential leakage of the interaction patterns among users and between users and the outer environment.

In this dissertation, we propose multiple privacy preserving techniques against several types of privacy threats that target users in a mobile network environment. Specifically, we investigate the location privacy protection problem for mobile users in the following two application scenarios: location based services and information retrieval from pervasively deployed sensor networks. We concisely define and formally analyze the adversary models, and devise privacy protection mechanisms according to the unique characteristics of each adversary model.

Our contributions are manifold. First, for privacy protection in location based services, we identify and formally analyze a new type of inferential attacks, i.e., attacks based on side information. Second, we propose a centralized approach using multiple mix zone deployment to tackle such side information based inferential attack [53, 55]. This approach features high scalability while incurring very low cost to users. Third, to provide users with control over their own privacy protection, we propose a distributed approach utilizing dummy users [54]. This approach implements fine-grained privacy protection based on each user's privacy requirements. Using game-theoretic models, we formally prove the effectiveness of our approach. Fourth, to protect the current location of a mobile user when interacting with pervasively deployed wireless sensor networks, we propose an energy efficient and privacy preserving routing protocol [56, 57]. The effectiveness of our proposed research is demonstrated through formal proof as well as simulation and experiments.

CHAPTER 1
INTRODUCTION

1.1 Mobile Networks: An Overview

The past few decades have witnessed a surge of growth of mobile wireless communication devices. Starting from 1973 as a marginal feature, mobile handheld communication devices have now become a worldwide phenomenon. Nowadays, 80% of the world's population has a mobile phone, and there are more than 5 billion mobile phones worldwide [30]. People use cell phones to make calls, exchange short messages (SMS), even access the internet. According to a new report by Walker Sands [74], mobile devices now make up about 23.1% of web traffic in the US alone. The mobile devices are equipped with radio transmission components, as well as increasingly powerful computing and storage capabilities. Together, they form a wireless communication network called a mobile network.

A mobile network is established by either relying on an underlying infrastructure or in a self-organizing peer-to-peer fashion. An example for the infrastructure based mobile network is the cellular network. With the help of cellular infrastructure, mobile phones provide people with the convenience of staying connected with each other from anywhere and at any time. An example of the self-organized mobile network can be found in military communications. When setting up a fixed infrastructure in enemy territories or inhospitable terrains is impossible, mobile devices carried by soldiers transmit or relay messages whenever two devices are within each other's communication range.

The proliferation of mobile devices and mobile networks not only makes people communicate more easily, but also introduces various new types of information and entertainment services. These services leverage the context information of a user, i.e., the rich information that is collected by the multi-modal sensors equipped on a mobile device, to achieve personalization and improve their service quality. For example, the wide popularity of smartphones empowers people to retrieve information based on their current location or environment. Such context-based services and mobile applications have significantly altered people's lifestyles. Furthermore, other wireless communication devices, such as sensors installed along the roads or buses, and vehicles equipped with GPS and wireless communication capabilities, also provide people with much more accurate and up-to-date information for navigation and traffic prediction. As a result, the ubiquitous mobile devices that are both deeply embedded into the environment as well as tightly coupled with human activities foreshadow the future of pervasive computing.

1.2 Understanding Privacy

Privacy is a concept of increasing importance. With the fast advances in technologies, sharing information becomes extremely easy for users of mobile devices. As the shared information demonstrates many personal characteristics and preferences of the users, it is of great interest to advertisers as well as adversarial parties. As a result, more and more privacy breaches are found and reported, and privacy has been the topic of heated discussion for the past few years. However, the term privacy is an umbrella term that covers a wide and varied group of related things. In the broad sense, privacy means the relief from a range of social friction, and it enables people to engage in worthwhile activities in ways that they would otherwise find difficult or impossible [81]. It is well accepted that the privacy problem is difficult to articulate precisely and concretely without first giving a specific real world scenario.

In this dissertation, we focus on the privacy problems concerning context information of a mobile user. Privacy vulnerability when using a mobile device comes from three sources: (1) the potential leakage of interaction among users of wireless communication devices, (2) the potential leakage of interaction patterns between a user and the outer environment, (3) the potential leakage of the type of information that these users retrieve or provide. For example, the sojourn time of a user at some specific location may indicate the home or work address of that person. Also, information queries about nearby movie theaters that come from a user's mobile communication device may lead to the exposure of the user's current location as well as his/her planned activities. Even though the content of the messages provided by or exchanged between mobile devices can be protected through many security mechanisms, the context information, especially the location information of a user, can be easily inferred or eavesdropped through the wireless transmission media. Serious consequences may result from the revelation of a user's context information. In view of this problem, the topic of this dissertation is the design of privacy preserving techniques in mobile networks to help users obtain the same kinds of services without sacrificing their privacy.

1.3 Scope and Organization of the Dissertation

This dissertation contributes to the investigation of several privacy threats in different mobile network environments, and the design of privacy preservation mechanisms in these mobile networks.

Chapter 2 and Chapter 3 study the problem of protecting users' locations and moving trajectories in location based services. Since users who subscribe to location based services need to update their location information periodically using some kind of pseudonym, their information is vulnerable to inferential attack, where an attacker, with the help of collected accidental real identity leakage, unveils the corresponding real identity behind a pseudonym and obtains an extended view of this user's trajectory [60, 86]. To defend against the inferential attack, we propose two approaches. In Chapter 2, we propose a centralized approach using multiple mix zones for generalized privacy protection. We formally model the mix zone location selection problem, and design an efficient algorithm to solve it. In Chapter 3, we design a distributed privacy protection scheme, where each user is able to make decisions based on his/her own privacy requirements.

In Chapter 4, we study the location privacy protection problem in wireless sensor networks. With the proliferation of mobile devices and the wide deployment of sensor networks, more and more applications suggest using mobile devices as data sinks to collect data from a sensor network. This approach raises the problem of protecting both mobile sinks' and data sources' location information. We propose an energy efficient data collection protocol, named SinkTrail, which preserves location privacy for both data sinks and sensor nodes. The protection effectiveness is analyzed, and the energy efficiency of SinkTrail is validated.

CHAPTER 2
PRIVACY PRESERVATION USING MULTIPLE MIX ZONES

2.1 Chapter Overview

The rapid development of positioning technologies and proliferation of mobile devices have led to the flourish of personalized mobile services based on users' locations, known as Location-Based Services (LBS). Utilizing the underlying network infrastructure, LBS applications are capable of tracking a user's movement and delivering information based on the user's current geographic location. A wide range of mobile LBS applications have been developed to aid people's daily activities, including GPS navigation, social events and friends recommendations, mobile advertising, location-based game [76], etc. According to a recent study conducted by Strategy Analytic, with the increasing consumer demands such as search, maps or navigation, LBS is envisioned to become an over $10-billion-per-year business by year 2016 [2].

Although LBS significantly benefits mobile users, privacy issues arise during the process of collecting, storing, and sharing of users' location information. Users who subscribe to LBS typically have little control over the extent to which their location information is revealed, or with whom the service providers, e.g., smartphone companies and app companies, are sharing this information. Even though users are represented by pseudonyms instead of their real identities in an application, such long-term pseudonyms are vulnerable to inferential attacks, where an attacker, with the help of collected accidental real identity leakage, unveils the corresponding real identity behind a pseudonym and obtains an extended view of this user's trajectory [60, 86]. Such real identity leakage, e.g., identity leakage when using a credit card at a coffee shop, is known as side information.

We use the following example to illustrate the importance of location privacy protection against such attacks. Suppose user Alice, represented by pseudonym Alice123, uses LBS at a shopping plaza to query nearby restaurants. She may not mind others finding out that Alice123 corresponds to Alice, and therefore discovering her current location. However, when she later enters a specialized hospital and does not want to share this information with others, revealing the fact that Alice123 is Alice becomes a more serious problem (especially when Alice is a well-known public figure). Consequences such as stalking and/or physical crimes may happen due to such revelation of a user's real identity and complete moving trajectory.

Location privacy preservation in mobile environments is challenging for two reasons. First, wireless communications are easy to intercept, e.g., an eavesdropper can collect transmitted information of mobile users at a certain public place. Besides, since people are publicly observable, context information can easily be obtained from their conversations or behaviors. As a result, partial trajectory information associated with a user's real identity is inevitably exposed to the eavesdropper. Second, the limited resources of mobile devices greatly restrict the Privacy-Enhancing Technologies (PET) one could apply and deploy in a wireless network. Consequently, current PET solutions rest on simple schemes to hide the real identity of a mobile user from a passive adversary, rather than complex cryptographic technologies commonly used in wired networks.

Figure 2-1. A mix zone example. Rectangular area: a mix zone deployed at road intersection. Arrows that begin or end with dots: perceivable user moving trajectory. Dashed lines: user moving trajectories not perceivable by LBS applications.

To deal with these challenges, a common model for privacy preservation is the mix zone model originally proposed by Beresford and Stajano [7]. A mix zone refers to a service restricted area where mobile users can change their pseudonyms so that the mappings between their old pseudonyms and new pseudonyms are not revealed. A mix zone of k participants therefore becomes a k-anonymization region. For example, Figure 2-1 shows a mix zone, indicated by the rectangle, deployed at a road intersection. Five users with pseudonyms A-E enter the mix zone from different entrances and exit with a different set of pseudonyms F-J at approximately the same time. The links between old and new pseudonyms are not observable by any outsider. This change effectively mixes the identities of all users to achieve privacy preservation. To ensure mixing effectiveness, a mix zone typically requires the following conditions to be satisfied:

- At some specific time, there are at least k users inside the mix zone.
- A user enters the mix zone at an entry point, and leaves at an exit point. The probabilities of transition between any entry point and exit point are equally likely.

Despite the k-anonymity provided by the mix zone concept, deploying a single mix zone in a large area will not provide sufficient protection. In this paper, we address the problem of optimal multiple mix zones placement to enhance the effectiveness of privacy preservation. Using graph theory, we characterize properties and constraints of the cost-constrained deployment optimization problem, and build a formal mathematical model with the objective of minimizing pairwise information correlation (measured by pairwise node connectivity) over all possible mix zone placement locations. Our contributions can be summarized as follows:

- We investigate a new type of attack, i.e., side information based attack, and we propose a new metric to quantify the system's resilience to the side information based attack model [60].
- We present an optimization formulation with realistic deployment constraints to model the multiple mix zones placement problem. Since this formulation is NP-hard, we propose several heuristic algorithms as practical means for finding sub-optimal solutions to the optimization problem.
- We verify the effectiveness of our solution through extensive simulations using real-world mobile user traces.

The rest of this chapter is organized as follows. Section 2.2 summarizes related research in the literature. Section 2.3 presents the system model and a description of the software level implementation of mix zones. Section 2.4 discusses the adversary model. Section 2.5 proposes our privacy metric. Section 2.6 formulates the mix-zone placement problem under uniform traffic condition in the Integer Linear Programming (ILP) form, and provides a heuristic algorithm as an efficient way for finding the sub-optimal solution. Section 2.7 further extends the ILP formulation to incorporate traffic impacts, and discusses two heuristic algorithms to solve the multiple mix zone placement problem. Section 2.8 presents the simulation results of our proposed algorithms using real-world mobility trace files. Finally, Section 2.9 concludes the paper.

2.2 Related Work

Location privacy issues in mobile computing environments have received significant attention in recent years. An early study [6] showed that location-tracking LBS (locations are tracked by other parties) generates more concerns of privacy leaking than position-aware LBS (device's self-awareness of its current location) for mobile users. Hence, most existing works focus on the location-tracking LBS model and assume the presence of a centralized trusted anonymization server.

The most popular technique to achieve the desired level of privacy preservation is to degrade the resolution of location information in a controlled way. This has led to a large number of location perturbation and obfuscation schemes proposed in the last decade. For example, spatial cloaking [26, 31] allows obfuscation of a mobile user's exact location using cloaked spatial areas to meet pre-specified anonymity constraints, such as k-anonymity. However, spatial cloaking may result in a severe degradation of service quality due to the large cloaked area over an extended time period [10]. Therefore, it is in general not suitable to protect privacy in a network-constrained mobile environment such as road networks [88].

An alternative approach for location perturbation and obfuscation is to restrict locating of mobile user position in certain areas, known as the mix zone model [6]. A mix zone often covers a small area, e.g., a road intersection, and allows users to change pseudonyms within the area. Due to its ability to reduce the linkability between identity and trajectory, mix zone deployment over road intersections has gained popularity in vehicular networks. Given the presence of a global passive adversary, Freudiger et al. [24] proposed the CMIX protocol to create cryptographic mix zones at road intersections. Dahl et al. [15] improved the cryptographic approach by fixing the key establishment protocol in CMIX. A more sophisticated protocol, MobiMix [70], improved attack resilience by considering various factors, e.g., traffic density, user movement patterns, etc. All these approaches do not consider the optimal placement of multiple mix zones. Huang et al. [34] proposed to use cascading mix zones. However, their investigation focused on evaluating the QoS implication on real-time applications, rather than protection effectiveness of using multiple mix zones. Shin et al. [78] proposed a request partitioning method to increase the unlinkability of different requests over time.

The most related research to our work is presented in [25], where the authors analyzed the optimal placement of multiple mix zones with combinatorial optimization techniques. Our work is distinctive in the following aspects: (1) compared with the flow-based metric used in [25], the accumulated pairwise location associations is more appropriate to capture the global placement effects; (2) based on this metric, our optimal placement strategy is capable of handling a recently emerging side information based attacking model [60] in addition to the simple passive adversary model; and (3) we consider the impact of traffic density at each mix location to enhance the attack resilience.

Figure 2-2. System model: Users, Communication/Location Service Infrastructure, and Application server

2.3 System Model

2.3.1 Architecture Overview

The Location-Based Service (LBS) system discussed in this paper consists of three major components: Users, Communication/Location Service Infrastructure (CLSI), and third-party Applications Servers, as depicted in Figure 2-2. Similar system models are commonly found in the literature, e.g., [48, 80]. In such systems, communications happen between users and CLSI, and between CLSI and third-party applications. At any time, the LBS users use their real identities (most likely the identifier associated with their devices) to actively or passively update their location information to CLSI. CLSI camouflages the users' real identities with pseudonyms, and updates the users' location information to third-party applications. Users cannot bypass CLSI and talk directly with third-party applications; otherwise, the applications can trivially obtain the real user identities as well as the users' complete trajectories.

A specific application is interested in a set of locations on the map, referred to as Point-Of-Interests (POIs). The physical positions of these POIs may be at roadside or road intersections. The application will register these POIs to CLSI. Whenever a user is approaching one of the POIs, the application will be notified by CLSI, and it will send service information through CLSI back to the user.

For example, consider a gas-price application designed to provide gas station information tailored to each user's preference around the user's current location in Gainesville, Florida. The application registers all gas stations as POIs at CLSI. Now suppose a subscribed user Alice is driving from home to her workplace. The gas-price application will continuously display up-to-date gas prices at neighborhood gas stations along Alice's route. To implement this functionality, the gas-price application will record Alice's preferences and require CLSI to periodically send Alice's location information as callbacks so that the price information at the nearest gas station can be retrieved and reported back to Alice.

The location updates that occur during the service period result in a trajectory file recording a user's footprints. Each entry in the trajectory file is a 3-tuple:. Based on the trajectory record of Alice, one can estimate the time when Alice arrives at each POI along her complete trajectory. Using a long-term pseudonym is vulnerable to privacy attacks, since one accidental leakage of real identity will result in a user's whole trajectory being compromised. For better privacy preservation, we will employ the mix zone model to break the continuity of a user's trajectory. The following notations are listed to ease the presentation in the later sections.

Table 2-1. Notations for Privacy Preservation Using Multiple Mix Zones

Symbol | Definition
$\{P_i\}$ | a set of registered locations within certain range, e.g., POIs in a city, where (i = 1, 2, ..., n)
$u_x$ | user x's pseudonym in the system
$v_x$ | user x's real identity present in the side information
$T_{u_x}(t_i)$ | per-user time-based function used to describe the location traces collected by an adversary, where (i = 1, 2, ..., m; x = 1, 2, ..., n); $t_i$ indicates the time when $u_x$'s location is reported by CLSI
$S_{v_x}(t_{i'})$ | the side information obtained by an adversary, where (i = 1, 2, ..., ; x = 1, 2, ..., )

PAGE 25

2.3.2MixZoneImplementationAlthoughthetheoreticalmixzonemodeldiscussedinSection 2.1 seemstobeeffectiveinprotectingauser'sprivacy,thesetwoconditions,i.e.,kusersexistinamixzoneatsomepointoftimeandusershaverandommovingpaths,maynotbeeasilysatisedinrealworld,especiallyonaroadnetwork[ 70 ].Asignicantamountofresearch[ 8 24 70 ]hasbeendevotedtoinvestigatingtheoptimalsizeandshapeofasinglemixzonedeploymenttoachievedesiredprivacyprotection.Targetingatvehicularnetworks,existingsinglemixzoneconstructionmethodsarenotsuitablefortheLBSsystemmodel,becauseLBSuserscanbepedestriansthatarenotconnedtovehiclemovingpatterns.BasedonthesystemmodelpresentedinSection 2.3.1 ,weproposetoestablishamixzonebyCLSIatthesoftwarelevel.AmixzoneplaceisselectedbyCLSIfromthesetofregisteredPOIs,fPig,(i=1,2,...,n).OncePiischosenasaplacefordeployingamixzone,asquareshapephysicalboundarywillbesetbyCLSI.RefertoFigure 2-1 asanexample.ThesizeofthemixzoneisdeterminedbyCLSIaccordingtothegeneraltrafccondition.Sothat,kusers,onaverage,willpresentinsidethemixzonewithinacertainperiodoftime.Wheneverausercrosstheboundaryandentersthemixzone,CLSIwillstopalllocationupdatesfromthisuseruntiltheuserexitsfromthemixzone.CLSIwillgiveasetofnewpseudonymstotheusersleavingPi.Suchasoftwarelevelmixzoneestablishmentapproachhasconsiderableexibilityoverphysicaldeploymentofmixzones,becausethelocationandthesizeofthemixzonesarenotconstrainedbyterrestrialbordersandcanbeeasilyadjusted.Moreover,thesoftwarelevelmixzoneestablishmentcanachievek-anonymityforgeneralcase.Finally,multiplemixzonescanbeestablishedbyCLSIalongsideauser'sroutewithmuchlesseffortthanphysicaldeployment.Consequently,theuser'scontinuoustrajectoryisbrokenintoasetofdiscretesegments,whereeachsegmentisassociated 25

with a unique pseudonym. This causes an adversary to lose the tracking target. Each single mix zone lowers the privacy risk in the user's next trajectory segment.

2.3.3 Mix Zone Effectiveness Measurement

To quantify the protection effectiveness, a commonly used metric for evaluating an adversary's uncertainty in finding out the link between a user's old and new pseudonym in a mix zone model is information entropy, given by:

$$H_m = -\sum_{u} p_u \log p_u, \qquad (2)$$

where $H_m$ represents the entropy value of a mix zone, and $p_u$ stands for the probability of mapping an old pseudonym to a new pseudonym. According to this metric, we can see that the effectiveness of a mix zone is greatly affected by two factors, the user population and the road transit constraint. For example, mix zones deployed at locations with higher traffic density and more outlets have higher entropy than those placed at locations with less or barely any traffic. Therefore, when selecting mix zone locations, traffic density and the number of possible transit paths should be carefully considered.

2.4 Threat Model

In our threat model, we consider CLSI to be trustworthy for two reasons. First, a service provider who operates CLSI generally has no incentive to become adversarial. This is because the service provider who can afford the expensive equipment in CLSI is more likely to be an established major player on the market. The opportunity cost for acting against its customers is too high to afford, e.g., facing expensive lawsuits and devastating reputation damage. Second, a majority of localization services offered by CLSI rely on message exchange between users and CLSI. In wireless networks, the true identifier of a user's hand-held device is necessary for communication purposes. Therefore, if CLSI is not trusted, we need to consider how to localize a mobile user under the current infrastructure without exposing any ID information to CLSI. This leads to another set of problems that are out of the scope of this paper.

Figure 2-3. Side information and user trace examples in an abstracted POI graph. Concentric circles: POIs in a graph. Edges: road segments connecting POIs. Shaded vertex: a mix zone. Dashed line: user trajectory. Solid dots connected by dashed line: side information.

The third-party LBS applications are considered not trustworthy. They may directly attack a mobile user's privacy, or secretly sell information to other individuals or organizations. An adversary $A$ refers to any entity formed by one or more malicious parties (by colluding) who aim at learning the locations associated with mobile users' true identities. The case that $A$ actively stalks a particular user is considered out of the scope of this paper. Since an adversary has the complete trajectory profiles camouflaged by pseudonyms, it is often characterized as a global passive eavesdropper, and this type of threat is treated as the major threat in the literature [25].

Besides the trajectory profile, $T_{u_x}(t_i)$, $(i = 1, 2, \ldots, m;\ x = 1, 2, \ldots, n)$, a new weapon has recently been brought into sight to aid the adversary [60]. Because mobile users are publicly observable, partial trajectory information may be leaked when they travel in public places. For example, information such as "Alice was witnessed to pass by XYZ cafeteria at 3pm", or "Alice used her credit card at XYZ cafeteria at 4pm" becomes valuable auxiliary knowledge to track the mobile target. Such gathered occasional location information forms partial traces of the tracking targets, and becomes side information to $A$, denoted by $S_{v_j}(t_i')$, (i = 1, 2, ..., ; j = 1, 2, ..., ). Given some side information, the goal of $A$ is to identify the target mobile user in the trajectory file

based on side information matching, and to learn the complete footprints left by the tracking target. For example, in Figure 2-3, suppose $A$ obtains user $v_j$'s side information $S_{v_j}(t_3) = P_3$, $S_{v_j}(t_4) = P_4$, and $S_{v_j}(t_5) = P_5$. If $A$ has already learnt the whole trajectory record from $t_1$ to $t_5$ at $P_1$ through $P_5$ belonging to some user with pseudonym $u_x$, by performing side information matching, $A$ will immediately know that $v_j$ is $u_x$, and that $P_1$ and $P_2$ have also been visited by $v_j$. Therefore, the whole trajectory of $v_j$ is compromised. It must be noted that while the trajectory files contain accurate location records for service purposes, the side information may be noisy or even incorrect. This is because the source of the side information is unreliable, e.g., personal encounter or context inference.

With this established adversary model, we are now able to present our privacy preservation goal as follows: to prevent adversary $A$ from learning the tracking target's complete trajectory associated with real identity, given that a partial trajectory may be exposed to $A$. In the next section, we will present how to quantify this protection goal and build the formal mathematical model to solve the problem.

2.5 Privacy Preservation Metric

2.5.1 Graph Model

We model the location map with POIs as an undirected graph $G(V, E)$, where $V$ is the set of vertices representing the registered POIs, i.e., $\{P_i\}$, $i = 1, 2, \ldots, n$, and $E$ is the set of road segments that connect adjacent POIs. In some cases, multiple road segments connecting two POIs may be abstracted as a single edge if there is no POI in-between. An example graph is presented in Figure 2-4. All vertices in $G$ are considered as potential mix zone deployment locations. A trajectory record belonging to user $u_x$ defines a path consisting of one or a sequence of possibly repeated vertices. Similarly, a piece of side information corresponding to a pseudonym $v_x$ is a portion of some specific trajectory in $G$. $P_i$ and index $i$ are used interchangeably to refer to a POI in the following sections.
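The software-level mix zone of Section 2.3.2 and the side information matching example of Section 2.4 can be put side by side in a short simulation. This is an added example, not code from the dissertation: the traces, the pseudonym format and the function names are constructed, and exact (POI, time) matching stands in for the noisy matching an adversary would actually face.

```python
from itertools import count


def build_trajectory_file(real_traces, mix_zones):
    """Return the pseudonymous records an application server would receive.

    real_traces: {real_id: [(poi, t), ...]} in time order (constructed input).
    Following Section 2.3.2, updates inside a mix zone are suppressed and the
    user leaves the zone under a fresh pseudonym.
    """
    fresh = count(1)
    records = []
    for real_id in sorted(real_traces):
        pseudonym = f"u{next(fresh)}"
        for poi, t in real_traces[real_id]:
            if poi in mix_zones:
                pseudonym = f"u{next(fresh)}"   # pseudonym changes in the zone
                continue                         # no location update is sent
            records.append((pseudonym, poi, t))
    return records


def linked_footprints(records, side_info):
    """Footprints tied to one identity by exact (poi, t) matching.

    Any pseudonym with a record equal to a sighting is attributed to the
    observed person, and every record under that pseudonym is then linked.
    """
    sightings = set(side_info)
    matched = {p for p, poi, t in records if (poi, t) in sightings}
    return sorted((poi, t) for p, poi, t in records if p in matched)


# Constructed traces: Alice visits P1..P5 at t = 1..5; Bob is unrelated traffic.
TRACES = {
    "alice": [("P1", 1), ("P2", 2), ("P3", 3), ("P4", 4), ("P5", 5)],
    "bob": [("P2", 1), ("P3", 2), ("P6", 3)],
}
# Side information as in the Section 2.4 example: sightings at P3, P4 and P5.
SIDE_INFO = [("P3", 3), ("P4", 4), ("P5", 5)]


def exposure(mix_zones):
    """Footprints linked to the sighted user for a given mix zone set."""
    return linked_footprints(build_trajectory_file(TRACES, mix_zones), SIDE_INFO)


if __name__ == "__main__":
    print("no mix zone    :", exposure(set()))
    print("mix zone at P3 :", exposure({"P3"}))
```

Without a mix zone the three sightings link all five footprints; with a mix zone at P3 the earlier footprints at P1 and P2 stay under a pseudonym that no sighting matches.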

Figure 2-4. An example of an abstracted graph consisting of POIs registered by some application servers in Gainesville, Florida. The edges between vertices correspond to the road segments connecting these POIs.

2.5.2 Privacy Metric

Figure 2-5. User trajectory and pseudonym associated vertex pairs, e.g., 1 and 2, 4 and 5, etc. Concentric circles: POIs in a graph. Edges: road segments connecting POIs. Shaded circle: a mix zone. Dashed line: user trajectory. Solid dots connected by dashed line: side information.

In the aforementioned graph $G$, two vertices are pairwise connected when there is at least one path connecting them. In an LBS system, if a user using one pseudonym can travel from $P_x$ to $P_y$ without going through a mix zone and changing pseudonym, $P_x$ and $P_y$ are pairwise associated. We use a binary variable ${}_{ij} \in \{0, 1\}$ to indicate the association status of two POIs: if $P_x$ and $P_y$ are pairwise associated, ${}_{xy} = 1$; otherwise, ${}_{xy} = 0$. Taking Figure 2-5 as an example, suppose Alice travels from $P_1$ to $P_5$ using

the pseudonym $u_x$, without any mix zone deployed in between; we say $P_1$ and $P_5$ are pairwise associated. Similarly, $P_1$ and $P_4$ are pairwise associated, and $P_3$ and $P_4$ are also pairwise associated. An important implication of the pairwise association is that, if $u_x$ appears at $P_1$, $u_x$ can only appear at locations that are pairwise associated to $P_1$. Furthermore, once the adversary discovers Alice's pseudonym at $P_1$, locations that are pairwise associated to $P_1$ will definitely be compromised if $u_x$ visited them. Given that users change pseudonyms in mix zones, and pseudonyms are unique, placing a mix zone at $P_3$ will break the pairwise association and protect Alice's future locations, $P_4$ and $P_5$, even if her identity is revealed at $P_1$. We use the total number of pairwise associations in the graph as a privacy metric to quantify the system's privacy preservation level. It is given by:

$$= \sum_{i,j \in \{P_i\}} {}_{ij}. \qquad (2)$$

Our goal in case of the side information based attack is to strategically deploy multiple mix zones so that can be minimized, and the maximum protection level can be achieved for mobile users. Hence, when a user exposes his identity at some point, only a limited trajectory can be disclosed by an adversary. Note that there might be multiple paths connecting two vertices in $G$. The two vertices are dissociated only when all paths in between are blocked by mix zones.

2.6 Uniform Traffic Mix Zone Deployment

Given the POI graph model of an area and the pairwise association metric, it is reasonable to argue that the maximum protection level is achieved when mix zones are deployed at all the vertices in $G$. By doing so, when adversary $A$ discovers Alice's partial trajectory using side information, an immediate pseudonym change can prevent $A$ from learning Alice's future locations. However, deploying mix zones adds certain cost to CLSI, e.g., pseudonym transformation for every user in the mix zone area, saving state information, and informing application servers of newly arrived users. Moreover, mix zones also result in Quality-of-Experience (QoE) degradation perceived by users.

When Alice passes by a mix zone area, she might lose services temporarily due to synchronized pseudonym changes. For these reasons, deploying mix zones at all POIs is both expensive and inefficient. We need to strategically plan mix zone placement locations in the system to achieve the maximum location privacy preservation subject to cost and service constraints.

2.6.1 Problem Formulation

In this section, we formulate the multiple mix zone placement problem as an optimization problem, in which the objective function is to minimize the overall number of associated vertex pairs. Since we do not know the probability of the side information exposure at a specific POI, we assume that the side information may include real identity leakages at any POI. Thereafter, our objective function quantifies the global protection effectiveness of deploying multiple mix zones in $G$. To fully explore the multiple mix zone placement problem, we first consider mix zone deployment under the uniform traffic condition. Although our simplified formulation may not be well-fitted for real world scenarios, it is intended to serve as a guideline for the optimal achievable reduction of the total number of pairwise associations. More realistic constraints are considered in later sections.

Cost and service constraints. According to the aforementioned privacy metric, we denote ${}_{ij}$ as a binary variable indicating whether there is a path association between vertex $i$ and $j$ in $G$. Let $d_i$ be another binary variable associated with each vertex $i$ in $G$. $d_i = 1$ indicates vertex $i$ is selected to be a mix zone; otherwise, $d_i = 0$. Considering cost and service constraints posed on CLSI, we limit the number of mix zones to be deployed to be at most $K$. The constraint is expressed as:

$$\sum_{i \in V} d_i \le K. \qquad (2)$$

Graph related constraints. We formulate two graph related constraints to capture the connectivity of the POI graph. The first graph constraint considers two vertices

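connected by an edge in $G$. If there is an edge connecting $i$ and $j$, then there will be a pairwise association between $i$ and $j$; otherwise, at least one of them should be deployed as a mix zone. That is:

$${}_{ij} + d_i + d_j \ge 1 \quad \forall (i, j) \in E. \qquad (2)$$

The second graph constraint concerns all vertex triplets. Specifically, the pairwise association is transitive for all vertices in $V$. If vertex $i$ and $j$ are pairwise associated, and $j$ and $k$ are pairwise associated, then $i$ and $k$ are pairwise associated, meaning there must be some path i j k that a user can travel through without entering a mix zone. This constraint is described as:

$${}_{ij} + {}_{jk} + {}_{ki} \ne 2 \quad \forall (i, j, k) \in V. \qquad (2)$$

In summary, without considering the traffic variety at different roads, we can formulate the optimal mix zone deployment problem as follows:

$$
\begin{aligned}
\text{Minimize} \quad & \sum_{i,j \in V} {}_{ij} \\
\text{Subject to} \quad & {}_{ij} + d_i + d_j \ge 1 && \forall (i, j) \in E \\
& {}_{ij} + {}_{jv} + {}_{vi} \ne 2 && \forall (i, j, v) \in V \\
& \sum_{i \in V} d_i \le K \\
& {}_{ij} \in \{0, 1\} && \forall i, j \in V \\
& d_i \in \{0, 1\} && \forall i \in V
\end{aligned}
$$

The ILP formulation of the mix zone placement problem falls into the category of NP-hard problems [14]. A common technique to solve such an ILP formulation is to relax the binary constraint ${}_{ij}, d_i \in \{0, 1\}$ to a pair of linear constraints $0 \le {}_{ij}, d_i \le 1$. By doing so, the original NP-hard problem is transformed to a Linear Programming (LP) problem that is solvable in polynomial time. In general, the optimal solution derived from solving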

LP does not have all variables either 0 or 1. It cannot be directly used to answer the mix zone placement problem.

2.6.2 Heuristic Algorithm

Algorithm 1: Uniform traffic mix zone placement (UTMP)

    input: A graph G = (V, E) and K
    output: A set of at most K selected mix zone positions
    /* -- Step #1: Find articulation points -- */
    Depth first search for G to find discover time i.d for each vertex;
    foreach vertex i in G do
        i. min{ i.d, min back edge i → w { w.d } };
    Initialize articulation points set ∅;
    foreach vertex i in G do
        if i. i.d then
            ∪ {i};
    ∪ ;
    /* -- Step #2: Maximal independent set -- */
    Find maximal independent set I_{C_j} for each connected component C_j by iteratively adding non-adjacent vertices;
    I ∪ I_{C_j};
    ∪ {V \ I \ };
    /* -- Step #3: Maintain cost constraint -- */
    while | | > K do
        Find vertex x ∈ that contributes the least pairwise associations to V \ , and remove it from ;
    Return ;

In this section, we devise a heuristic algorithm as a practical and efficient means to find a suboptimal solution to the mix zone placement. We refer to this heuristic algorithm as Uniform Traffic Mix Zone Placement (UTMP), summarized in Algorithm 1. It provides an estimation of the achievable privacy level when no knowledge of traffic patterns is available. The inputs of UTMP include the abstracted POI graph $G = (V, E)$ and the maximum mix zone number $K$, which is typically less than the number of vertices in $G$. The output of UTMP is a set containing selected mix zone locations in $G$.
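The three steps of Algorithm 1 can be followed on a small graph with the sketch below. It is an added example, not the dissertation's C++ implementation. Its assumptions: the pairwise association metric is read as the number of unordered pairs of non-mix-zone POIs joined by a path that avoids every mix zone; the 12-vertex graph is constructed to agree with what the text says about Figure 2-6 (articulation points 6 and 10, independent set {1, 8, 3, 5}), since the figure's actual edges are not given; and an exhaustive search stands in for the ILP solver.

```python
from itertools import combinations


def build_graph(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def components(adj, removed):
    """Connected components of the graph after deleting the `removed` vertices."""
    seen, comps = set(removed), []
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        stack, comp = [start], []
        while stack:
            v = stack.pop()
            comp.append(v)
            for w in adj[v] - seen:
                seen.add(w)
                stack.append(w)
        comps.append(comp)
    return comps


def pairwise_associations(adj, zones):
    """Assumed reading of the metric: pairs of non-mix-zone POIs that are
    still connected once every mix zone vertex is removed."""
    return sum(len(c) * (len(c) - 1) // 2 for c in components(adj, zones))


def articulation_points(adj):
    """Step 1: DFS discovery times and low values (Tarjan's method)."""
    disc, low, points = {}, {}, set()

    def dfs(v, parent):
        disc[v] = low[v] = len(disc)
        children = 0
        for w in adj[v]:
            if w not in disc:
                children += 1
                dfs(w, v)
                low[v] = min(low[v], low[w])
                if parent is not None and low[w] >= disc[v]:
                    points.add(v)
            elif w != parent:
                low[v] = min(low[v], disc[w])
        if parent is None and children > 1:
            points.add(v)

    for v in adj:
        if v not in disc:
            dfs(v, None)
    return points


def utmp(adj, k):
    cut = articulation_points(adj)                 # step 1
    independent = set()
    for comp in components(adj, cut):              # step 2: greedy maximal set
        for v in sorted(comp):
            if not adj[v] & independent:
                independent.add(v)
    zones = set(adj) - independent                 # everything else is a candidate
    while len(zones) > k:                          # step 3: keep at most k zones
        drop = min(sorted(zones),
                   key=lambda v: pairwise_associations(adj, zones - {v}))
        zones.remove(drop)
    return zones


def brute_force(adj, k):
    """Exhaustive optimum for small graphs; stands in for the ILP solver."""
    return min(pairwise_associations(adj, set(z))
               for z in combinations(sorted(adj), k))


# Constructed edges: a lower ring through vertex 6 and an upper ring through 10.
EDGES = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 7), (7, 8), (8, 6), (6, 1),
         (6, 10), (10, 9), (10, 12), (9, 11), (11, 12)]
GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    for k in (2, 4, 6):
        zones = utmp(GRAPH, k)
        print(k, sorted(zones), pairwise_associations(GRAPH, zones),
              brute_force(GRAPH, k))
```

On this graph the heuristic with K = 4 leaves 6 pairwise associations against an exhaustive optimum of 5, down from 66 with no mix zones.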

Figure 2-6. An execution snapshot of our heuristic algorithms. Concentric circles: POIs in a graph. Edges: road segments connecting POIs. Shaded vertices: articulation points. Circled vertices: maximal independent set in bottom part of the graph.

In the real world, any POI should be reachable from any other POI in the target area. Thus, the area graph is connected without isolated points. Therefore, the total number of possible pairwise connections in such a graph of $n$ vertices is $O(n^2)$. The first step in UTMP is built on the observation that partitioning $G$ into several disconnected components helps to eliminate the pairwise connections across these components. Hence, we are seeking vertices whose removal disconnects the graph. Such vertices are typically referred to as articulation points in graph theory; refer to the first step in Algorithm 1. Take the area graph in Figure 2-6 as an example. Any route from 1 to 9 or from 1 to 12 needs to go through vertices 6 and 10. Therefore, 6 and 10 are articulation points in this graph. If a mix zone is deployed at vertex 6 or 10, a pseudonym that appears at any vertex in the bottom part of the graph cannot appear at vertices 9, 12, and 11. Hence, the total number of pairwise associations is reduced.

After $G$ is partitioned into disconnected components, the mix zone deployment in each component is further refined to improve the solution quality. In graph theory, an independent set refers to a set of vertices that are not adjacent to each other. If all vertices that are not in an independent set are selected as mix zones, there will be no pairwise association between the vertices in the independent set; refer to the second

step in Algorithm 1. Consider the bottom part of Figure 2-6 as an example. The circle highlighted vertices, $\{1, 8, 3, 5\}$, form a maximal independent set for the lower part of the graph. If vertices $\{2, 4, 6, 7\}$ are selected as mix zones, a user Alice's pseudonym $u_x$ that appears at vertex 1 will not appear at any other vertex in the independent set. As a result, Alice's past and future locations on her trajectory are protected, even though her identity gets exposed at vertex 1.

Finally, we need to control the number of mix zones to meet the cost and service constraint. At the last step of our algorithm, the maintain cost constraint step in Algorithm 1, we iteratively remove the vertex that introduces the least number of pairwise association increment from the mix zone candidate set selected by previous steps until constraint (2) is met. Algorithm 1 summarizes the proposed UTMP algorithm.

2.7 Traffic-Aware Mix Zone Placement

In this section, we extend the uniform traffic multiple mix zone placement formulation to incorporate the impacts of traffic variations at different locations. According to our discussion in Section 2.3.2 and Section 2.3.3, we can see that traffic density affects both the cost of deploying a mix zone and the privacy preservation effectiveness of a mix zone. Hence, traffic density significantly affects the selection of mix zone locations. Furthermore, we incorporate the factor of different privacy protection level requirements at different places in our formulation.

2.7.1 Problem Formulation

In the previous uniform traffic mix zone placement formulation, we implement the mix zone deployment cost constraint by limiting the maximum total number of mix zones to $K$. In this section, we employ a more detailed cost model that includes both the Quality-of-Experience (QoE) degradation constraint of users and the mix zone implementation cost constraint of CLSI.

QoE degradation constraints. According to the mix zone implementation described in Section 2.3.2, when a user Alice enters a mix zone, she will temporarily lose LBS

service due to pseudonym changes. The time period that Alice loses the LBS service is largely related to the mix zone's physical boundary size and its anonymity requirement, e.g., 3-anonymity or 4-anonymity. As a result, different mix zone locations will cause distinct degradation of Quality-of-Experience (QoE). We denote $C_i$ as the cost of the degradation of QoE at location $P_i$. Once we deploy multiple mix zones in a specific area, the overall QoE degradation can be quantified as $\sum_{i \in V} d_i C_i$, which corresponds to the case that a user travels through all the mix zones in the area. To ensure a certain level of QoE, we limit the worst case QoE degradation a user can experience as:

$$\sum_{i \in V} d_i C_i \le K_u, \qquad (2)$$

where $K_u$ is a predefined threshold. This constraint guarantees that if a user travels through all the mix zones in an area, his/her overall QoE degradation will be less than or equal to $K_u$. The value of $C_i$ can be evaluated according to the size of the mix zone in a particular location. For a specific $P_i$, $C_i$ is a fixed value.

Cost constraints. Since there is both computational and storage cost for CLSI to establish a mix zone, we use $c_i$ to represent such cost at $P_i$. The cost of establishing a mix zone at different places will be highly related to the user population at that place, and can be calculated according to the historical traffic density data. We express the cost constraint for establishing mix zones as:

$$\sum_{i \in V} d_i c_i \le K_c. \qquad (2)$$

Traffic related constraints: When traffic is not uniformly distributed around the service coverage area, the difficulty of an inferential attack conducted by adversary $A$ varies significantly. For example, suppose $A$ observes Alice driving on Main Street at 9:50am, and only one location update belonging to user $u_x$ was recorded in the trajectory profile. Then $A$ will easily associate $u_x$ with Alice. We use entropy to represent the uncertainty for $A$ to guess which pseudonym belongs to Alice. It quantifies the

inherent attacking resilience for each element in graph $G$. First, the entropy for a road segment is defined as follows:

$$H_r = -\sum_{u} p_u \log p_u, \qquad (2)$$

where $p_u$ corresponds to the probability that the identity contained in the side information matches a particular pseudonym on the road segment. In addition to road segment entropy, pairwise entropy is useful to describe the uncertainty that an adversary finds out a user has visited both POIs of an associated POI pair. Before defining pairwise entropy, we first clarify the concept of path entropy. A path consists of consecutive intermediate vertices between two associated vertices and it has no cycle. The entropy for is the expected uncertainty in determining if a user has traveled this path or not. Denoting $p_{r_i}$ as the probability that the user's side information is leaked on the $i$th road segment with road segment entropy $H_{r_i}$, we have:

$$H = \sum_{i} H_{r_i} p_{r_i}. \qquad (2)$$

Since there may be multiple paths connecting two vertices, we denote $p_i$ as the probability that the user's side information is leaked on the $i$th path. The pairwise entropy between two vertices is then calculated as:

$$H_p = \sum_{i} H_i p_i. \qquad (2)$$

If two vertices have very low pairwise entropy, i.e., they are highly correlated, then we should consider deploying a mix zone to isolate them from other POIs. By doing so, when a user Alice exposes her identity at these two POIs, she can change pseudonym immediately to prevent further location information exposure. A mix zone deployment is considered to be effective only when it satisfies the minimum pairwise entropy requirement. Our proposed model for optimal mix zone placement is traffic-aware because it takes traffic density and entropy into consideration when examining the

graph. Specifically, two constraints are defined to ensure the effectiveness of mix zone deployment. First, a mix zone deployed at each vertex on the graph should exceed the predefined entropy threshold $d$:

$$(1 - d_i) M > d - e_i \quad \forall i \in V, \qquad (2)$$

where $M$ is a very large constant, and $e_i$ is the entropy for location $i$. In addition to the vertex entropy constraint, we define the following pairwise entropy constraint in our model:

$$(1 - {}_{ij}) M > p - \vartheta_{ij} \quad \forall i, j \in V, \qquad (2)$$

where $p$ is a predefined threshold, and $\vartheta_{ij}$ is the pairwise entropy for $i$ and $j$.

Differentiated location priority constraints: While the above formulation incorporates both the cost and traffic related constraints, another realistic requirement needs to be addressed. Since different POIs in our proposed graph model correspond to different physical facilities, e.g., a coffee shop or a hospital, people may pose different privacy requirements at these places. Specifically speaking, people typically demand higher privacy preservation when they are visiting a specialized hospital than when visiting an ordinary coffee shop. Consequently, in order to achieve a better mix zone placement regarding social meanings of the POIs, we employ coarse-grained privacy requirements to differentiate the protection priority for all the candidate areas, which means a place either requires a high privacy protection level or requires only an ordinary privacy protection level.

A straightforward solution to enhance the privacy protection level of a particular POI is to make it a mix zone. Take a hospital as an example. If user Alice accidentally leaked her real identity before entering a hospital, without changing her pseudonym, an adversary is able to track how long she stayed in the hospital. However, if all users change pseudonyms at the hospital, it becomes difficult for the adversary to find out

whether Alice stayed in the hospital for a certain time period, or she just traveled past the hospital. Denote as the set of POIs that have high privacy requirements, and therefore should be mix zones; we have the constraint

$$d_i \in \{1\} \quad \forall i \in . \qquad (2)$$

In summary, given the objective function and all constraints, we derive a formal Integer Linear Programming (ILP) formulation for our traffic-aware multiple mix zone placement problem. The complete formulation is described as follows:

$$
\begin{aligned}
\text{Minimize} \quad & \sum_{i,j \in V} {}_{ij} \\
\text{Subject to} \quad & {}_{ij} + d_i + d_j \ge 1 && \forall (i, j) \in E \\
& {}_{ij} + {}_{jv} + {}_{vi} \ne 2 && \forall (i, j, v) \in V \\
& \sum_{i \in V} d_i C_i \le K_u \\
& \sum_{i \in V} d_i c_i \le K_c \\
& (1 - d_i) M > d - e_i && \forall i \in V \\
& (1 - {}_{ij}) M > p - \vartheta_{ij} && \forall i, j \in V \\
& d_i \in \{1\} && \forall i \in \\
& {}_{ij} \in \{0, 1\} && \forall i, j \in V \\
& d_i \in \{0, 1\} && \forall i \in V \setminus
\end{aligned}
$$

2.7.2 Heuristic Algorithms

Since the differentiated privacy priority constraint depends highly on the POIs in a specific area, and in some cases the privacy requirements are generally the same for all the POIs in a particular region, we propose two heuristic algorithms corresponding to with and without the priority constraint, respectively.

2.7.2.1 Non-uniform traffic mix zone placement

The first heuristic algorithm aims at solving the multiple mix zone placement problem when CLSI obtains enough historical traffic information over the target area. We name it Non-Uniform Traffic Mix Zone Placement (NUTMP). As with the UTMP algorithm, the inputs of NUTMP include the POI graph $G = (V, E)$. NUTMP also requires additional input of entropy and cost information at different POIs to take traffic into account, as well as the cost constraints $K_u$ and $K_c$. The output of UTMP is a set containing mix zone placement locations in $G$.

Algorithm 2: Non-uniform traffic mix zone placement (NUTMP)

    input: A graph G = (V, E), K_u, K_c, mix zone entropies, and entropy matrix for vertex pairs
    output: A set of selected mix zone positions
    /* -- Step #1: Find articulation point -- */
    Find articulation points set as in Algorithm 1;
    Remove the articulation points that have entropy value less than d from ;
    /* -- Step #2: Non-mix-zone vertices selection -- */
    Put all vertices with entropy values less than d into ;
    Select vertices from V \ \ that are not adjacent to any vertex in , and put them into ;
    V \ ;
    /* -- Step #3: Maintain cost constraint -- */
    while the cost of vertices in exceeds K_u and/or K_c do
        Find vertex x ∈ that satisfies the pairwise entropy constraint and incurs the least pairwise association increase, and remove it from ;
    end
    Return ;

Algorithm 2 summarizes the proposed NUTMP algorithm that further considers the impact of traffic conditions on mix zone deployment effectiveness. Compared with UTMP, NUTMP incorporates two filtering procedures to guarantee the final solution meets the traffic-related constraints (2) and (2). First, in the articulation point selection step, only those articulation points with entropy values higher than $d$ are considered as mix zone candidates and put into set . Second, unlike UTMP that selects a maximal independent set as the starting point, in NUTMP, we first choose all

vertices that have lower entropy values than $p$ into a set so that they cannot be used as mix zones. Then, the vertices that are not articulation points and are not adjacent to any vertex in from are put into . The reason for this step is similar to the maximal independent set selection in UTMP. By adding non-adjacent vertices to , no pairwise association is introduced (if all others are mix zones). It is possible that the vertices not qualified to become mix zones are adjacent to each other. If the threshold values are set appropriately, the pairwise entropy constraint should be satisfied in this step. Let become (V \ ). By iterating through all mix zone candidates in , we remove those vertices that satisfy the pairwise entropy constraint and incur the least number of pairwise association increment until mix zone cost constraint (2) is met.

2.7.2.2 Priority-aware non-uniform traffic mix zone placement

For a specific area that has POIs with differentiated priority requirements, we devise the Priority-aware Non-uniform Traffic Mix zone Placement (PNUTMP) algorithm. The inputs of PNUTMP are similar to those of NUTMP with the addition of places that must become mix zones. The output of UTMP is a set containing mix zone placement locations in $G$.

Algorithm 3 provides detailed steps of the proposed PNUTMP algorithm, which enforces the set of critical places identified by CLSI to be mix zones. Specifically, given a set of critical places , e.g., hospitals, which are generally less than $K$, we apply the first filtering procedure and put them as mix zones. The rest of the steps are similar to the NUTMP algorithm.

2.8 Performance Evaluation

2.8.1 Simulation Setup

In this section, we present the simulation results of the proposed UTMP, NUTMP, and PNUTMP algorithms. All algorithms are implemented in C++. Due to the differences in privacy metrics used and problem formulation, it is difficult to conduct direct performance comparison with some existing works, e.g., [25, 34, 78]. To evaluate

Algorithm 3: Priority-aware non-uniform traffic mix zone placement (PNUTMP)

    input: A graph G = (V, E), K_u, K_c, mix zone entropies, critical place set , and entropy matrix for vertex pairs
    output: A set of at most K selected mix zone positions
    /* -- Step #1: Differentiated priority -- */
    Select vertices in as mix zones;
    if the cost of vertices in not exceeds K_u and/or K_c then
        Find articulation points set and maximal independent set as in Algorithm 2;
        (V \ ) ∪ ;
        /* -- Maintain cost constraint -- */
        while the cost of vertices in exceeds K_u and/or K_c do
            Find vertex x ∈ that satisfies the pairwise entropy constraint and incurs the least pairwise association increase, and remove it from ;
        end
    end
    else
        Report no solution can be found;
    end
    Return ;

the solution quality of UTMP, NUTMP, and PNUTMP, we compare the results with the near optimal solution obtained from CPLEX™ [36] using standard solvers, e.g., the branch-and-bound algorithm. For trajectory generation, we adopt the real world mobility trace of San Francisco Bay area cabs from CRAWDAD [45]. The partial road map of the same area is abstracted as our input graph. We select 20 POIs from the map covering diverse location types, e.g., road intersections, hospitals, and bars/coffee shops. For the PNUTMP algorithm, we randomly select 20% of the POIs as the places with high privacy priority.

2.8.2 Mobility Trace Characteristics

The mobility trace [45] of San Francisco Bay Area cabs contains moving trajectories of more than 500 cabs spanning over a 20-day time period. In the trace files, each cab is represented by a cab id, and its trajectories are stored in a file named after its cab id. The mobility trace of a particular cab includes entries of the form . A sample snapshot of a single cab's moving trajectory over a certain

Figure 2-7. Mobility trace characteristics. A) Sample trajectory of a user following road network. B) Spatial histogram of traffic density in the San Francisco Bay Area.

period is shown in Figure 2-7A. The traffic variations in the Bay Area are also reflected in the cab traces. In Figure 2-7B, we plotted the spatial histogram showing the cab traffic density per cell within a short period of time.

2.8.3 Protection Effectiveness

First, we compare the solution quality of both UTMP and NUTMP to the solution derived by CPLEX™ (referred to and marked as near-optimal). We omit the comparison between PNUTMP and the solution provided by CPLEX for the differentiated priority case, because the places that have high priority are selected as mix zones in both PNUTMP and the solution provided by CPLEX, and only the selection of the rest of the vertices may be different. Consequently, it becomes the comparison of NUTMP and the near optimal solution obtained from CPLEX. To demonstrate the effectiveness, we also include the simulation results for randomly selected mix zone locations (marked as random), and for selecting representative mix zones from $K$ evenly partitioned components in $G$ (marked as even). The input graph is shown in Figure 2-9, where all POIs are potential mix zone deployment locations. We evaluate the protection

effectiveness for $K$ ranging from 0 to 10. Accordingly, the cost thresholds $K_u$ and $K_c$ are calculated as the average cost times $K$. For the NUTMP algorithm, 20% of the edges and 10% of the vertices are randomly selected as low-traffic locations. Their entropy values are drawn from the normal distribution $N(1, 0.5)$, and the entropy values for the rest are drawn from the normal distribution $N(4, 0.5)$.

Figure 2-8. Total number of pairwise associations. A) Uniform traffic condition. B) Non-uniform traffic condition.

Figure 2-8 shows the reduction in the total number of pairwise associations when different numbers of mix zones are deployed in the system. As expected, the number of pairwise associations decreases with the increased number of mix zones in all four methods, under both uniform and non-uniform traffic assumptions. We observe that both UTMP and NUTMP perform very close to the near optimal solution. When the number of the selected mix zones is larger than 4, the average difference of pairwise associations between our heuristic algorithms and the near optimal solutions provided by CPLEX™ is less than 10%. Because entropy constraints for both vertices and incident edges are taken into account in NUTMP, its outcome is in general different from UTMP. Mostly the value derived from NUTMP is higher than that in UTMP. A possible explanation for this phenomenon is that the ideal locations for minimizing pairwise associations in UTMP

may not be qualified in NUTMP because of the traffic-related constraints. Finally, when $K$ becomes larger, the possibility of selection overlapping increases for all methods. Hence, we observe that both the random and even approaches perform fairly well when $K$ is large.

Figure 2-9. Comparison of mix zone locations between CPLEX's solution and heuristic algorithms. A) Mix zone deployment by CPLEX under uniform traffic when K = 4. B) Mix zone deployment by UTMP under uniform traffic when K = 4. C) Mix zone deployment by CPLEX under non-uniform traffic when K = 4. D) Mix zone deployment by NUTMP under non-uniform traffic when K = 4.

Figure 2-9 presents an example mix zone selection result to compare the near-optimal solution and our heuristic algorithms. We can see that the majority of the locations overlap. Since the assigned entropy values are low for edges $3 \leftrightarrow 5$ and $19 \leftrightarrow 20$, and for vertices 3 and 20, vertex 3 is not selected in Figure 2-9C and Figure 2-9D. Instead, vertex 19 is selected in Figure 2-9C and Figure 2-9D to satisfy the traffic constraint. When the number of mix zones becomes larger, the selected location sets exhibit more overlap. This is the same trend exhibited in Figure 2-8A and Figure 2-8B, where the numbers of pairwise associations of the optimal and heuristic solutions become very close.

2.8.4 Resilience to Inferential Attack

Utilizing the mix zone placement selection results presented in the last section, we conduct another set of simulations to investigate the systems' resilience to side information based attacks. We randomly select 500 partial mobility traces, each with a start and an end point, from the San Francisco Bay area cab mobility traces in CRAWDAD [45]. Each of them is recorded with a distinct pseudonym. These mobility

traces simulate users' trajectories in the input graph. Since the trace file is recorded in format, we consider a user stepping onto the corresponding vertex in $G$ when his trace appears within a certain range of one of the marked POIs. Similarly, the coordinates of a user's trace between two POIs are interpolated and mapped to the closest edge in $G$. We randomly select some portion of the selected user mobility traces to generate 100 shorter trajectories as side information. Each piece of side information belongs to a particular ID that serves as the real identity of a user. Since real world side information often contains noise [60], we obfuscate the generated side information to better simulate this effect. The maximum likelihood estimation approach for adversary $A$ is implemented as described in [60] to simulate the side information based inferential attack. An attack is successful if the adversary finds out the corresponding pseudonym used by a user in the side information with high probability. The success rate of an adversary is the ratio of the number of successful attacks over the total number of attacks. It is worth noting that, due to the uneven distribution of traffic, some of the POIs are included in more traces than others. As a result, the corresponding entropy values are then calculated. Furthermore, we intentionally select certain POIs as privacy critical places to test the performance of our PNUTMP algorithm.

Figure 2-10 shows the reduction of attack success rate when different numbers of mix zones are deployed in the target area. According to [60], this type of inferential attack has a high success rate when no mix zone is deployed. Using our mix zone deployment algorithms, we observe that the attack success rate can be reduced to over 50% of original value when 10 mix zones are deployed. Moreover, the difference between our heuristic algorithms and the near optimal solution provided by CPLEX™ is only about 10% on average. The reason is that, previously, a piece of side information may be able to be matched back to its original mobility trace with high probability. When more mix zones are deployed, this mobility trace may be broken into more pieces of shorter trajectories. It is difficult to find the best match because the side information now faces many possibilities with these

Figure 2-10. Attack success rate under different traffic and mix zone deployment situations. A) Uniform traffic condition. B) Non-uniform traffic condition.

broken trajectories under different pseudonyms. In Figure 2-10B, we plotted the results for both the NUTMP and PNUTMP algorithms. From Figure 2-10 we can see that UTMP, NUTMP, and PNUTMP achieve satisfactory protection effect compared with the near-optimal solutions, and result in a lower attack rate than the other two approaches. Moreover, from Figure 2-10B we can see that when traffic intensity is considered, better protection effectiveness is achieved. The reason is that when a road segment has high traffic intensity, it is hard to distinguish users on the road with or without the help of side information. Therefore, the traffic-related constraint provides another level of protection against privacy attacks. As for PNUTMP, we fixed 2 POIs as privacy critical places starting from deploying 2 mix zones. Consequently, users passing through the 2 selected POIs will definitely change their pseudonyms, making it more difficult for an adversary to find out who has visited these places. Although the protection effectiveness of PNUTMP may not be as good as NUTMP at first, when more mix zones are deployed, their protection effectiveness becomes closer.

2.8.5 Complexity

The complexity of UTMP, NUTMP, and PNUTMP algorithms are contributed by mainly three components. First, the method for finding all articulation points in G is an algorithm suggested by and analyzed in [14]. Its complexity is $O(E)$. Second, finding a maximal independent set by iteratively adding vertices that are not adjacent to current selected vertices requires only linear time in all three heuristic algorithms. The final step in both UTMP, NUTMP, and PNUTMP are similar to the critical node detection algorithm proposed in [4], which has complexity $O(|V|^2 |E|)$. As a result, the overall complexity for UTMP and NUTMP are both $O(|V|^2 |E|)$.

To validate our complexity analysis of the proposed three heuristic algorithms, we profiled the actual running time of our C++ implementation on various network sizes and edge densities. The experiment environment we used is an Intel Core 2 Duo dual-core processor at 2.66GHz with 1GB memory. The results are plotted in Figure 2-11. As expected from our analysis, the running time of our proposed algorithms is below 15 seconds for a network of size 100. This is much better comparing with over 20 hours' running time for standard ILP solver. As we can see from the figure, increasing either the number of vertices or the number of edges can result in longer running time, which confirms our complexity analysis. Figure 2-11 provides running time comparison results between the standard ILP solver in CPLEX™ and the proposed heuristic algorithms. The execution environment is the same computer with 3.20GHz Intel(R) i5 CPU and 4GB memory. As expected, the heuristic algorithms out-perform the standard ILP solver for the mix zone placement problem.

2.9 Chapter Summary

In this paper, we investigated the optimal multiple mix zones placement problem for location privacy preservation. We modeled the area covered by location-based services as a graph, where all vertices (POIs) are considered as candidates for

mix zone deployment. In order to protect mobile users from side information based inferential attacks, we proposed to use pairwise vertex association to characterize the linkability of the POIs along a user's trajectory on the map. To achieve maximum privacy preservation, we formulated the optimization problem with the objective of maximizing the overall discontinuity of all possible trajectories on the road network and subject to deployment cost, traffic density, and differentiated privacy priority constraints. For each road segment and intersection, the traffic density effect in terms of entropy is also taken into account. We designed three heuristic algorithms corresponding to different traffic scenarios and privacy preservation levels as practical and efficient solutions to the NP-hard optimization problem. Through extensive simulations based on realistic mobile user data traces, we demonstrated that our solution yields satisfactory performance in reducing the success rate of inferential attacks. The mathematical modeling and performance results presented in this paper offer both theoretical and practical guidance to multiple mix zones placement in mobile networks for protecting users' location privacy.

Figure 2-11. Comparison of execution time between standard ILP solver and the proposed heuristic algorithms

CHAPTER 3
PRIVACY PRESERVATION USING GAME-THEORETIC APPROACH

3.1 Chapter Overview

The proliferation of Location Based Service (LBS) in mobile hand-held devices has significantly benefited users in many aspects of their daily activities, such as mobile local search, GPS navigation, etc. As LBS evolves, privacy concern becomes more and more important. Protecting location privacy is usually considered as the practice to prevent others from learning a person's past and future locations [7]. To prevent curious eavesdroppers and adversarial third-party applications from learning a user's activities, pseudonyms, instead of real identities, are typically used to camouflage users' location information. Recent works [60, 86] have discovered that even sporadic location information under the protection of pseudonyms is subject to privacy threats. With the aid of side information, an adversary can launch inference attacks to unveil the correlation between the users' real identities and their pseudonyms, and further obtain an extended view of the users' whereabouts to act against their well-being.

The need to protect location privacy is inherent in the LBS system. On the one hand, users need to report sufficiently accurate location information to the LBS server in order to receive high quality services. On the other hand, once the location information is collected, users have no control over how the information will be used by the third-party LBS applications. As a result, the location data is vulnerable to malicious attacks that compromise the privacy of users. To solve this problem, several location anonymization approaches have been proposed in the literature. Location anonymization refers to the type of approaches that attempt to make a user's location information indistinguishable from a certain number of others. Commonly used techniques include spatial-temporal cloaking or location obfuscation. Because either obscuring or altering a user's geographic position may result in degraded quality of service in LBS, an alternative method is to blend a number

of dummy identities with fake location records, known as dummy users or dummies, into normal users' location reports. With the help of the dummies, the users' moving pattern cannot be distinguished from at least $k-1$ other users, achieving what is known as k-anonymity [85]. The dummy user generation approach is appealing because it effectively achieves k-anonymity without sacrificing LBS quality. However, most existing solutions rely on a trusted Central Authority (CA) [58, 87]. Since it is difficult, and sometimes even impractical to deploy a CA with complete information about all the users in various LBS systems, we tackle the problem of privacy protection in mobile networks from a new angle.

In this paper, we propose a distributed dummy user generation method to grant users control over their own privacy protections. We let users generate dummies with similar moving patterns as their own according to their diverse privacy needs at different places. Considering the fact that self-interested users may not be sufficiently motivated to generate dummies due to the high cost of dummy generation using mobile devices, we employ game theory to analyze the non-cooperative behavior of LBS users, and identify the equilibrium solutions. To the best of our knowledge, this paper is the first to investigate the game-theoretic aspect of distributed dummy generation approach for achieving k-anonymity. We also introduce a novel notion of personalized privacy valuation to differentiate users' diverse privacy needs in time and space. In summary, our contributions are listed as follows:

- To protect against side information aided inference attacks, we propose a distributed approach for achieving k-anonymity by letting users generate dummies according to their privacy needs and valuation at different locations.
- We formally analyze the non-cooperative behaviors of self-interested users from a game theoretic perspective, and formulate two Bayesian game models in both static and timing-aware contexts.
- We analyze the properties of Bayesian Nash Equilibria for both models, and propose a strategy selection algorithm to help users obtain optimized payoffs.

- We conduct simulations based on real-world location privacy data trace, and validate our analytic results.

The rest of the paper is organized as follows. Section 3.2 summarizes related works in the literature. Section 3.3 and 3.4 present the system model, the threat model, and define the problem to be addressed in this paper. Section 3.5 and 3.6 present the static and the timing-aware game model formulations. Section 3.7 proposes a strategy optimization algorithm. Section 3.8 validates our analytic results through simulations. Finally, Section 3.9 concludes this chapter.

3.2 Related Work

Protecting location privacy in LBS has received significant attentions in recent years. To receive LBS, mobile users need to report their location to third-party application servers. Bettini et al. [9] pointed out that a sequence of sporadic location records for a person constitutes a quasi-identifier, i.e., data can be used to identify a person. Several prior works [20, 46, 47] have studied the vulnerability of mobile user privacy to inference attacks. Specifically, inference attack that leverages side information was investigated by Ma et al. [60]. In this paper, we focus on protecting users' privacy against such side information aided inference attacks.

The concept of k-anonymity was first introduced by Sweeney [85] to measure the effectiveness of location privacy protection. To achieve k-anonymity, most existing works rely on either spatial-temporal cloaking or location obfuscation techniques. Spatial-temporal cloaking [10, 12, 26, 33, 65] refers to the technique that hides an individual's location information by collecting k users' information and send the bounding region as location based query parameters. This approach is generally not suitable for the scenario that users use the same pseudonyms for a certain period of time. On the contrary, location obfuscation alters users' location information, or includes fake or fixed locations rather than the true locations of mobile users as LBS query parameters. Representative approaches such as [3, 19, 44, 58] fall into this category.

Both spatial-temporal cloaking and location obfuscation may impair the quality of LBS due to coarse-grained or fake location information. In this paper, we let users generate dummies with different pseudonyms to achieve location anonymization while preserving LBS quality.

Depending on the system architecture, existing researches can also be classified into centralized or distributed schemes. Centralized schemes, such as [26, 31, 33, 65, 88], rely on a trusted Central Authority (CA) to process queries from users. This type of approach has several drawbacks. First, it is difficult to find or deploy a CA that possesses all user information in various LBS systems. Second, the CA itself may become a bottleneck when the number of LBS queries becomes very large. To overcome these hurdles, we take the distributed approach in this paper, and allow autonomous users to perform location obfuscation by themselves. The distributed location anonymization approach has also been adopted by [44] and [12]. Kido et al. [44] proposed to let mobile users generate false or dummy locations and send them along with real locations to LBS servers. Targeting at a different threat model, this approach does not require dummy locations to form trajectories similar to real users' trajectories. Chow et al. [12] discussed a peer-to-peer spatial cloaking algorithm, where a mobile user finds a peer group to help achieve k-anonymity when he/she launches queries to LBS provider. This approach works only when there are sufficient number of users present in the targeted area, while in this paper, we address a different problem that the total number of users is less than k.

Game theory is the study of the interactions among self-interested autonomous individuals. Due to the distributed nature of a mobile environment, game theory is a powerful tool for analyzing privacy protection problems for self-interested mobile users [23, 28, 29, 40, 79]. In this paper, we investigate a new privacy protection problem that evaluates how k-anonymity can be achieved by letting non-cooperative mobile users

generate dummies. Our approach differs from existing solutions in both the adversary model as well as the users' privacy protection strategies.

3.3 Preliminaries

3.3.1 System Model for Location Based Services

Figure 3-1. System model: Users, Localization/Communication Service Infrastructure, and LBS Servers

A typical LBS system usually consists of the following components: (1) users with mobile devices; (2) communication infrastructure; (3) localization infrastructure; and (4) third-party LBS application servers, as depicted in Figure 3-1. The mobile devices held by users are capable of utilizing the localization infrastructure, (e.g., GPS system or wireless access points), to pinpoint current geographic positions. In addition, they can establish connections with the communication networks, and report location information to LBS servers. Third-party LBS application servers receive location information from users, search for nearby events in their databases, and then reply the search results back to the users. For the purpose of privacy protection, each user is usually represented by a pseudonym in LBS servers. These pseudonyms are either obtained from an offline central authority or generated in a distributed fashion [25]. The communications occurred during the service period result in a trajectory file recording footprints of users. We define the trajectory function of a user $u_i$ as $L_{u_i}(t)$. Using long-term pseudonyms are vulnerable to privacy attacks in such applications, because

one accidental real identity leakage will result in the whole trajectory, including past and future locations, being compromised. The following notations are listed to ease the presentation in the later sections.

Table 3-1. Notations for Privacy Preservation using Game-Theoretic Approach

Symbol          Definition
$N$             total number of LBS users in current service area
$u_i$           user i's pseudonym in LBS system
$r_i$           user i's real identity
$L_{u_i}(t)$    $u_i$'s trajectory function
$S_{r_i}(t)$    side information obtained by an adversary
$P_i$           player i
i               Degree of Privacy (DoP)
b               maximum DoP for the case of k users
i               Valuation of Privacy (VoP) for user $u_i$
$c$             cost of generating $k-1$ dummy users
i               Cost-Benefit Ratio (CBR) of $u_i$
$\varphi$       privacy loss rate
(t)             privacy loss function
$\tilde{t}$     earliest dummy user generation time
$F$             players' type distribution
$f$             probability density function of $F$
$s_i$           $P_i$'s strategy
$s_i()$         $P_i$'s strategy as a function of type
$S$             strategy profile, i.e., $S = \{s_1, s_2, \ldots, s_N\}$
$S_{-i}$        strategy profile of $P_i$'s opponents
$U_i$           $P_i$'s payoff function

3.3.2 Threat Model

According to the system model, third-party LBS applications are generally considered not trustworthy. After obtaining users' trajectory information, they may directly invade users' privacy, or secretly sell information to other parties. An adversary A refers to any entity formed by one or more malicious parties, who aim at uncovering the location information associated with mobile users' real identities, and making illegal profit by leveraging this information. Since A has the complete trajectory profiles camouflaged by pseudonyms, it is often characterized as a global passive

eavesdropper. This type of adversary becomes the major targeted threat to deal with in the literature [25].

Figure 3-2. Example of an inference attack based on side information. The trajectories of $u_1$ and $u_2$ are obtained from location reports of LBS. Side information associated with $u_2$'s real identity $r_2$ is obtained by eavesdropping or colluding. Comparing the footprints in these trajectories, an adversary A is able to reveal the correlation between $u_2$ and $r_2$ with high probability. Hence, A can learn $r_2$'s whole moving trajectory beyond the span of side information.

In addition to the trajectory function obtained by monitoring a user's location reports, A may also acquire some side information about LBS users. Because mobile users are publicly observable, partial trajectory information may be revealed when they travel in public places, e.g., Alice was witnessed to appear at cafeteria X at 3pm. The side information is represented as $S_{r_i}(t)$. Although these location disclosures may be sporadic and inaccurate, they are valuable auxiliary information for uncovering users' real identities in LBS systems.

By leveraging the side information, an adversary A can launch inference attacks. Specifically, A compares locations and timestamps in the side information and in the location trajectory file, and identifies the ones that match with the highest probability. An illustrative example is depicted in Figure 3-2. The goal of A is to discover the real identity and pseudonym correlations in the trajectory file based on side information matching, and to uncover the complete footprints associated with users' real identities. The consequence of the inference

attacks can be illustrated using the following example. Suppose A obtains Alice's location reports as follows: <$\hat{a}$, $t_1$, cafeteria X>, <$\hat{a}$, $t_2$, hospital Y>. In addition, A possesses the side information that Alice appeared at some place around cafeteria X at time $t_1$. Given the situation that only one user presents at the cafeteria X at time $t_1$, A may conclude that $\hat{a}$ is the pseudonym of Alice. Further, A learns the fact that Alice went to hospital Y at time $t_2$. Note that we do not consider the case that A actively stalks a particular user in this paper.

3.3.3 Location Privacy Metric

3.3.3.1 Degree of Privacy (DoP)

Several privacy metrics have been proposed in prior works, among which, the concept of k-anonymity is commonly accepted [85]. According to the threat model described in Section 3.3.2, k-anonymity is defined as the status that $r_i$ is matched with a set of pseudonyms with similar probabilities, where the size of possibly matched pseudonym set is at least k. In addition to k-anonymity, we introduce the concept of Degree of Privacy (DoP) as a quantitative measure for achieved privacy level. The DoP of user $r_i$ at some specific place, denoted as i, is evaluated in terms of an adversary's uncertainty to reveal the correlation of pseudonym to real identity. Leveraging the concept of information entropy, we quantitatively evaluate i as

$$i = -\sum_{d=1}^{N} p(r_i, u_d) \log_2(p(r_i, u_d)), \quad (3)$$

where $p(r_i, u_d)$ indicates the probability of matching $r_i$ to $u_d$. Since we do not make any assumption about the side information, the probability of matching $r_i$ to any pseudonym is equal. Therefore, we consider users in the same area have the same DoP.

3.3.3.2 Valuation of Privacy (VoP)

DoP characterizes the objective measurement of privacy. In order to understand the behaviors of users, we also need to define users' willingness to protect privacy.

Depending on a user's context, e.g., current location and time, the willingness to protect privacy may vary significantly. We introduce the concept of Valuation of Privacy (VoP) to quantify the users' subjective perception of privacy. Denote i as the VoP of $u_i$ at a specific location. i is a function of time $t$ and $u_i$'s trajectory function, i.e., i($L_{u_i}$, $t$). A higher value of i indicates a higher privacy appraisement of $u_i$ at a particular place.

3.4 Problem Statement

In this section, we first describe the dummy user generation procedure and clarify the assumptions used in this paper. Next, we identify the challenges and problems to be addressed in game theoretic analysis.

3.4.1 Dummy User Generation

Figure 3-3. A snapshot showing how dummy users are used to protect against the inference attack. Without dummy user $u'_2$, A may discover the correlation between $u_2$ and $r_2$ with high probability. With the newly introduced $u'_2$, the risk of $r_2$'s whole trajectory being revealed is reduced.

We consider the scenario when there are less than k users simultaneously present within an LBS service area during a certain period of time. Without employing any privacy protection technique, the achieved DoP for users is less than that of k-anonymity. As a result, according to the threat model, an adversary may have high probability to uncover some of the users' pseudonym to real identity correlations. In order to protect privacy, these users may generate dummy users with random and disposable pseudonyms, and report to the third-party LBS servers. We describe the procedure for dummy user generation as follows. A user first picks a pseudonym by

either generating one or selecting one from a pre-loaded pseudonym pool [25, 44]. Next, the user picks some random location within the current area and associates the location with the pseudonym. As long as the user stays within the current service area, these dummy user's locations will keep updated to LBS server as if a real user is traveling. This approach effectively enhances privacy for two reasons. First and the foremost, adding dummy users increases the number of possible side information matches, hence effectively decreases matching success possibilities. Second, when an adversary falsely matches a user's current location with some dummy pseudonym, further location information exposure can be avoided due to the disposal of the dummy pseudonym. An illustrative example of how dummy users can help to strengthen the privacy protection effectiveness is illustrated in Figure 3-3.

3.4.2 Problem Description

Adding dummy users not only enhances privacy protection for the users who actually spend efforts to generate, but also benefits other users within the same area who are passively waiting for others to generate, i.e., free-riders. From the perspective of users, dummy user generation is costly in terms of energy consumption and data communication overhead. Therefore, depending on the perceived VoPs, generating dummy users may not be appealing at all to some of the users, e.g., ordinary people have much lower demands of privacy than celebrities. Given the cost of generating $k-1$ dummy users represented in $c$, we define the Cost-Benefit-Ratio (CBR) as:

$$i = \frac{c}{i(L_{u_i}, t)}. \quad (3)$$

Here, we assume i falls within the range of (0, 1). When formulating the interactions among self-interested users into a strategy game, the problem boils down to the following. Upon entering into an area of less than k users, whether a user should introduce dummy users to the LBS server to protect his/her privacy, or wait for other users to do so.

We assume that the total number of LBS users in the service area is a common knowledge to all users. There are several ways to accomplish this. For example, in [23, 50], the authors suggested to let users communicate with each other before making any decisions. This method is appropriate for our application scenario because we are targeting at privacy protection against adversarial third-party application servers. For the benefit of their own privacy protection, it is reasonable for the users of the same LBS to communicate (maybe using different pseudonyms than the ones used in the application), and obtain the total number of users in current area. Note that in this paper, we do not consider the case that an adversarial person attacks at this stage.

3.5 The Dummy User Generation Game

In this section, we model the scenario that all LBS users within the same service area make dummy user generation decisions simultaneously without being informed of others' choices. We formulate a non-cooperative Bayesian game model to characterize the interactions among self-interested users, and denote this game as the Dummy User Generation (DUG) game. The properties of the Bayesian Nash Equilibria (BNE) with regard to the DUG game are analyzed in details. This game model, albeit simplified, is helpful to gain insights for rational strategy selection in a distributed setting.

3.5.1 Game Model

Player: In the DUG game, the player set $P = \{P_i \mid i \in \{1, \ldots, N\}\}$ consists of LBS users currently present within the service area. Note that the total number of players is less than k.

Strategy Set: The strategy set of a player refers to all available moves the player is able to take. In the game of DUG, this set includes: (1) Cooperate (C), i.e., to generate $k-1$ dummy users, or (2) Defect (D), i.e., only report one's own location and wait for others to generate dummy users. Let the strategy for a player $P_i$ be defined as $s_i \in \{C, D\}$. Regarding the Cooperate strategy, a natural question to ask is that how many dummy users should be generated to guarantee k-anonymity. In this paper,

we enforce the player who chooses the Cooperate strategy to generate exactly $k-1$ dummy users. This is because: (1) generating $k-1$ users is able to accommodate the worst case when only one user presents in current area; and (2) users are subject to sudden termination of LBS, resulting in a smaller crowd which exposes higher risk of privacy disclosure. Therefore, enforcing Cooperate strategy to generate $k-1$ users will provide guaranteed privacy protection for players. A strategy profile is a collection of the strategies played by all players, i.e., $S = \{s_1, \ldots, s_n\}$. We use $S_{-i}$ to indicate the strategy profile of $P_i$'s opponents.

Payoffs: The payoff of a player $P_i$ depends on $P_i$'s own strategy as well as the strategies adopted by $P_i$'s opponents. Briefly speaking, the payoff of a player equals to the achieved DoP subtracting the dummy user generation cost. In our game model, when $P_i$ generates $k-1$ dummy users, $P_i$'s opponents also benefit from this action and accomplish k-anonymity. We use b to represent the DoP when k-anonymity is achieved. The value of b serves as an upper bound of the achieved privacy level for the k-user case (although users might generate more than k dummies in total, we simply ignore the excessive DoP beyond that of k-anonymity). In this case, a piece of side information can be matched with each of the k pseudonyms with equal possibility, we have

$$b = -\sum (1/k) \log_2(1/k). \quad (3)$$

If none of the players chooses to Cooperate in the DUG game, the objective of achieving k-anonymity fails. The following payoff function comprehensively covers all cases encountered in the DUG game, where $n_c(S_{-i})$ denotes the number of cooperating players other than $P_i$.

$$U_i(;\, i, s_i, S_{-i}) = \begin{cases} b(1 - i) & s_i = C \\ b & s_i = D;\ n_c(S_{-i}) \geq 1 \\ 0 & s_i = D;\ n_c(S_{-i}) = 0 \end{cases} \quad (3)$$
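
Added example, not code from the dissertation: a Python sketch of the DoP entropy, the k-anonymity upper bound, and the three DUG payoff cases above, which then enumerates the strategy profiles that no player would leave by switching alone. It assumes every player's cost-benefit ratio is known to all (a complete-information simplification of the Bayesian game); the function names and the sample ratios are constructed for illustration.

```python
import math
from itertools import product


def degree_of_privacy(match_probs):
    """Entropy in bits of the adversary's match distribution for one identity.

    match_probs[d] is p(r_i, u_d), the probability that real identity r_i
    is matched to pseudonym u_d.
    """
    if abs(sum(match_probs) - 1.0) > 1e-9:
        raise ValueError("match probabilities must sum to 1")
    return -sum(p * math.log2(p) for p in match_probs if p > 0)


def max_dop(k):
    """Upper bound on DoP: each of k pseudonyms is an equally likely match."""
    return degree_of_privacy([1.0 / k] * k)


def payoff(own, others, cbr, k):
    """DUG payoff of one player.

    own    -- 'C' (generate k-1 dummies) or 'D' (report only own location)
    others -- the opponents' moves
    cbr    -- the player's cost-benefit ratio, assumed to lie in (0, 1)
    """
    if not 0.0 < cbr < 1.0:
        raise ValueError("cost-benefit ratio must lie in (0, 1)")
    bound = max_dop(k)
    if own == "C":
        return bound * (1.0 - cbr)          # privacy gained minus own cost
    return bound if "C" in others else 0.0  # free ride, or nobody cooperated


def stable_profiles(cbrs, k):
    """Profiles in which no single player gains by switching strategy."""
    stable = []
    for profile in product("CD", repeat=len(cbrs)):
        for i, move in enumerate(profile):
            others = profile[:i] + profile[i + 1:]
            alternative = "D" if move == "C" else "C"
            if payoff(alternative, others, cbrs[i], k) > \
                    payoff(move, others, cbrs[i], k) + 1e-12:
                break                       # player i would deviate
        else:
            stable.append("".join(profile))
    return stable


if __name__ == "__main__":
    k = 4
    sample_cbrs = [0.3, 0.6, 0.9]           # constructed sample values
    print("DoP with 2 equally likely pseudonyms:", degree_of_privacy([0.5, 0.5]))
    print("DoP bound for k = 4:", max_dop(k))
    for profile in stable_profiles(sample_cbrs, k):
        print(profile, "achieves k-anonymity:", "C" in profile)
```

Every stable profile in this simplified setting has exactly one cooperating player: k-anonymity is reached, and the remaining players free-ride on that player's dummies.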

Type: When meeting other players in the area, $P_i$ only has the information of his/her own VoP. In other words, a player's information about others' payoffs is incomplete. Therefore, the proposed DUG game is a Bayesian Game. To deal with the uncertainties inherent in the game, we follow the classical work proposed by Harsanyi [32], where a player named Nature is introduced into the game. Each player is assigned a type i sampling independently from some distribution $F$. The probability density is denoted as $f$. For type space, we have $\in$. In Bayesian games, the strategy space, possible types and the probability distribution $F$ are assumed to be common knowledge. The type of a player $P_i$ captures $P_i$'s private information, i.e., the CBR i of $P_i$ with type i is defined as i = i = $c/$i. Since costs are the same for all players in the Bayesian DUG game, the players' strategies are jointly influenced by their VoPs and their beliefs about the VoPs of others. Intuitively, if $P_i$ believes that others will generate dummy users, Defect becomes the natural choice for $P_i$. We adopt the concept of Best Response to represent the utility maximizing choice of rational players.

Definition 1. [Best Response] $P_i$'s best response $\hat{s}_i$, given the strategies of other players $S_{-i}$, is the strategy that maximizes $P_i$'s payoff. That is

$$\hat{s}_i(S_{-i}) = \arg\max_{s_i} U_i(i, s_i, S_{-i}). \quad (3)$$

In a complete information game, Nash Equilibrium (NE) captures the steady state of the game, where no player will get better off by unilaterally changing his/her strategy. In the Bayesian DUG game, we are interested in finding an equilibrium state that coheres with classical game theory. Specifically, we have the following definition for the targeted equilibrium state,

Definition 2. [Bayesian Nash Equilibrium] A strategy profile $S = \{s_1, s_2, \ldots, s_n\}$ is a Bayesian Nash Equilibrium (BNE) if strategy $s_i$ for every player i is the best response that maximizes their expected payoffs. That is, given $S_{-i}$ and players' beliefs about the

types of other players $-i$, we have

$$s_i(i) \in \arg\max_{s_i} \sum_{-i} f(-i)\, U_i(i, s_i, S_{-i}) \quad \forall i \quad (3)$$

3.5.2 Bayesian Nash Equilibrium of DUG Game

In order to derive the BNE of the DUG game, we denote $d_i(i)$ as the probability of player $P_i$ to choose Defect when given type i, and calculate the expected defect probability, i, as follows

$$i = E_F(d_i(i)) = \int d_i(i)\, dF(i). \quad (3)$$

Given $P_i$'s type i, $P_i$'s response to his/her opponents' strategy can lead to one of the following payoffs:

(a) If $P_i$ chooses Cooperate, i.e., $s_i = C$,

$$U_i(C;\, i, S_{-i}, F) = b(1 - i) = b - b\,c/i. \quad (3)$$

(b) If $P_i$ chooses Defect,

$$U_i(D;\, i, S_{-i}, F) = b\,E_F\Big(1 - \prod_{j \neq i} d_j(j)\Big) = b\Big(1 - E_F\Big(\prod_{j \neq i} d_j(j)\Big)\Big) = b - b \prod_{j \neq i} j. \quad (3)$$

Combining Equation (3), (3), we summarize the following properties for BNE.

Theorem 3.1. For a DUG game with N players, each with a type i drawn from some distribution $F$, where supp($F$) [0, 1], the following property holds:

$$s_i = \begin{cases} C & \text{if } i \ \prod_{j \neq i} j \end{cases} \quad (3)$$

Proof. According to Equation (3) and (3) if $P_i$ prefers Cooperate over other choices, i.e., $U_i(C;\, i, S_{-i}, F) > U_i(D;\, i, S_{-i}, F)$, we have i

for b = 1, the right-hand side is strictly smaller than left. When left hand-side equals to right hand-side, only one intersection point exists. Hence, the symmetric mixed strategy is unique.

A DUG game fails to achieve its privacy protection goal when all the players choose the Defect strategy. The conclusion of Theorem 3.3 indicates that when the number of players become large, the possibility of such scenario is very low. However, unlike the pure strategy equilibria discussed in Theorem 3.2, the symmetric mixed strategy equilibrium may result in more than one player to choose the Cooperate strategy. In this case, although k-anonymity is achieved, unnecessary cost is also paid.

3.6 The Timing-aware Dummy User Generation Game

In this section, we extend the previously developed DUG game model to incorporate the timing of decisions. Specifically, instead of requiring LBS users that choose Cooperate to generate dummy users as soon as they start traveling in the service area, we consider the case where players may intentionally delay their dummy generation and expect others to generate dummy users before they do. Since players make decisions based on their dynamically changing privacy needs, and their beliefs about the dummy user generation time of other players, we call the new game model a Timing-aware DUG game (T-DUG for short). We study the characteristics of the T-DUG game, and analyze the properties of the symmetric BNE for this game.

3.6.1 Extension to DUG Game

The T-DUG game is played whenever several users (less than k) enter into and exit an area at approximately the same time. Entering time and exit time are defined as $t_s$ and $t_e$, respectively. The value of $t_e - t_s$ corresponds to the time duration within the area. By incorporating the timing factor, we present the extension to the DUG game as follows. Note that this game model is not a repeated DUG game because a player will not choose to generate dummy users twice within a single game.

Strategy set: In the T-DUG game, the strategy of a player refers to the time he/she chooses to generate dummy users. For example, a player $P_i$ may choose to generate k dummy users at time $t_i$, ($t_s$ $t_i$ <

$$b((\tilde{t}) - i) \ \text{if } t_i = \tilde{t}; \qquad b(\tilde{t}) \ \text{if } t_i \neq \tilde{t} \quad (3)$$

Type: The type information for each player is the same as in the DUG game, where type i refers to the hidden information of $c/$i. The same distribution $F$ with density

$f$ is also adopted. In the T-DUG game, we consider that a player's strategy is solely determined by his/her type.

3.6.2 Bayesian Nash Equilibrium of T-DUG Game

We represent $P_i$'s strategy as $s_i(i) = t_i$ in T-DUG. Because the strategy space is continuous, we define the expected payoff for player $P_i$ as:

$$U_i(t;\, i, F) = E\big(b((\tilde{t}) - i\, I[t = \tilde{t}])\big), \quad (3)$$

where $I$ is an indicator function for the condition of ($t = \tilde{t}$). According to Equation (3), we have the following result regarding the BNE in T-DUG game.

Theorem 3.4. The T-DUG game has a unique Bayesian equilibrium, where a player $P_i$ with type i chooses strategy $s_i(i)$, defined as

$$s_i(i) = \begin{cases} ^{-1}(1 - (N-1)(i)) & i + (N-1)(i) < 1, \\ t_e & \text{otherwise} \end{cases} \quad (3)$$

and

$$(i) = \int_0^{i} \frac{x f(x)}{1 - F(x)}\, dx. \quad (3)$$

Proof. We employ $G(t)$ to be the distribution of the earliest time $\tilde{t}$ that any player decides to generate dummy users, and let the density function be $g(t)$. Since a player's strategy is solely determined by his/her type, we have

$$G(t) = \Pr(\min_{j \neq i} t_j \ t) = 1 - \prod_{j \neq i} \Pr(t_j \ t) = 1 - \prod_{j \neq i} \Pr(s(j) \ t) = 1 - \prod_{j \neq i} \Pr(j \ s^{-1}(t)) = 1 - (1 - F(s^{-1}(t)))^{(N-1)}, \quad (3)$$

that is

$$G(s()) = 1 - (1 - F())^{(N-1)}. \quad (3)$$

Therefore,

$$g(t) = g(s()) = (N-1)(1 - F())^{(N-2)} f() / s'(). \quad (3)$$

Since in a state of equilibrium, players are not incentivized to unilaterally change their strategies, their expected payoffs have reached the maximum value. The expected payoff is thus given by

$$E(U(t;\, , G)) = \int_0^t b\,(x)\, g(x)\, dx + b(1 - G(t))((t) - ) \quad (3)$$

By letting

$$\frac{dE(U)}{dt} = b\big(g(t) + (1 - G(t))\,'(t)\big) = 0, \quad (3)$$

we have

$$^{-1}(s()) = -g(s()) / (1 - G(s())). \quad (3)$$

Substituting $G(t)$ and $g(t)$ with Equation (3) and (3), we have

$$'(s()) = -\frac{(N-1) f()}{(1 - F())\, s'()}. \quad (3)$$

By integration over [0, ], we get

$$(s()) = 1 - (N-1) \int_0 \frac{x f(x)}{1 - F(x)}\, dx. \quad (3)$$

Finally, we have

$$s() = {}^{-1}(1 - (N-1)()). \quad (3)$$

3.7 A Distributed Algorithm for Strategy Optimization

In this section, we propose a distributed algorithm for LBS users to choose the best strategy based on local information of VoP and type distribution. As discussed in Section 3.4, any user within the current area can serve as a coordinator and initialize the dummy user generation game. The procedure of initialization can be adopted from the Swing protocol proposed in [23, 50]. Similar to the Swing protocol, any user

who is in charge of the game coordination (the coordinator) broadcasts an initiation message to other users in proximity. Users who are willing to participate in the game can notify the coordinator by sending back a reply message. After collecting the total number of players, the coordinator broadcasts this information as well as the game type (DUG or T-DUG) to all. The decision of game type can be related to the size of the area. For a small area, DUG game is sufficient. Upon receiving this message from the coordinator, each user is able to proceed to select an optimal strategy based on the theoretical analysis established in Section 3.5 and Section 3.6. For privacy protection, the coordination procedure is conducted without notifying the LBS server. In addition, these messages may be camouflaged using different pseudonyms other than the ones used in the LBS pseudonym pool. The complete description of the distributed algorithm for each participating user is presented in Algorithm 4.

Algorithm 4: LBS User Strategy Selection Algorithm
input: Type distribution $F$ with density function $f$
output: Player $P_i$'s strategy $s_i$
/* Step #1: Collect game parameters */
Receive total number of players N and game model: DUG or T-DUG;
Calculate current player's VoP, i;
Calculate current player's own type, i;
/* Step #2: Calculate player's strategy */
if current game is DUG game then
    i ← $E_F(d_i(i))$;
    calculate threshold $\prod_{j \neq i}$ j;
    determine the optimal strategy according to Equation (3);
else
    (i) ← $\int_0^{(c/i)} \frac{x f(x)}{1 - F(x)}\, dx$;
    if i + $(N-1)$(i) < 1 then
        generate $k-1$ dummy users at time $^{-1}(1 - (N-1)(i))$
    else
        do not generate any dummy user
    end
end

3.8 Performance Evaluation

In this section, we justify our theoretical analysis through simulations leveraging realistic privacy data traces. We use the favorable outcome rate to evaluate the performance of our proposed strategy optimization algorithm for distributed users. Favorable outcome rate is defined as the fraction of the total trials that achieves k-anonymity. In addition, for the T-DUG game, we also investigate the achieved DoP value and the corresponding dummy user generation time for various game size. Our results are evaluated against a random approach, where users randomly decide whether to generate dummy users.

3.8.1 Analysis of Data Trace

Figure 3-4. Statistical analysis of the privacy data trace: (a) histogram of the empirical data; (b) Q-Q plot of the empirical dataset and B(0.149, 0.109). Panels: A) Empirical data. B) Q-Q plot.

Abdesslem et al. organized an experiment in St Andrews and London to collect people's attitudes towards sharing location information with their friends on Facebook. The experiment lasted for about one month, and over 40 voluntary participants were involved. In the experiment, each time when an event took place at a person's smart phone, e.g., checking in at a restaurant or taking a picture, the volunteer was asked whether he/she would like to share this information with his/her Facebook friends.

PAGE 71

The results are publicly available at [1]. Based on this data trace, we consider the VoPs of mobile users as a function inversely proportional to the fraction of friends with whom the volunteer is willing to share the location information. For example, a user who is willing to share the location information with 1/10 of his/her Facebook friends has much higher VoP than a user who is willing to share the location information with all friends. Based on this analysis, we plot the empirical distribution of VoP in Figure 3-4A, and use R [72] to perform distribution fitting. We find out that a Beta distribution with shape parameters (0.149, 0.109) is closest for approximating the empirical distribution of VoPs, which confirms the theoretic estimation about users' privacy attitude distribution in [23].

3.8.2 Results

Figure 3-5. Favorable outcome rate of DUG and T-DUG game: (A) DUG game; (B) T-DUG game.

We conduct simulations for both DUG and T-DUG games. The number of players in a game is increased from 2 to 20 with a step length of 2. The players' type distribution is derived by the standard Jacobian transformation from the distribution of VoP. The values of VoP, i, are drawn from B(0.149, 0.109). For a specific location, e.g., hospital, the type distribution is assumed to be known to all users in a Bayesian game. As described earlier, we compare the simulation results of our algorithm with a random approach

PAGE 72

Figure 3-6. Achieved DoP and timing decisions of players: b=1 (normalized) and '=2. (A) Achieved DoP (normalized); (B) Earliest dummy user generation time.

based on 1000 simulation runs. In the game of T-DUG, the random approach stands for the process that each player first randomly decides whether to generate dummy users. Once a decision of generation is made, the player will generate the dummy users at a random time between [t_s, t_e]. For each simulation, whenever there is at least one player chooses to generate dummy users, k-anonymity is achieved. The results for the favorable outcome rate of our algorithm and the random approach are depicted in Figure 3-5. Not surprisingly, for both games, we observe that when there are more than 2 players in the game, our algorithm has a much higher favorable outcome rate than the random approach. This is because the random approach does not take users' privacy preference into account. Conversely, our algorithm maximizes payoffs of users by jointly considering one's attitude towards privacy protection and conjecture about other users' possible strategies. In fact, when the number of players is higher than 4, the favorable outcome rate of our algorithm is almost 100%. This justifies our theoretical analysis in Theorem 3.3. When the game

PAGE 73

reaches the symmetric mixed strategy equilibrium, and the number of players becomes large, it becomes almost impossible for all players to choose the Defect strategy.

For the T-DUG game, we further investigate the achieved DoPs as well as the earliest time for dummy user generation. The results are plotted in Figure 3-6. Comparing Figure 3-6A with Figure 3-5B, we observe that there is a larger performance gap between our algorithm and the random approach in terms of DoP than that of favorable outcome rate. This is because the counting of favorable outcome rate neglects the effect of dummy user generation time in T-DUG game. In T-DUG game, the sooner dummies are generated, the larger the DoP becomes. This result is further supported by the performance comparison of the earliest dummy generation times in Figure 3-6B, where the dummy generation time of our algorithm is much earlier than the random approach. In addition, in Figure 3-6B, the earliest dummy generation time of our algorithm approaches zero when the number of players increases. This confirms the theoretical results in Theorem 3.4. An intuitive explanation is that once a player P_i decides to generate dummies, with the same generation cost, delaying generation incurs higher privacy loss for P_i. Thus, P_i is more likely to generate dummies as early as possible.

3.9 Chapter Summary

In this paper, we proposed a distributed approach for LBS privacy protection. In order to protect users from a recently highlighted threat model and achieve k-anonymity, we let distributed mobile LBS users generate dummies according to their own privacy needs when the total number of users in a service area is less than k. From a game theoretic perspective, we identified the strategy space of the autonomous and self-interested users in a typical LBS system, and formulated two Bayesian games for the cases with and without the effect of decision timing. The existence and properties of the Bayesian Nash Equilibria for both models were analyzed. Based on the analysis, we further proposed a distributed algorithm to optimize user payoffs. Through simulations

PAGE 74

based on real-world privacy data trace, we justified the theoretical results presented in this paper.

PAGE 75

CHAPTER 4
PRIVACY PRESERVATION USING LOGICAL COORDINATES

4.1 Chapter Overview

Wireless sensor networks (WSNs) have enabled a wide spectrum of applications through networked low-cost low-power sensor nodes, e.g., habitat monitoring [62], precision agriculture [51], and forest fire detection [93]. In these applications, the sensor nodes constantly collect data from their immediate vicinity, and report back their readings to a data sink either actively or passively. These sensor networks are deeply embedded into the environment and operate under few human interventions. Although a significant amount of research has been devoted to improving the energy efficiency of WSNs and prolonging the network lifetime, privacy issues in WSNs have not been thoroughly addressed.

The problem of privacy protection in WSNs has many aspects. First, as sensor nodes are deployed to extract information from their proximity, the data collected are highly correlated with the specific region. Therefore, for sensitive data, such as the discovery of some scarce animals, the source of the data should be protected against the adversarial hunters. Second, the data sink may become the target of an adversary. As data aggregation and analysis are performed at data sinks, once the location of a data sink is compromised, serious consequences may result. Moreover, with the wide deployment of WSNs, the vision of ubiquitous computing is becoming reality. People carrying their mobile devices can walk around and collect sensor readings from the surrounding environment in real time. As a result, privacy becomes of great importance when people's locations and activities are involved. Finally, because sensor nodes for such applications typically have limited battery life, energy saving is of paramount importance in the design of sensor network protocols.

To address these problems, we propose an energy efficient, mobile sink based data collection protocol that hides the location information of both sensor nodes and the mobile sinks (e.g., people carrying mobile devices). Using our protocol, mobile

PAGE 76

sinks move continuously in an area with relatively low speed, and gather data on the fly. Control messages are broadcast at certain points in much lower frequency than ordinarily required in existing data gathering protocols. These sojourn positions are viewed as footprints of a mobile sink. Considering each footprint as a virtual landmark, a sensor node can conveniently identify its hop count distances to these landmarks. These hop count distances combined represent the sensor node's coordinate in the logical coordinate space constructed by the mobile sink. Each sensor node greedily selects next hop with the shortest logical distance to the mobile sink. In this way, no actual geographic location information is leaked during the data collection process, and location privacy of both sensor nodes and mobile sinks are protected.

Our contributions in this chapter are manifold. (1) We achieve data collection using mobile sinks by utilizing a unique logical coordinate representation for tracking mobile sinks. As a result, the location information of the sensor nodes and the mobile sinks are effectively protected. (2) We design a novel low-complexity dynamic routing protocol for data gathering with one or multiple mobile sink(s), which significantly reduces average route length and cuts down total energy consumption. (3) We conduct extensive comparison studies and simulations with popular existing solutions to demonstrate the effectiveness of our approach.

The rest of this chapter is organized as follows. Section 4.2 presents related work. Section 4.3 discusses network and adversary models. Detailed protocol design is introduced in Section 4.4. Section 4.5 presents analytical and simulation results, and demonstrates the effectiveness of SinkTrail algorithms in terms of privacy protection and energy efficiency. The impact of several design factors of SinkTrail is investigated and analyzed in Section 4.6. Section 4.7 concludes the paper.

4.2 Related Work

Protecting location privacy in sensor networks has been a heated topic recently [5, 27, 75, 84]. Many approaches have been proposed in this area to preserve either sensor

PAGE 77

nodes' location privacy or data sinks' location privacy. Even though the classic security approaches, e.g., encryption of data packets, are able to achieve confidentiality and integrity, location information is vulnerable to traffic analysis. To make things worse, with the extremely limited on-board energy resources of a sensor node, energy-efficiency is also an essential requirement for all types of protocol designs in sensor networks.

4.2.1 Data Source Privacy

For many sensor network applications that aim at monitoring or tracing a specific target, the main purpose of protecting data source's location privacy is to avoid the leakage of the target location to eavesdroppers. According to the packet generation pattern, they can be generally classified into the following categories. (1) The flooding technique, e.g., [69], suggests each data source send packets through multiple paths to avoid identification of target location through packet trace back. (2) The random walk technique, e.g., [39], obfuscates the forwarding path to avoid source identification. (3) The cyclic entrapment method, e.g., [68], makes packets travel in a cyclic pattern. Besides, some research work proposes to protect source location privacy by generating fake packets from time to time to confuse the adversarial eavesdroppers [39, 89]. Although all these techniques can work for some applications, they all require extra efforts from sensor nodes in generating or forwarding unnecessary packets. As a result, they are not very energy efficient. Our proposed approach is specifically designed to achieve source protection in an energy efficient manner.

4.2.2 Data Sink Privacy

Similar to the data source privacy protection approaches, methods designed to protect data sinks' location also focus on altering the traffic patterns. Multi-path routing, multiple-parent routing, and a controlled random walk scheme are introduced in [17] and [18]. While in [38], redundant hops and fake packets are added to increase the difficulty of identifying sink location. In [63] and [64], the sink location protection against a global eavesdropper is studied, and sink location simulation and backbone

PAGE 78

flooding approaches are proposed. All these existing approaches achieve protection by sacrificing energy efficiency of routing in a sensor network. In addition, when the data sink is a mobile node, techniques proposed for static network structure will no longer work. Unlike the existing approaches, we study the protection of a mobile sink's location privacy in this chapter.

4.2.3 Energy Efficient Routing

For mobile sink based data collection, broadcasting a mobile sink's current location to the whole network is the most natural solution to track a moving mobile sink. This type of approach is sink-oriented and some early research efforts, e.g., [13, 37, 90], have demonstrated its effectiveness in collecting a small amount of data from the network. Several mechanisms have been suggested to reduce control overheads. The TTDD protocol, proposed in [91], constructed a two-tier data dissemination structure in advance to enable fast data forwarding. In [35] and [71], a spatial-temporal multicast protocol is proposed to establish a delivery zone ahead of mobile sink's arrival. Fodor et al. [21] lowered communication overheads by proposing a restricted flooding method. Luo et al. [59] proposed that a mobile sink should move following a circle trail in deployed sensor field to maximize data gathering efficiency. One big problem of the multicasting methods lies in its flooding nature. Moreover, these papers either assume that mobile sinks move at a fixed velocity and fixed direction, or follow a fixed moving pattern, which largely confines their application. The SinkTrail protocol with message suppression minimizes the flooding effect of control messages without confining a mobile sink's movement, thus is more attractive in real-world deployment.

Another solution utilizes opportunistic data reporting. For instance, in [77] the authors studied data collection performance when a mobile sink presents at random places in the network. The method relies heavily on network topology and density, and suffers scalability issues when all data packets need to be forwarded in the network.

PAGE 79

Another category of methods, called mobile element scheduling (MES) algorithms [16, 61, 82, 83, 94, 96], considered controlled mobile sink mobility and advanced planning of mobile sink's moving path. Ma et al. [61] focused on minimizing the length of each data gathering tour by intentionally controlling the mobile sink's movement to query every sensor node in the network. When data sampling rates in the network are heterogeneous, scheduling mobile sinks to visit hot-spots of the sensor network becomes helpful. Example algorithms can be found in [16, 82, 83]. Although the MES methods effectively reduce data transmission costs, they require a mobile sink to cover every node in the sensor field, which makes it hard to accommodate to large-scale and introduces high latency in data gathering. Even worse, finding an optimal data gathering tour in general is itself an NP-hard problem [52, 61], and constrained access areas or obstacles in the deployed field pose more complexity. Unlike MES algorithms, SinkTrail, with almost no constraint on the moving trajectory of mobile sinks, achieves much more flexibility to adapt to dynamically changing field situations while still maintains low communication overheads.

SinkTrail uses sink location prediction and selects data reporting routes in a greedy manner. The authors in [43] used sequential Monte Carlo theory to predict sink locations to enhance data reporting. SinkTrail employs a different prediction technique that has much lower complexity. Moreover, SinkTrail does not rely on the assumption of location-aware sensor nodes, which could be impractical and lead to location information leakage.

The routing protocol of SinkTrail is inspired by recent research on logical coordinate routing [11, 22, 66, 73]. SinkTrail adopts a vector representation and uses past locations of the mobile sink as virtual landmarks. To the best of our knowledge, we are the first to associate a mobile sink's footprints left at moving path with routing algorithm construction. The vector form coordinates, called trail references, are used to guide data reporting without knowledge of the physical locations and velocity of the mobile sink.

PAGE 80

4.3 Network and Adversary Model

4.3.1 Network Model

Figure 4-1. Data gathering with one mobile sink: large solid dots indicate the mobile sink's trail points, and sensor nodes maintain trail references as logical coordinates. Shaded areas stand for obstacles.

We consider a large scale, uniformly distributed sensor network N deployed in an outdoor area. For analysis purpose, we assume all sensor nodes are homogeneous, although this assumption can be relaxed with small modification of the underlying communication protocol. Fig. 4-1 shows an example deployment. Nodes in the network communicate with each other via radio links. We assume the whole sensor network is connected, which is achieved by deploying sensors densely. We also assume sensor nodes are awake when a mobile sink wants to start the data gathering process (achievable by synchronized schedule or a short wake up message). Mobile sinks, e.g., tourists of an area or rangers of a park, travel in the area and collect data from deployed sensor nodes. These mobile sinks have radios and processors to communicate with sensor nodes and process sensed data. A data gathering process starts from the time mobile sinks issue a start message and terminates when: either (1)

PAGE 81

enough data are collected (measured by a user defined threshold); or (2) there are no more data reports in a certain period. Since many security mechanisms have been proposed to ensure data contents' confidentiality and integrity, we assume that the sensed data can be encrypted by sensor nodes using existing approaches, e.g., [41, 42].

4.3.2 Adversary Model

In this chapter, we focus on an adversary with only local view of the deployed sensor network. For example, by randomly deploying some snooping device in an area, the adversary obtains the local view via eavesdropping on its neighbors. The adversary can utilize the routing path and next hop information that are carried in the packets, but it is not able to decrypt message contents. The purpose of an adversary is to discover the location of a specific event as well as the location of a mobile sink.

4.3.3 Privacy Protection Goal

Since our targeted network utilizes mobile sinks for data collection and query, sink nodes may appear at anywhere inside the deployed area. Without a global view of the traffic patterns, an adversary can only rely on routing information carried in each packet to find out sink and source locations. The goal of privacy protection against such a local eavesdropper is to hide the location information in exchanged packets. By establishing a logical coordinate system, the goal of protecting location information and energy efficient routing are jointly achieved.

4.4 SinkTrail Protocol Design

The SinkTrail protocol is proposed for sensor nodes to proactively report their data back to one of the mobile sinks in an energy efficient and privacy preserving manner. To illustrate the data gathering procedure clearly, we first consider the scenario where there is only one mobile sink in N. The multiple mobile sinks scenario is discussed in Section 4.4.2.

PAGE 82

Table 4-1. Notations for Privacy Preservation using Logical Coordinates

Symbol    Definition
n_i       sensor node i
N         total number of sensor nodes in N
S         mobile sink
M         number of mobile sinks
v_i       trail reference of node i
e^i_j     the jth element in v_i
d_v       trail reference size, d_v = ||v||
b         average number of neighbors of each node
          the most recent message sequence number
i         the ith trail point of S
          the collection of trail points
D         total number of trail points
K         step size parameter for one move (a step of K hop counts is K )
T_i       timer duration of node i

Algorithm 5: Mobile Sink's Strategy
/* ------ Initialization ------ */
msg.seqN ← 0;
msg.hopC ← 0;
Announces step size parameter K;
/* ------ Moving strategies ------ */
while Not get enough data or Not timeout do
    Move to next trail point;
    msg.seqN ← msg.seqN + 1;
    Stop for a very short time to broadcast trail message;
    Concurrently listen for data report packets;
end
End data gathering process and exit;

4.4.1 SinkTrail Protocol with One Mobile Sink

During the data gathering process, the mobile sink moves around in N with relatively low speed, and keeps listening for data report packets. It stops at some places for a very short time, broadcasts a message to the whole network, and moves on to another place. We call these places Trail Points, and these messages Trail Messages. Example trail points are shown in Fig. 4-1. Let be the average transmission range. Apparently two

PAGE 83

adjacent trail points should be separated by a distance longer than , otherwise, the hop count information won't be significantly different. To facilitate the tracking of a mobile sink, we assume that the distances between any two consecutive trail points are same (or similar), denoted as K , K 1. However, distribution of these trail points doesn't necessarily follow any pattern. A trail message from a mobile sink contains a sequence number (msg.seqN) and a hop count (msg.hopC) to the sink. The time interval between a mobile sink stops at one trail point and arrives at the next trail point is called one move. There are multiple moves during a data gathering round. The tasks of a mobile sink are summarized in Algorithm 5.

In the SinkTrail algorithm, we use vectors called Trail References to represent logical coordinates in a network. The trail reference maintained by each node is used as a location indicator for packet forwarding. All trail references are of the same size. Notations used throughout the protocol description are listed in Table 4-1.

The data reporting procedure consists mainly of two phases. The first phase is called logical coordinate space construction. During this phase, sensor nodes update their trail references corresponding to the mobile sink's trail messages. After d_v hop counts have been collected, a sensor node enters the greedy forwarding phase, where it decides how to report data packets to the mobile sink.

4.4.1.1 Logical coordinate space construction

At beginning, all sensor nodes' trail references are initialized to [-1, -1, ..., -1] of size d_v. A special variable that is used to track the latest message sequence number is also set to -1. After the mobile sink S enters the field, it randomly selects a place as its first trail point 1, and broadcasts a trail message to all the sensor nodes in N. The trail message, , is set to <1, 0>, indicating that this is the first trail message from trail point one, and the hop count to S is zero.

The nodes nearest to S will be the first ones to hear this message. By comparing with , if this is a new message, then will be updated by the new sequence number.

PAGE 84

Algorithm 6: Trail reference update algorithm
while Data gathering process is not over do
    /* ------ Receive a trail message ------ */
    if msg.seqN > then
        msg.seqN;
        Shift v_i to left by one position;
        e^i_{d_v} ← msg.hopC + 1;
        msg.hopC ← msg.hopC + 1;
        Rebroadcast message;
    end
    else if msg.seqN = then
        Compare e^i_{d_v} with (msg.hopC + 1);
        if e^i_{d_v} > (msg.hopC + 1) then
            e^i_{d_v} ← msg.hopC + 1;
            msg.hopC ← msg.hopC + 1;
            Rebroadcast message;
        end
        else
            Discard the message;
        end
    end
    else if msg.seqN
PAGE 85

then the last hop count field in its trail reference is updated, and this trail message is rebroadcast with the same sequence number and an incremented hop count. Trail messages that have sequence number less than will be discarded to eliminate flooding messages in the network. The steps described in Algorithm 6 summarize the operations to update a trail reference. During the data gathering procedure, a node's trail reference needs to be updated every time a new trail message is received.

Figure 4-2. Example execution snapshot of SinkTrail: large solid dots indicate trail points and its moving path.

After each node in the network received d_v distinct trail messages, the logical coordinate space is established. A snapshot of a part of the network N is shown in Fig. 4-2. Trail references, such as [3,1,1] or [2,2,2], are considered logical coordinates of the sensor nodes in a network.

4.4.1.2 Destination identification

SinkTrail facilitates the flexible and convenient construction of a logical coordinate space. Instead of scheduling a mobile sink's movement, it allows a mobile sink to spontaneously stop at convenient locations according to current field situations or desired moving paths. These sojourn places of a mobile sink, named trail points in SinkTrail, are footprints left by a mobile sink, and they provide valuable information for

PAGE 86

tracing the current location of a mobile sink. Considering these footprints as virtual landmarks, hop count information reflects the moving trajectory of a mobile sink. A logical d_v-dimensional coordinate space is then established.

One advantage of SinkTrail is that the logical coordinate of a mobile sink keeps invariant at each trail point, given the continuous update of trail references. This is because the mobile sink's hop count distance to its previous d_v - 1 footprints are always K(d_v - 1), K(d_v - 2), ..., K, and 0 to its current location. Therefore the logical coordinate [K(d_v - 1), K(d_v - 2), ..., 0] represents the current logical location of the mobile sink. We call this coordinate Destination Reference. This destination reference does not necessarily require a mobile sink to have linear moving trajectory. Although arbitrary movement of a mobile sink may deteriorate the accuracy of destination reference, it can still serve as a guideline for data reporting. Here we set K=1 and d_v=3 to ease our presentation. A large value of K means even less broadcast frequency. The impacts of mobile sinks' moving pattern and broadcast frequency are investigated in Section 4.6. In Fig. 4-2, assume S is at the trail point 3 now, then its destination reference should be [2,1,0]. When S moves to the trail point 4, the coordinate space is updated based on trail points 2, 3, and 4, and destination reference of the mobile sink is still [2,1,0].

4.4.1.3 Greedy forwarding

Once a node has updated the 3 elements in its trail reference (we use d_v=3 for easy understanding and clear presentation), it starts a timer that is inverse proportional to the right-most element in its trail reference. For example, node n_5's trail reference is [6,7,9] in Fig. 4-2, then the duration of its timer is set to T_5 = T_init - 9. Here, T_init and are predefined constants. The choice of timer function, T_init, and may vary. However, we assume the timer durations are significantly longer than the propagation time of a trail message, so that timers on all nodes are viewed as starting at the same time. The timer mechanism is mainly used to differentiate data reporting orders (another usage is discussed in SinkTrail-S protocol); so the clock on each sensor node doesn't need

PAGE 87

Algorithm 7: Greedy data forwarding algorithm
/* ------ Start a timer ------ */
if All elements of the trail reference are updated then
    Start timer T_i = T_init - e^i_{d_v};
    Exchange trail references with neighbors
end
/* ------ When timer expires ------ */
Set destination as [(d_v - 1), ..., 2, 1, 0];
/* ------ Probe mobile sink ------ */
if A mobile sink is within radio range then
    Send data to the mobile sink directly;
end
else
    Choose the neighbor closest to destination as the next hop;
    Forward all data to next hop;
end

to be perfectly synchronized. Since the right-most element in a node's trail reference is the latest hop count information from this node to a mobile sink, the inverse proportional timers ensure that nodes far away from S have shorter timer durations than those close to S, thus will start data reporting first.

When a node's timer expires, it initiates the data reporting process. Every sensor node in the network maintains a routing table of size O(b) consisting of all neighbors' trail references. This routing table is built up by exchanging trail references with neighbors, as described in Algorithm 7; and it is updated whenever the mobile sink arrives at a new trail point. Although trail references may not be global identifiers since route selection is conducted locally, they are good enough for the SinkTrail protocol. Because each trail reference has only 3 numbers, the size of exchange message is small. When a node has received all its neighbors' trail references, it calculates their distances to the destination reference, [2,1,0], according to 2-norm vector calculation, then greedily chooses the node with the smallest distance as next hop to relay data. If there is a tie the next hop node can be randomly selected. The complete procedure of greedy forwarding is presented in Algorithm 7. Take the

PAGE 88

network in Fig. 4-2 as an example, when node n_8 decides to report its data, it compares n_4, n_5, and n_7's vector distance with [2,1,0]. Since n_5 and n_7's distance to [2,1,0] is √133 and √249 respectively, and n_4's distance is √90, n_4 is chosen as the next hop of n_8.

4.4.2 SinkTrail Protocol with Multiple Mobile Sinks

Figure 4-3. Example execution snapshot of SinkTrail of multiple mobile sinks scenario.

The proposed SinkTrail protocol can be readily extended to multi-sink scenario with small modifications. When there is more than one sink in a network, each mobile sink broadcasts trail messages following Algorithm 5. Different from one sink scenario, a sender ID field, msg.sID, is added to each trail message to distinguish them from different senders.

Algorithms executed on the sensor node side should be modified to accommodate multi-sink scenario as well. Instead of using only one trail reference, a sensor node maintains multiple trail references that each corresponds to a different mobile sink at the same time. Fig. 4-3 shows an example of two mobile sinks. Two trail references, colored in black and red, coexist in the same sensor node. In this way, multiple logical coordinate spaces are constructed concurrently, one for each mobile sink. When a trail message arrives, a sensor node checks the mobile sink's ID in the message to determine if it is necessary to create a new trail reference. The procedure is summarized in Algorithm 8. In SinkTrail trail references of each node represent node locations in different logical

PAGE 89

Algorithm 8: Trail reference update algorithm for multiple mobile sinks
while Data gathering process is not over do
    /* ------ Receive a trail message ------ */
    if New mobile sink ID then
        Create v_i mID;
        Create mID;
    end
    else
        /* ------ Message from a known sink ------ */
        if msg.seqN > mID then
            Shift v_i mID to left by one position;
            e^i_{d_v} ← msg.hopC + 1;
            msg.hopC ← msg.hopC + 1;
            Rebroadcast message;
        end
        else if msg.seqN = mID then
            Compare e^i_{d_v} with (msg.hopC + 1);
            if e^i_{d_v} > msg.hopC + 1 then
                e^i_{d_v} ← msg.hopC + 1;
                msg.hopC ← msg.hopC + 1;
                Rebroadcast message;
            end
            else
                Discard the message;
            end
        end
        else if msg.seqN < mID then
            Discard the message;
        end
    end
end
/* ------ Reset variables ------ */
v_i prototype [-1, -1, ..., -1] of size d_v;
prototype -1;

PAGE 90

Algorithm 9: Greedy data forwarding algorithm for multiple mobile sinks
/* ------ Start a timer ------ */
if All elements of the trail reference are updated then
    Start timer T_i = T_init - e^i_{d_v};
    Exchange trail references with neighbors;
end
/* ------ When timer expires ------ */
Set destination as [(d_v - 1), ..., 2, 1, 0];
/* ------ Probe mobile sink ------ */
if A mobile sink is within radio range then
    Send data to the mobile sink directly;
end
else
    Compare neighbors' trail references with destination reference in already established logical coordinates;
    Choose the neighbor closest to any mobile sink as the next hop;
    Forward all data to next hop;
end

coordinate spaces, when it comes to data forwarding, because reporting to any mobile sink is valid, the node can choose the neighbor closest to a mobile sink in any coordinate space. Sink location in each logical coordinate space is still [2,1,0], as we use K=1, d_v=3. If each mobile sink has a different K value, sensor nodes will calculate neighbors' distances to multiple destination references and select route accordingly. Detailed description is in Algorithm 9. It is well-known that geographic routing and logical coordinate based routing ensure loop-free routes [22, 73], so does SinkTrail.

Fig. 4-3 gives us an example of data gathering in multiple coordinate spaces. For node n_5, its neighbor node n_2's vector distance to [2,1,0] with regard to the red mobile sink on the left is 2, and √43 to the right grey mobile sink. And all other neighbors of n_5 has larger vector distance to the two sinks. So n_2 is used as the next hop to route to the red mobile sink.
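The single-sink procedure of Section 4.4.1 (the trail reference update of Algorithm 6 and the greedy forwarding of Algorithm 7) can be run end to end on a small network. The Python simulation below is an added example, not code from the dissertation; the 6x6 grid topology, the trail points, every class and function name, and the deterministic tie-break are assumptions made here. It also lists the nodes that hold one and the same trail reference, which shows that a logical coordinate seen in a packet does not identify a single physical position.

```python
import math
from collections import deque

DV = 3  # trail reference size d_v (the chapter's walkthrough uses 3)
K = 1   # step size parameter: consecutive trail points are K hops apart


class Node:
    """State kept by one sensor node: trail reference and last sequence number."""

    def __init__(self):
        self.trail_ref = [-1] * DV
        self.last_seq = -1

    def on_trail_message(self, seq, hop_c):
        """Algorithm 6. Returns the hop count to rebroadcast, or None to discard."""
        if seq > self.last_seq:                      # message from a new trail point
            self.last_seq = seq
            self.trail_ref = self.trail_ref[1:] + [hop_c + 1]  # shift left, append
            return hop_c + 1
        if seq == self.last_seq and self.trail_ref[-1] > hop_c + 1:
            self.trail_ref[-1] = hop_c + 1           # shorter path to the same point
            return hop_c + 1
        return None                                  # older sequence or no improvement


def grid_links(width, height):
    """Constructed topology: 4-connected grid. The (x, y) ids only wire up radio
    links inside the simulator; nodes never read them when routing."""
    links = {}
    for x in range(width):
        for y in range(height):
            cand = [(x + 1, y), (x - 1, y), (x, y + 1), (x, y - 1)]
            links[(x, y)] = [(a, b) for a, b in cand
                             if 0 <= a < width and 0 <= b < height]
    return links


def broadcast_trail(nodes, links, in_range, seq):
    """Sink broadcasts <seq, hopC=0> at a trail point; nodes flood it onward."""
    queue = deque((nid, 0) for nid in in_range)
    rebroadcasts = 0
    while queue:
        nid, hop_c = queue.popleft()
        out = nodes[nid].on_trail_message(seq, hop_c)
        if out is not None:
            rebroadcasts += 1
            queue.extend((nbr, out) for nbr in links[nid])
    return rebroadcasts


def run_trail(width, height, trail_points):
    """Build the network and let the sink visit each trail point in order.
    Assumption: at each stop only the node at that grid position hears the sink."""
    links = grid_links(width, height)
    nodes = {nid: Node() for nid in links}
    for seq, point in enumerate(trail_points, start=1):
        broadcast_trail(nodes, links, [point], seq)
    return nodes, links


def destination_reference():
    """Logical coordinate of the sink: [K(d_v-1), ..., K, 0]."""
    return [K * (DV - 1 - j) for j in range(DV)]


def next_hop(nid, nodes, links):
    """Algorithm 7: neighbor whose trail reference is closest (2-norm) to the
    destination reference. Ties go to the first neighbor for reproducibility."""
    dest = destination_reference()
    return min(links[nid], key=lambda m: math.dist(nodes[m].trail_ref, dest))


def route(src, nodes, links, sink_range, max_hops=64):
    """Forward greedily until a node within radio range of the sink is reached."""
    path = [src]
    while path[-1] not in sink_range and len(path) <= max_hops:
        path.append(next_hop(path[-1], nodes, links))
    return path


def nodes_sharing(ref, nodes):
    """All nodes holding the same trail reference (same logical coordinate)."""
    return sorted(nid for nid, n in nodes.items() if n.trail_ref == ref)


if __name__ == "__main__":
    nodes, links = run_trail(6, 6, [(1, 1), (2, 1), (3, 1)])
    print("destination reference:", destination_reference())
    print("route from (0, 5):", route((0, 5), nodes, links, {(3, 1)}))
    print("nodes with trail reference [4, 3, 2]:", nodes_sharing([4, 3, 2], nodes))
```

Moving the sink on to a fourth trail point leaves the destination reference at [2, 1, 0], and the node next to the new stop again holds [3, 2, 1].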

PAGE 91

Algorithm 10: Trail reference update with message suppression
while Data gathering process is not over do
    /* ------ Receive a trail message ------ */
    if msg.seqN > then
        msg.seqN;
        if e^i_{d_v} = msg.hopC + 1 then
            Discard the message;
        end
        else
            Shift v_i to left by one position;
            e^i_{d_v} ← msg.hopC + 1;
            msg.hopC ← msg.hopC + 1;
            Rebroadcast message;
        end
    end
    else if msg.seqN = then
        Compare e^i_{d_v} with (msg.hopC + 1);
        if e^i_{d_v} > (msg.hopC + 1) then
            e^i_{d_v} ← msg.hopC + 1;
            msg.hopC ← msg.hopC + 1;
            Rebroadcast message;
        end
        else
            Discard the message;
        end
    end
    else if msg.seqN
PAGE 92

Figure 4-4. An illustrative example to show that mobile sink's movement has less impact on remote sensor nodes than immediate ones.

4.4.3 SinkTrail-S Protocol

In SinkTrail, flooding trail messages to the whole network can be nontrivial in terms of energy consumption. To further optimize the energy usage and eliminate unnecessary control messages in the network, we propose SinkTrail-S algorithm as an improvement to the original SinkTrail. SinkTrail-S algorithm is mainly based on the following two observations. First, in a large-scale sensor network, the sensor nodes that are far away from a mobile sink may not be significantly affected by a single movement of the mobile sink. Take the sensor network shown in Fig. 4-4 as an example, when the mobile sink moves from trail point A to trail point B, the yellow sensor node at the left bottom corner may still have the same hop count distance to the mobile sink, and the routing path chosen from last move of the mobile sink may still be valid. In this case, the trail messages can be suppressed with high probability. Second, when a node has finished data reporting and forwarding, trail reference updating becomes meaningless and results in huge waste of energy, especially for peripheral sensor nodes.

To properly handle these two situations, we propose a message suppression policy at a small cost of extra state storage at each sensor node. Each sensor node will compare the current hop count distance to a mobile sink with the most recently received one. If these two are same, it indicates the path length through the node to the mobile sink is still

PAGE 93

same, making it unnecessary to rebroadcast this trail message. In case of the second situation, each node maintains a state variable in its memory. When a node finishes data reporting, it marks itself as finished, and informs all its neighbor nodes. A node stops trail reference updating and trail message rebroadcasting whenever itself and all its neighbors are finished. Again, this method is guaranteed by the timer mechanism that ensures sequential data packets reporting order from network peripheral to a mobile sink's current location. For accidental situations due to timer failure, a new data packet may arrive at a node that has already stopped trail reference updating. In that case old trail references are used. This may cause a longer routing path but the result is still acceptable for data reporting. Algorithm 10 presents a detailed description of SinkTrail-S protocol.

4.5 Performance Evaluation

There are many mobile sink oriented approaches for data collection in sensor networks, e.g., Directed Diffusion [37], TTDD [91], and GRAB [90]. These protocols, as in SinkTrail, do not pose any constraint on a mobile sink's movement, nor do they require any special setup phase, generally referred to as Sink Oriented Data Dissemination approaches (SODD). Although SODD approaches may apply different aggregation functions for better performance, similar strategies can be applied to SinkTrail as well. In order to gain more insights on the energy efficiency of SinkTrail, and to demonstrate the advantage of incorporating sink location tracking, we compare the overall energy consumption of SinkTrail with these protocols. Simulation results for SinkTrail-S are also presented to show further improved performance.

Before we proceed the following variables are defined for clear presentation and fair comparison. We consider a network N that consists of N sensor nodes and M mobile sinks. All the sensor nodes are data sources. We assume sensor nodes are deployed in a grid topology for ease of understanding. However, our analysis can be extended to other uniformly distributed topology. Therefore, the edge of the grid is roughly √N.

PAGE 94

Denote the energy cost for transmitting or receiving a control message be 1, and the cost for a data packet be . We have >> since compared to trail messages, data packets are usually larger in terms of data size, which is proportional to the energy cost for radio transmission.

4.5.1 Privacy Protection

The privacy protection for both data source and mobile sinks are guaranteed by using logical coordinates instead of real geographic locations. As mobile sinks are moving around in the deployed area, all sensor nodes need to know is which one of its neighboring nodes is closer to the mobile sink. No real geographic location is required and no information beyond two hops is required. For an adversary with only local view of the network, the next hops of snooped packets are frequently changed. Therefore, mobile sinks' random movements inside an area provide sufficient obfuscation of their location. With the logical coordinate system, further protection is added.

4.5.2 Communication Cost Analysis

In SinkTrail, energy consumption mainly includes data packet forwarding cost, E_data, routing table maintenance cost, E_routing, and trail message transmission cost, E_trail. Two factors affect the energy cost of data forwarding: number of data packets and the average route length. The number of data packets is determined by the number of data sources in a network, in this case, N. The average route length, on the other hand, may vary depending on the locations a mobile sink has traveled. We estimate an upper bound of the average route length by considering the situation that a mobile sink appears randomly at a location inside the deployed field. In this case, we can find N/2 pairs of sensor nodes that any one pair of nodes' distances to the mobile sink added up to at most √(2N). Thus, the average route length should be upper bounded by (N/2)√(2N)/N.

1 In practice, energy cost for transmitting and receiving might be slightly different

PAGE 95

We use a coefficient c, where 0

descriptive information about its data to the whole network in order to construct a grid structure for guiding the forward direction of query messages. When a mobile sink queries for certain data, this query message is only flooded within a grid cell, then the pre-constructed data grid structure will help the query find the corresponding data source. According to this description, the total energy consumption of TTDD includes the following three components: energy used for grid constructing, $E_{grid}$; query flooding, $E_{query}$; and data reporting, $E'_{data}$.

The energy cost for data reporting in TTDD is determined by amount of data packets and length of routing paths. Since in TTDD, data packets are routed towards a mobile sink that appears randomly in the deployed field, the average route length is similar to SinkTrail. Therefore, we have,

$E'_{data} = c\sqrt{2N}\,N$ (4)

According to TTDD protocol, the whole deployed area is divided into small cells. A query for data is only flooded inside one cell. However, as we are considering a data collection process that aims at getting all sensed data in the network, it is reasonable to argue that this single query will affect each of the data sources, thus will be propagated by all sensor nodes in the network. Therefore, we have,

$E_{query} = M\,N\,bcast$ (4)

where bcast is the number of such query broadcasts. In the grid construction phase every data source in the network propagates a descriptive message about its data to the whole network, so that certain nodes will become anchors for a particular data source. Since every node is a potential data source, the energy cost for this procedure is

$E_{grid} = N\,N$ (4)

Adding the energy consumption of different tasks together, we have

$E_{TTDD} = c\sqrt{2N}\,N + M\,N\,bcast + N\,N$ (4)

Comparing (4) and (4), we can see that one of the differences lies in the second term. Since D represents the number of broadcasts a mobile sink makes during the data gathering procedure in SinkTrail, and bcast indicates the number of times a sink initiates a query in TTDD, these two variables can be set as equal. Thereafter, the difference can be ignored here. Another difference is between the routing information exchange cost and grid construction cost. Typically, the number of mobile sinks should be significantly less than total number of sensor nodes, i.e., M<

Figure 4-5. Performance comparison between SODD and SinkTrail: (a) Average routing path length; (b) Total energy consumption; (c) Route length variances: circular sink movement; (d) Route length variances: rectangular sink movement.

Note that SinkTrail-S is not included in this set of comparison. Another set of simulation results will be presented later to investigate the effectiveness of message suppression.

In the SODD approach, whenever a mobile sink moves to a different location, it broadcasts its current position to the whole network. As the message propagates a routing tree is established. Each node reports back its sensed data to parent node and
finally, all data are merged at the root. This SODD approach suffers from losing track of the sink when location update is infrequent. To ensure fair comparison, a broadcast frequency higher than typically required by SinkTrail is used to ensure proper termination of SODD. We use one mobile sink in this set of simulations. The mobile sink moves in a rectangular or circular fashion in both algorithms. We set the data gathering threshold to 98%.

From Fig. 4-5A and Fig. 4-5B we observe that SinkTrail protocol outperforms SODD for every experimental network size. The energy consumption saving is on average 35.06% with a route length reduction of 33.80% for one sink SinkTrail. Fig. 4-5C and Fig. 4-5D show the standard deviation of the route lengths generated by SODD and SinkTrail protocols. As you can see, SinkTrail protocol results in a more even routing path length distribution throughout the network. All these results validate the conclusion that SinkTrail helps a mobile sink to achieve energy efficient data gathering in wireless sensor networks.

Figure 4-6. Performance comparison between SinkTrail protocol and SinkTrail-S protocol: (A) Linear movement; (B) Circular movement.

To demonstrate the effectiveness of message suppression in SinkTrail-S, we simulated SinkTrail-S with circular and linear sink moving patterns and compared the result with the basic SinkTrail protocol. It is worth noting that energy cost for informing neighbors is also counted in implementation. In Fig. 4-6, we observe that, although
SinkTrail-S spends extra costs on state storage and informing message transmission, the method effectively reduces energy consumption in the investigated scenarios.

4.6 Impact Factors of Energy Consumption

4.6.1 Impact of Moving Patterns of a Mobile Sink

Figure 4-7. Mobile sink moving pattern: (a) Angular displacement i at each trail point. (b) Circular moving pattern, i is 360. (c) Random moving pattern, i is greater than 360. (d) Linear moving pattern, i is 0.

Figure 4-8. Impact of mobile sink's moving pattern: (A) Average route length; (B) Energy consumption.

First we examine how the moving pattern of a mobile sink can affect the energy consumption for data collection, as directional change in a mobile sink's movement is unavoidable due to occasional obstacles depicted in Fig. 4-1.

To numerically model the moves conducted by a mobile sink, we trace the moving trail of a mobile sink on a plane and measure the directional change at each trail point. Specifically, suppose at some time the mobile sink arrives at trail point i2, we define the angular displacement i as the angular variation of moving directions. Fig. 4-7(a) illustrates an example of recorded angular displacements at multiple trail points. As a result, the accumulative angular displacement of a mobile sink becomes a quantitative metric for the moving pattern. In Fig. 4-7(b-d) we depict three representative moving patterns performed by a mobile sink.

In simulation, we distributed sensor nodes in a grid topology. The network size varied from 6×6 sensor nodes to 26×26 (with step size 1). An empirical radio signal strength trace is loaded for each simulated sensor node. The radio sensitivity parameter is adjusted so that each node has about 5 to 12 neighbors, which is in accordance with realistic situations. We also designate to be 20 times of in the simulation [92]. The performance of SinkTrail is inspected in terms of average route length and overall energy consumption.

Three moving patterns including circular, random, and linear moves are compared. The results are shown in Fig. 4-8A and Fig. 4-8B. From these two figures we observe that both the average route length and energy consumption increase as the network size grows. For the three moving patterns, linear movement incurs the least energy consumption and the shortest average route length. As to the circular movement case, the mobile sink changes its direction regularly and smoothly, leading to performance close to the linear movement case. Finally, for the random move case, the results vary in a wide range that is indicated by the dashed bars bounding the average values. This is because it is more difficult to track and predict the behavior of a randomly moving mobile sink. Therefore, SinkTrail's overall performance may suffer greatly when the directional change is radical at some trail point. Although SinkTrail does not place any moving restriction in general, changing
directions strategically in a smooth and regular manner is more beneficial than radical and unpredictable moving in SinkTrail.

4.6.2 Impact of Number of Mobile Sinks

Figure 4-9. Impact of the number of mobile sinks: (A) Average route length; (B) Energy consumption.

We are interested in finding out how the number of mobile sinks affects the overall system performance. In the scenario with multiple mobile sinks, several logical coordinate spaces are constructed concurrently and data packets are forwarded to the destination reference via the shortest path in any coordinate space. It is natural to think that increasing the number of mobile sinks reduces the average route length and thus reduces the total energy consumption. Nonetheless, more mobile sinks also impose heavier burdens for trail message broadcasting and routing information maintenance. Even worse, multiple number of mobile sinks in a network aggravate control traffic congestion and communication delays, which will in turn result in higher packet loss and retransmission rate.

To acquire visualized results on the impact, we simulate the multiple mobile sinks scenario using the aforementioned simulation setup. The number of mobile sinks used is up to 3 and they are injected into the network at the same time. For fair comparison all the mobile sinks moved randomly via different routes, and
broadcasted at the same frequency. We averaged the results of 20 simulation runs and the results are exhibited in Fig. 4-9A and Fig. 4-9B. The trends shown in the figures confirm our analysis. The average route length is reduced by 46.54% and 53.70% for 2 and 3 sinks respectively; while for the total energy cost, using more mobile sinks increases trail messages and routing table costs, thereby yielding 17.6% and 33.06% energy consumption increment for 2 and 3 sinks respectively. Overall, defining route length reduction over extra energy cost as performance price ratio, we have 2.64 for 2 sinks and 1.62 for 3 sinks scenario. According to this, we conclude that adding multiple sinks is more suitable for applications with tight data gathering deadlines.

4.6.3 Impact of Broadcasting Frequency

The impact of sink broadcast frequency is two-sided. If the mobile sink broadcasts its trail messages more frequently, sensor nodes will get more up-to-date trail references, which is helpful for locating the mobile sink. On the other hand, frequent trail message broadcast results in heavier transmission overheads. Suppose the time duration between two consecutive message broadcasting is t, we derive a general range of t to guide the proper implementation of SinkTrail and SinkTrail-S. Assume the trail message is transmitted instantaneously, then t is determined by mobile sink's traveling time $t_m$ between two consecutive trailing points and sojourn time $t_s$ at each trail point:

$t = t_m + t_s$ (4)

Given the average mobile sink moving speed , we first formulate the lower bound for t. Note that it is useless for the mobile sink to broadcast multiple times before it moves out of a sensor node's radio range, as all these broadcast messages will have the same hop counts. Hence the first restriction is that two trail points should be separated by a distance longer than sensor node's average radio range , we have:

$t_m >$ (4)

Combining (4) and (4) makes $t > \; + t_s$. In addition, for each transmission, the time duration should be long enough for a trail message to permeate the whole network, let this permeation time be $\varphi$, the lower bound of t is $\max\{\; + t_s, \varphi\}$. On the other hand, the upper bound of t is application specific. If the data gathering process is expected to finish in total time , then during this time, the mobile sink should have at least traversed all the $d_v$ trail points. Therefore we have t

broadcasts. We can see that shorter broadcast interval, i.e., more frequent control message broadcasting, does benefit the average route length, as trail references are refreshed in a timely fashion. However higher update frequency propagates more messages, thereby incurring more energy consumption, especially for large network size. It is important to find a tradeoff point balancing different requirements when it comes to real application implementation.

Based on the conceptual sensitivity analysis in this section, choices of these parameter settings depend on specific application scenarios and user requirements. The analysis here can be used as a guideline for real system design, and can also be used as performance metrics for comparison study with other schemes.

4.7 Chapter Summary

We presented the SinkTrail and its improved version, SinkTrail-S protocol, two low-complexity, proactive data reporting protocols for privacy preserving and energy-efficient data gathering. SinkTrail uses logical coordinates for location privacy protection and to establish data reporting routes. In addition, SinkTrail is capable of accommodating multiple mobile sinks simultaneously through multiple logical coordinate spaces. It possesses desired features of geographical routing without requiring GPS devices or extra landmarks installed. SinkTrail is capable of adapting to various sensor field shapes and different moving patterns of mobile sinks. We systematically analyzed energy consumptions of SinkTrail and other representative approaches and validated our analysis through extensive simulations. The results demonstrate that SinkTrail finds short data reporting routes and effectively reduces energy consumption. The impact of various design parameters used in SinkTrail and SinkTrail-S is investigated to provide guidance for implementation.
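The logical-coordinate routing summarized in this chapter and in Section 4.5.1, as an added Python sketch that is not code from the dissertation: each node keeps only hop counts learned from the sink's trail messages and forwards to the neighbor that looks closest to the sink. The 5×5 grid, `DV = 3`, the newest-first comparison in `next_hop`, and every function name are assumptions of this sketch; Algorithm 10 and the protocol's exact distance function do not appear in this section.

```python
"""Hop-count logical coordinates and greedy next-hop choice (illustrative sketch)."""
from collections import deque

DV = 3  # trail points remembered per node (the text's d_v); the value 3 is assumed


class Node:
    """State a sensor node keeps: an id and hop counts, never a position."""

    def __init__(self, nid):
        self.nid = nid
        self.trail_ref = []   # hop counts to the last DV trail points, newest last
        self.last_seq = -1    # highest trail-message sequence number seen

    def on_trail_message(self, seq, hops):
        """Record a trail message; return True if it is new and must be rebroadcast."""
        if seq <= self.last_seq:      # duplicate copy of a flood already handled
            return False
        self.last_seq = seq
        self.trail_ref = (self.trail_ref + [hops])[-DV:]
        return True


def build_grid(side):
    """Simulator-only topology: node ids and radio links of a side x side grid."""
    adj = {}
    for r in range(side):
        for c in range(side):
            cells = ((r - 1, c), (r + 1, c), (r, c - 1), (r, c + 1))
            adj[r * side + c] = [rr * side + cc for rr, cc in cells
                                 if 0 <= rr < side and 0 <= cc < side]
    return {nid: Node(nid) for nid in adj}, adj


def broadcast_trail(nodes, adj, heard_by, seq):
    """Flood one trail message; `heard_by` are the nodes in the sink's radio range."""
    queue = deque((nid, 1) for nid in heard_by)
    while queue:
        nid, hops = queue.popleft()
        if nodes[nid].on_trail_message(seq, hops):
            queue.extend((nb, hops + 1) for nb in adj[nid])


def next_hop(nodes, adj, nid):
    """Neighbour whose trail reference is closest to the sink.

    Assumed metric: compare hop counts newest first, so the latest trail point
    dominates and older ones only break ties (node id breaks any remaining tie).
    """
    return min(adj[nid], key=lambda nb: (nodes[nb].trail_ref[::-1], nb))


def route(nodes, adj, src):
    """Forward greedily until a node that heard the sink directly (hop count 1).

    Assumes every node has already received at least one trail message.
    """
    path = [src]
    while nodes[path[-1]].trail_ref[-1] > 1:
        path.append(next_hop(nodes, adj, path[-1]))
    return path


def observe_next_hops(side, trail_cells, watched):
    """Next hop chosen by `watched` after each sink broadcast (one node's view)."""
    nodes, adj = build_grid(side)
    seen = []
    for seq, (r, c) in enumerate(trail_cells):
        broadcast_trail(nodes, adj, [r * side + c], seq)
        seen.append(next_hop(nodes, adj, watched))
    return nodes, adj, seen


if __name__ == "__main__":
    # Constructed scenario: 5 x 5 grid, sink stops next to nodes 2, 14 and 22.
    nodes, adj, seen = observe_next_hops(5, [(0, 2), (2, 4), (4, 2)], watched=12)
    print("node 12 trail reference:", nodes[12].trail_ref)
    print("node 12 next hops over time:", seen)
    print("route from node 0:", route(nodes, adj, 0))
```

In this constructed run node 12's own trail reference is identical after every broadcast while its chosen next hop changes each time, which is the next-hop churn Section 4.5.1 relies on.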

CHAPTER 5
CONCLUSION AND FUTURE DIRECTIONS

5.1 Dissertation Summary

With the increased popularity of mobile devices, more and more applications on the mobile platform rely on the contextual information of a user to provide high quality and customized services. In this dissertation, we have presented several privacy preserving techniques that are specifically designed for such applications in mobile network environment.

In order to achieve privacy protection while incurring minimal cost to users, we first assumed that a trusted central authority is available. Based on this assumption, we leveraged the concept of mix zone, and studied the problem of optimally deploying multiple mix zones to achieve better privacy protection for mobile users. To formally investigate this problem, we modeled the area covered by location-based services as a graph, where all vertices (POIs) are considered as candidates for mix zone deployment. We defined a new privacy metric that quantifies the degree of privacy by measuring the number of pairwise location associations in an area. To achieve maximum privacy preservation, we formulated the optimization problem with the objective of maximizing the overall discontinuity of all possible trajectories on the road network and subject to deployment cost, traffic density, and differentiated privacy priority constraints. For each road segment and intersection, the traffic density effect in terms of entropy is also taken into account. We designed three heuristic algorithms corresponding to different traffic scenarios and privacy preservation levels as practical and efficient solutions to the NP-hard optimization problem. Simulation results based on real-world mobility trace demonstrated that our approach effectively reduced the privacy risks of the mobile users.

Since a trusted central authority might not be always available, we pursued a distributed approach. Instead of relying on a central authority to help mobile users
change their pseudonyms, we let the users generate dummy users according to their own privacy requirements. These generated dummy users can help achieve location anonymization and obfuscation. Since dummy user generation is costly to a resource-constrained mobile device, we formulated a game-theoretic model to study the behaviors of mobile users. We further identified the equilibrium states of our model. Our novel game-theoretical model is suitable for user-centric fine-grained privacy preserving approach in mobile networks. These results are expected to serve as guidelines for designing incentive mechanisms and strategy optimization algorithms for mobile users.

Finally, we investigated the problem of privacy protection during information retrieval from deployed wireless sensor networks. As for a large-scale sensor network, the problem of privacy protection includes the protection of the correlation between data and the corresponding geographic region, as well as the protection of the location privacy of mobile users that act as data sinks to the sensor network. We proposed an energy efficient, mobile sink based data collection protocol that utilized the logical coordinates of both sink and sensor nodes, instead of real location information. Our proposed protocol possesses both the desirable features of geographic greedy routing, and location protection. Simulation results showed that our protocol has satisfactory performances.

5.2 Future Directions

With the fast advances of new technologies, sharing of personal information becomes increasingly simplified. The results of the techniques studied in this dissertation, with both their limitations and their promises, indicate that it is possible to design effective communication protocols and algorithms that can help users protect their privacy. However, there are many research directions waiting to be explored:

• Since new applications for mobile devices are emerging at fast pace, new types of threat will appear. As a result, the types of information that are available to the adversarial application will change. Hence, it would be necessary to extend the inference attack model to incorporate spatial/temporal correlations of other types
of information. In particular, analytical models that accurately capture the strategy of an adversary and their cost would be very helpful in devising new privacy protection techniques.

• We discussed how privacy threats depend on the context of mobile devices and the information shared by mobile devices. In order to take this into account in the design of privacy-preserving mechanisms, we used tools from other disciplines to better model different contexts. Our results show that such an approach can positively affect the design of privacy protocols. This is still a relatively untouched, yet burgeoning area of research that could be further explored.

• With the massive deployment of mobile sensing devices, huge amounts of heterogeneous data are generated at unprecedented scale and complexity. In order to analyze, visualize, and extract intelligent information from these data, a robust and scalable communication infrastructure and sufficient computation power are essential requirements. Therefore, I would like to focus on wired and wireless network traffic scheduling and optimization, and also investigate the problem of utilizing the cloud as computational brain to build up intelligent and responsive mobile distributed systems.

REFERENCES

[1] F. B. Abdesslem, T. Henderson, and I. Parris. CRAWDAD data set st_andrews/locshare (v. 2011-10-12). Downloaded from http://crawdad.cs.dartmouth.edu/st_andrews/locshare, Oct 2011.
[2] Strategy Analytics. The $10 Billion Rule: Location, Location, Location. http://www.strategyanalytics.com, 2011.
[3] C. Ardagna, M. Cremonini, E. Damiani, S. De Capitani di Vimercati, and P. Samarati. Location privacy protection through obfuscation-based techniques. Data and Applications Security XXI, pages 47, 2007.
[4] A. Arulselvan, C. W. Commander, L. Elefteriadou, and P. M. Pardalos. Detecting critical nodes in sparse graphs. Computers & Operations Research, 36(7):2193, 2009.
[5] Bhuvan Bamba, Ling Liu, Peter Pesti, and Ting Wang. Supporting anonymous location queries in mobile environments with privacygrid. In Proc. of the 17th international conference on World Wide Web (WWW), pages 237. ACM, 2008.
[6] L. Barkhuus and A. Dey. Location-based services for mobile telephony: a study of users' privacy concerns. In Proc. of the 9th IFIP TC13 International Conference on Human-Computer interaction (INTERACT), 2003.
[7] A. R. Beresford and F. Stajano. Location privacy in pervasive computing. IEEE Pervasive Computing, 2(1):46, 2003.
[8] A. R. Beresford and F. Stajano. Mix zones: User privacy in location-aware services. In Proc. of the 2nd IEEE Annual Conference on Pervasive Computing and Communications Workshops (PERCOMW), pages 127, 2004.
[9] C. Bettini, X. Wang, and S. Jajodia. Protecting privacy against location-based personal identification. Secure Data Management, 2005.
[10] R. Cheng, Y. Zhang, E. Bertino, and S. Prabhakar. Preserving user location privacy in mobile data management infrastructures. In Proc. of the 6th Workshop on Privacy Enhancing Technologies (PETs), pages 393, 2006.
[11] C. H. Chou, K. F. Ssu, H. C. Jiau, W. T. Wang, and C. Wang. A dead-end free topology maintenance protocol for geographic forwarding in wireless sensor networks. IEEE Transactions on Computers, 2010.
[12] Chi-Yin Chow, Mohamed F. Mokbel, and Xuan Liu. A peer-to-peer spatial cloaking algorithm for anonymous location-based service. In Proc. of GIS, 2006.
[13] D. A. Coffin, D. J. Van Hook, S. M. McGarry, and S. R. Kolek. Declarative ad-hoc sensor networking. In Proc. of SPIE, volume 4126, page 109, 2000.
[14] T. H. Cormen. Introduction to algorithms. The MIT press, 2001.
[15] Morten Dahl, Stephanie Delaune, and Graham Steel. Formal analysis of privacy for vehicular mix-zones. In Proc. of the 15th European conference on Research in computer security (ESORICS), pages 55, 2010.
[16] M. Demirbas, O. Soysal, and A. Tosun. Data salmon: A greedy mobile basestation protocol for efficient data collection in wireless sensor networks. Distributed Computing in Sensor Systems, pages 267, 2007.
[17] Jing Deng, Richard Han, and Shivakant Mishra. Enhancing base station security in wireless sensor networks. Department of Computer Science, University of Colorado, Tech. Report CU-CS-951-03, 2003.
[18] Jing Deng, Richard Han, and Shivakant Mishra. Decorrelating wireless sensor network traffic to inhibit traffic analysis attacks. Pervasive and Mobile Computing, 2(2):159, 2006.
[19] M. Duckham and L. Kulik. A formal model of obfuscation and negotiation for location privacy. IEEE Pervasive Computing, 2005.
[20] C. Farkas and S. Jajodia. The inference problem: a survey. ACM SIGKDD Explorations Newsletter, 4(2):6, 2002.
[21] Kristof Fodor and Attila Vidacs. Efficient routing to mobile sinks in wireless sensor networks. In Proc. of the International Conference on Wireless Internet (WICON), pages 1, 2007.
[22] R. Fonseca, S. Ratnasamy, J. Zhao, C. T. Ee, D. Culler, S. Shenker, and I. Stoica. Beacon vector routing: Scalable point-to-point routing in wireless sensornets. In Proc. of NSDI, pages 329, 2005.
[23] J. Freudiger, M. H. Manshaei, J. P. Hubaux, and D. C. Parkes. On non-cooperative location privacy: a game-theoretic analysis. In Proc. of the ACM Conference on Computer and Communications Security (CCS), 2009.
[24] J. Freudiger, M. Raya, M. Felegyhazi, P. Papadimitratos, and J. P. Hubaux. Mix-zones for location privacy in vehicular networks. In Proc. of the 1st International Workshop on Wireless Networking for Intelligent Transportation Systems (WiN-ITS), 2007.
[25] J. Freudiger, R. Shokri, and J. P. Hubaux. On the optimal placement of mix zones. In Proc. of the 9th International Symposium on Privacy Enhancing Technologies (PETS), pages 216, 2009.
[26] B. Gedik and L. Liu. Location privacy in mobile systems: A personalized anonymization model. In Proc. of the International Conference on Distributed Computing Systems (ICDCS), pages 620, 2005.
[27] Gabriel Ghinita, Panos Kalnis, Ali Khoshgozaran, Cyrus Shahabi, and Kian-Lee Tan. Private queries in location based services: anonymizers are not necessary. In Proc. of the 2008 ACM SIGMOD international conference on Management of data, pages 121. ACM, 2008.
[28] G. Gianini and E. Damiani. Cloaking games in location based services. In Proc. of the ACM workshop on Secure Web Services, 2008.
[29] G. Gianini and E. Damiani. A game-theoretical approach to data-privacy protection from context-based inference attacks: A location-privacy protection case study. Secure Data Management, 2008.
[30] GO-Gulf.com. Smartphone users around the world: Statistics and facts. http://www.go-gulf.com/blog/smartphone/, 2011.
[31] M. Gruteser and D. Grunwald. Anonymous usage of location-based services through spatial and temporal cloaking. In Proc. of the International Conference on Mobile Systems, Applications and Services (MobiSys), pages 31, 2003.
[32] J. C. Harsanyi. Games with incomplete information played by bayesian players, i-iii. Management Science, pages 159, 1967.
[33] Baik Hoh and M. Gruteser. Protecting location privacy through path confusion. In Proc. of SecureComm, 2005.
[34] L. Huang, H. Yamane, K. Matsuura, and K. Sezaki. Silent cascade: Enhancing location privacy without communication qos degradation. In Proc. of the International Conference on Security in Pervasive Computing (SPC), pages 165, 2006.
[35] Q. Huang, C. Lu, and G. C. Roman. Spatiotemporal multicast in sensor networks. In Proc. of the ACM International Conference on Embedded Networked Sensor Systems (SenSys), page 217. ACM, 2003.
[36] IBM. IBM ILOG CPLEX optimizer [online]. Available: http://www-01.ibm.com/software/integration/optimization/cplex-optimizer/, 2012.
[37] C. Intanagonwiwat, R. Govindan, and D. Estrin. Directed diffusion: A scalable and robust communication paradigm for sensor networks. In Proc. of the International Conference on Mobile Computing and Networking (MobiCom), pages 56. ACM, 2000.
[38] Ying Jian, Shigang Chen, Zhan Zhang, and Liang Zhang. Protecting receiver-location privacy in wireless sensor networks. In Proc. of the IEEE International Conference on Computer Communications (INFOCOM), pages 1955. IEEE, 2007.
[39] Pandurang Kamat, Yanyong Zhang, Wade Trappe, and Celal Ozturk. Enhancing source-location privacy in sensor network routing. In Proc. of 25th IEEE International Conference on Distributed Computing Systems (ICDCS), pages 599. IEEE, 2005.
[40] R. Karimi Adl, M. Askari, K. Barker, and R. Safavi-Naini. Privacy consensus in anonymization systems via game theory. Data and Applications Security and Privacy XXVI, pages 74, 2012.
[41] Chris Karlof, Naveen Sastry, and David Wagner. Tinysec: a link layer security architecture for wireless sensor networks. In Proceedings of the 2nd international conference on Embedded networked sensor systems, pages 162. ACM, 2004.
[42] Chris Karlof and David Wagner. Secure routing in wireless sensor networks: Attacks and countermeasures. Ad hoc networks, 1(2):293, 2003.
[43] M. Keally, G. Zhou, and G. Xing. Sidewinder: A predictive data forwarding protocol for mobile wireless sensor networks. In Proc. of the Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON), pages 1, June 2009.
[44] H. Kido, Y. Yanagisawa, and T. Satoh. An anonymous communication technique using dummies for location-based services. In Proc. of the International Conference on Pervasive Services (ICPS), 2005.
[45] D. Kotz, T. Henderson, and I. Abyzov. CRAWDAD data set dartmouth/campus (v. 2004-12-18). Downloaded from http://www.crawdad.org/dartmouth/campus, 2004.
[46] J. Krumm. Inference attacks on location tracks. IEEE Pervasive Computing, pages 127, 2007.
[47] J. Krumm. A survey of computational location privacy. Personal Ubiquitous Computing, 2009.
[48] B. Lee, J. Oh, H. Yu, and J. Kim. Protecting location privacy using location semantics. In Proc. of the 17th ACM International Conference on Knowledge Discovery and Data Mining (SIGKDD), pages 1289. ACM, 2011.
[49] P. Levis, N. Lee, M. Welsh, and D. Culler. Tossim: accurate and scalable simulation of entire tinyos applications. In Proc. of the 1st ACM Conference on Embedded Networked Sensor Systems (SenSys), pages 126, 2003.
[50] M. Li, K. Sampigethaya, L. Huang, and R. Poovendran. Swing & swap: user-centric approaches towards maximizing location privacy. In Proc. of the ACM Workshop on Privacy in Electronic Society, 2006.
[51] Z. Li, N. Wang, A. Franzen, P. Taher, C. Godsey, H. Zhang, and X. Li. Practical deployment of an in-field soil property wireless sensor network. Computer Standards & Interfaces, 2011.
[52] B. H. Liu, W. C. Ke, C. H. Tsai, and M. J. Tsai. Constructing a message-pruning tree with minimum cost for tracking moving objects in wireless sensor networks is np-complete and an enhanced data aggregation structure. IEEE Transactions on Computers, pages 849, 2008.
[53] X. Liu and X. Li. Privacy preserving techniques for location based services in mobile networks. In Proc. of the IEEE International Symposium on Parallel and Distributed Processing (IPDPS) PhD Forum, May 2012.
[54] X. Liu, K. Liu, L. Guo, X. Li, and Y. Fang. A game-theoretic approach for achieving k-anonymity in location based services. In Proc. of the IEEE International Conference on Computer Communications (INFOCOM). IEEE, 2013.
[55] X. Liu, H. Zhao, M. Pan, H. Yue, X. Li, and Y. Fang. Traffic-aware multiple mix zone placement for protecting location privacy. In Proc. of the IEEE International Conference on Computer Communications (INFOCOM). IEEE, 2012.
[56] X. Liu, H. Zhao, X. Yang, and X. Li. Sinktrail: A proactive data reporting protocol for wireless sensor networks. IEEE Transactions on Computers, 62(99):151, Jan. 2013.
[57] X. Liu, H. Zhao, X. Yang, X. Li, and N. Wang. Trailing mobile sinks: A proactive data reporting protocol for wireless sensor networks. In Proc. of IEEE International Conference on Mobile Adhoc and Sensor Systems (MASS), pages 214, Nov. 2010.
[58] Hua Lu, Christian S. Jensen, and Man Lung Yiu. Pad: privacy-area aware, dummy-based location privacy in mobile services. In Proc. of MobiDE, 2008.
[59] J. Luo and J. P. Hubaux. Joint mobility and routing for lifetime elongation in wireless sensor networks. In Proc. of the IEEE International Conference on Computer Communications (INFOCOM), volume 3, 2005.
[60] Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip, and Nageswara S. V. Rao. Privacy vulnerability of published anonymous mobility traces. In Proc. of the International Conference on Mobile Computing and Networking (MobiCom), 2010.
[61] M. Ma and Y. Yang. Data gathering in wireless sensor networks with mobile collectors. In Proc. of the IEEE International Symposium on Parallel and Distributed Processing (IPDPS), pages 1, April 2008.
[62] A. Mainwaring, D. Culler, J. Polastre, R. Szewczyk, and J. Anderson. Wireless sensor networks for habitat monitoring. In Proc. of the ACM International Workshop
on Wireless Sensor Networks and Applications (WSNA), pages 88, New York, NY, USA, 2002. ACM.
[63] Kiran Mehta, Donggang Liu, and Matthew Wright. Location privacy in sensor networks against a global eavesdropper. In Network Protocols, 2007. ICNP 2007. IEEE International Conference on, pages 314. IEEE, 2007.
[64] Kiran Mehta, Donggang Liu, and Matthew Wright. Protecting location privacy in sensor networks against a global eavesdropper. Mobile Computing, IEEE Transactions on, 11(2):320, 2012.
[65] Mohamed F. Mokbel, Chi-Yin Chow, and Walid G. Aref. The new casper: query processing for location services without compromising privacy. In Proc. of the 32nd International Conference on Very Large Data Bases (VLDB), pages 763. VLDB Endowment, 2006.
[66] T. Moscibroda, R. O'Dell, M. Wattenhofer, and R. Wattenhofer. Virtual coordinates for ad hoc and sensor networks. In Proc. of the Joint Workshop on Foundations of Mobile Computing (DIALM-POMC), pages 8, New York, NY, USA, 2004. ACM.
[67] M. J. Osborne. An introduction to game theory. New York, 2004.
[68] Yi Ouyang, Zhengyi Le, Guanling Chen, James Ford, and Fillia Makedon. Entrapping adversaries for source protection in sensor networks. In Proc. of the 2006 International Symposium on World of Wireless, Mobile and Multimedia Networks, pages 23. IEEE Computer Society, 2006.
[69] Celal Ozturk, Yanyong Zhang, and Wade Trappe. Source-location privacy in energy-constrained sensor network routing. In Workshop on Security of ad hoc and Sensor Networks: Proceedings of the 2nd ACM workshop on Security of ad hoc and sensor networks, volume 25, pages 88, 2004.
[70] B. Palanisamy and L. Liu. MobiMix: Protecting Location Privacy with Mix-zones over Road Networks. In Proc. of the International Conference on Data Engineering (ICDE), pages 494, 2011.
[71] T. Park, D. Kim, S. Jang, S. Yoo, and Y. Lee. Energy efficient and seamless data collection with mobile sinks in massive sensor networks. In Proc. of the IEEE International Symposium on Parallel and Distributed Processing (IPDPS), pages 1, May 2009.
[72] The R Project. R software. http://www.r-project.org/, 2012.
[73] A. Rao, S. Ratnasamy, C. Papadimitriou, S. Shenker, and I. Stoica. Geographic routing without location information. In Proc. of the Annual International Conference on Mobile Computing and Networking (MobiCom), pages 96. ACM New York, NY, USA, 2003.
[74] Walker Sands. Quarterly Mobile Traffic Report. http://www.walkersands.com/quarterlymobiletraffic, 2013.
[75] T Scott Saponas, Jonathan Lester, Carl Hartung, Sameer Agarwal, Tadayoshi Kohno, et al. Devices that tell on you: Privacy trends in consumer ubiquitous computing. In Usenix Security, volume 3, page 3, 2007.
[76] J. H. Schiller and A. Voisard. Location-based services. Morgan Kaufmann, 2004.
[77] D. Shah and S. Shakkottai. Oblivious routing with mobile fusion centers over a sensor network. In Proc. of the IEEE International Conference on Computer Communications (INFOCOM), pages 1541, 2007.
[78] H. Shin, J. Vaidya, V. Atluri, and S. Choi. Ensuring privacy and security for LBS through trajectory partitioning. In Proc. of the International Conference on Mobile Data Management (MDM), pages 224. IEEE, 2010.
[79] R. Shokri, G. Theodorakopoulos, C. Troncoso, J. P. Hubaux, and J. Y. Le Boudec. Protecting location privacy: Optimal strategy against localization attacks. In Proc. of the ACM Conference on Computer and Communications Security (CCS), 2012.
[80] R. Shokri, C. Troncoso, C. Diaz, J. Freudiger, and J. P. Hubaux. Unraveling an old cloak: k-anonymity for location privacy. In Proc. of the 9th Annual ACM Workshop on Privacy in the Electronic Society, pages 115. ACM, 2010.
[81] Daniel J Solove. A taxonomy of privacy. University of Pennsylvania Law Review, pages 477, 2006.
[82] A. A. Somasundara, A. Ramamoorthy, and M. B. Srivastava. Mobile element scheduling for efficient data collection in wireless sensor networks with dynamic deadlines. In Proc. of the 25th IEEE International Real-Time Systems Symposium (RTSS), pages 296, Washington, DC, USA, 2004. IEEE Computer Society.
[83] O. Soysal and M. Demirbas. Data Spider: A Resilient Mobile Basestation Protocol for Efficient Data Collection in Wireless Sensor Networks. In Proc. of the International Conference on Distributed Computing in Sensor Systems (DCOSS), Santa Barbara, California, USA, 2010.
[84] Vijay Srinivasan, John Stankovic, and Kamin Whitehouse. Protecting your daily in-home activity information from a wireless snooping attack. In Proceedings of the 10th international conference on Ubiquitous computing, pages 202. ACM, 2008.
[85] L. Sweeney. k-anonymity: a model for protecting privacy. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10, 2002.
[86] M. Terrovitis and N. Mamoulis. Privacy preservation in the publication of trajectories. In Proc. of the International Conference on Mobile Data Management (MDM), pages 65, 2008.
[87] M. T. Tran, I. Echizen, and A. D. Duong. Binomial-mix-based location anonymizer system with global dummy generation to preserve user location privacy in location-based services. In Proc. of ARES, 2010.
[88] T. Wang and L. Liu. Privacy-aware mobile services over road networks. Proc. of the VLDB Endowment, 2(1):1042, 2009.
[89] Yi Yang, Min Shao, Sencun Zhu, Bhuvan Urgaonkar, and Guohong Cao. Towards event source unobservability with minimum network traffic in sensor networks. In Proc. of the ACM Conference on Wireless Network Security (WiSec). Citeseer, 2008.
[90] F. Ye, G. Zhong, S. Lu, and L. Zhang. Gradient broadcast: A robust data delivery protocol for large scale sensor networks. Wireless Networks, 11(3):285, 2005.
[91] Fan Ye, Haiyun Luo, Jerry Cheng, Songwu Lu, and Lixia Zhang. A two-tier data dissemination model for large-scale wireless sensor networks. In Proc. of the Annual International Conference on Mobile Computing and Networking (MobiCom), pages 148, New York, NY, USA, 2002. ACM.
[92] M. Younis, M. Youssef, and K. Arisha. Energy-aware routing in cluster-based sensor networks. In Proc. of the 10th IEEE International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunications Systems (MASCOTS), pages 129, 2002.
[93] L. Yu, N. Wang, and X. Meng. Real-time forest fire detection with wireless sensor networks. In Proc. of the International Conference on Wireless Communications, Networking and Mobile Computing (IWCMC), volume 2, pages 1214. IEEE, 2005.
[94] M. Zhao, M. Ma, and Y. Yang. Mobile data gathering with space-division multiple access in wireless sensor networks. In Proc. of the IEEE International Conference on Computer Communications (INFOCOM), pages 1283, April 2008.
[95] M. Zhao, M. Ma, and Y. Yang. Efficient data gathering with mobile collectors and space-division multiple access technique in wireless sensor networks. IEEE Transactions on Computers, 2010.
[96] M. Zhao and Y. Yang. Bounded relay hop mobile data gathering in wireless sensor networks. IEEE Transactions on Computers, 2010.

BIOGRAPHICAL SKETCH

Xinxin Liu was born in 1983 in Anyang, Henan Province, China. She grew up in Anyang and attended Henan Experimental Middle School in Zhengzhou. Following high school, Xinxin enrolled in the Software College of Jilin University (JLU), Changchun, China, in Fall 2002. Xinxin received her B.E. degree in Software Engineering from JLU in summer 2006. In summer 2010, Xinxin earned her M.S. degree in Computer Science from Oklahoma State University. Xinxin enrolled in Department of Computer & Information Science & Engineering in University of Florida in Fall 2010, and received her Ph.D. in Computer Engineering in May 2013. Her research interests include security and privacy in wireless sensor networks, cyber-physical systems, and mobile social networks. Xinxin is a student member of ACM and IEEE.