Location Privacy Preservation in Collaborative Spectrum Sensing

Shuai Li, Haojin Zhu, Zhaoyu Gao, Xinping Guan, Shanghai Jiao Tong University
Kai Xing, University of Science and Technology of China
and Xuemin (Sherman) Shen, University of Waterloo

Presenter: Haojin Zhu, Associate Professor, Computer Science & Engineering Department, Shanghai Jiao Tong University

Outline
• Background
– Cognitive Radio Networks
– Spectrum Sensing
– Collaborative Spectrum Sensing
• Existing Research on Spectrum Sensing Security
• Location Privacy Leaking Problem
• Privacy Preserving Collaborative Spectrum Sensing
• Experiment Results
• Conclusion

Cognitive Radio
Cognitive Radio: access the spectrum dynamically
Traditional Spectrum Allocation, Primary User (PU): PU uses the spectrum exclusively
Cognitive Radio, Secondary User (SU): SUs can access the idle spectrum
Cognitive Radio is proposed to increase the efficiency of channel utilization under the current static channel allocation policy.

Spectrum Sensing
Spectrum Sensing: In order to identify the idle spectrum, secondary users should sense the spectrum first.
Spectrum 1, Spectrum 2, ..., Spectrum n: Which one is idle?

Collaborative Spectrum Sensing
But spectrum sensing accuracy is often degraded by:
□ Fading
□ Shadowing
□ Receiver Uncertainty
Collaborative Spectrum Sensing is proposed to overcome these challenges.
Step 1: SUs sense the spectrum individually
Step 2: SUs submit the sensing reports to a fusion center
Step 3: Fusion center combines these reports
Collaborative sensing is also facing a series of security threats!

Existing Research in Spectrum Sensing Security
• Attack 1: Primary Emulation Attack (JSAC'08, Oakland S&P'10)
• Attack 2: Sensing Data Falsification Attack (INFOCOM'08, TMC 2011, NDSS 2011)
• Attack 3: Selfishness in Collaborative Sensing (ACM MC2R)
None of the existing works has considered the privacy issues in CR networks before!

Outline
• Background
• The Location Privacy Leaking Problem
• Privacy Preserving Collaborative Spectrum Sensing
– Privacy Preserving Sensing Report Aggregation
– Distributed Dummy Report Injection Protocol
• Experiment Results
• Conclusion

Exploiting Spectrum Sensing Reports for Involuntary Geo-localization: An Attacker Point of View
The Good Side: Exploit spatial diversity for spectrum sensing. Different locations correspond to different sensing reports due to spatial diversity.
A Converse Question: Could we exploit the correlation between CR sensing reports and their physical locations to perform an involuntary geo-localization of an SU?

Attack I: Single Report Location Privacy (SRLP) Attack
Test bed Setup and Experiment Approach:
1. Using USRP to detect the TV radio signal of 13 sampling regions.
2. The attacker uses a classification algorithm to obtain the spectrum characteristics of each region (the cluster centroids).
3. Geo-localize a user by comparing the distances between the sensing data and the various cluster centroids.
Single Report Location Privacy (SRLP) Attack: the adversary tries to compromise the location privacy of a CR user by correlating his sensing report and physical location.

Attack II: Differential Location Privacy Attack in Aggregation Mode
Inspired by the database security concept of differential privacy.
In the context of CR security: Untrusted Fusion Center (Aggregator); secondary users may frequently join or leave the networks.
Even under the presence of a privacy preserving aggregation solution:
Aggregation Result: Aggregation Result: ′ = = + + + + +
We could get − ′ = , then based on SRLP attack, we could infer its location.

Experimental Results for the Attack
Result I: Significant location-dependent fluctuation in the RSS sensing of three Digital TV (DTV) channels.
Result II: The attackers could localize a user within 10-50 meters accuracy with a 90% success rate by choosing a proper parameter.
How to enable collaborative spectrum sensing without location privacy leaking?

Formal Definition on Location Privacy in Collaborative Spectrum Sensing
We define the uncertainty of the adversary, and thus the location privacy level of a node involved in a successful privacy preserving spectrum sensing, by adopting the probability entropy concept as follows:
(Labels on the equation: "that user a is located in the region b"; "Total number of regions")
If the attacker could uniquely identify the location of the user, we can get | = 1 and = 0. Otherwise, the entropy is maximum for a uniform probability distribution | .

Privacy Preserving Collaborative Spectrum Sensing (PPSS)
Privacy Preserving Sensing Report Aggregation Protocol (PPSRA): Conceal each user's sensing reports in aggregation (thwarting the SRLP attack)
Distributed Dummy Report Injection protocol (DDRI): Conceal the user's sensing reports when he leaves or joins the aggregation (thwarting the DLP attack)

Protocol I: PPSRA
Objective: Allowing the aggregator to obtain the aggregation results without knowing the individual sensing report.
E() is a homomorphic encryption such as Paillier or NDSS'11 [1].
Each data is encrypted by multiplying to prevent the aggregator from recovering the individual data.
By letting 1 1 2 2 …… =0 = 0, we obtain = () Aggregation Result = = ( )() ( ) = 0 = . ( ) =0
Decrypt it for the aggregation result.
Phase I: Individual Encryption
Phase II: Multiplying the encrypted data
Phase III: Decryption for the result
=0 =0
[1] E. Shi, T. Chan, E. Rieffel, R. Chow, and D. Song, "Privacy-preserving aggregation of time-series data," in Proc. of NDSS'11, 2011.
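
The three PPSRA phases, written out as an added example (not code from the slides or from the authors). It uses a toy form of the exponent-blinding construction from the cited NDSS'11 paper, in which the user keys and the aggregator key sum to zero; the group parameters, function names and sample reports are constructed assumptions, and the group is far too small for real use.

```python
import hashlib
import secrets

# Constructed toy group (assumption): P = 2Q + 1, G generates the order-Q subgroup.
P, Q, G = 2879, 1439, 4

def hash_to_group(period: str) -> int:
    """Map the sensing-period label to an element of the order-Q subgroup."""
    digest = int.from_bytes(hashlib.sha256(period.encode()).digest(), "big")
    return pow(digest % (P - 1) + 1, 2, P)  # nonzero square, so in the subgroup

def keygen(n_users: int):
    """Return (aggregator_key, user_keys); all keys together sum to 0 mod Q."""
    user_keys = [secrets.randbelow(Q) for _ in range(n_users)]
    return (-sum(user_keys)) % Q, user_keys

def encrypt_report(report: int, key: int, period: str) -> int:
    """Phase I: a user blinds its integer sensing report with its own key."""
    return pow(G, report, P) * pow(hash_to_group(period), key, P) % P

def aggregate(ciphertexts, aggregator_key: int, period: str, max_sum: int) -> int:
    """Phases II and III: multiply the ciphertexts, cancel the keys, recover the sum."""
    value = pow(hash_to_group(period), aggregator_key, P)
    for c in ciphertexts:
        value = value * c % P
    # value == G^(sum of reports); the sum is small, so search for the exponent.
    acc = 1
    for total in range(max_sum + 1):
        if acc == value:
            return total
        acc = acc * G % P
    raise ValueError("sum outside the expected range")

def demo() -> int:
    reports = [37, 42, 58, 61, 49]  # constructed RSS readings, quantised to integers
    agg_key, keys = keygen(len(reports))
    cts = [encrypt_report(r, k, "slot-1") for r, k in zip(reports, keys)]
    # The aggregator sees only cts and agg_key, never an individual report.
    return aggregate(cts, agg_key, "slot-1", max_sum=100 * len(reports))

if __name__ == "__main__":
    print(demo())
```

The keys cancel only when every ciphertext of the period is multiplied in, so the aggregator learns the sum but cannot strip the blinding from a single report. The sum must stay below Q for the exponent search to be unambiguous.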

Protocol II: Distributed Dummy Report Injection protocol (DDRI)
Differential Location Privacy Attack: The traditional differential privacy protection approach needs to add a large noise to the sensing reports, which will seriously degrade the collaborative sensing performance, obviously deviating from the original goal of collaboration.
Our Approach: Using some publicly available sensing data (dummy report) to replace the noise.
LEAVE/JOIN
Broadcast the fusion center's sensing results
Send his own sensing results
Send the center's sensing results
1 i i
Our dummy report based approach will not pollute the aggregation result.
The introduced randomness in the aggregation result can successfully confuse the attacker.
Question 1: How much randomness has been introduced?
Question 2: What is the impact introduced to collaborative sensing (the actual number of the sensing nodes)?
Question 3: What is the impact introduced to collaborative sensing (the weight of the dummy report)?
In general, we will demonstrate that our scheme can generate sufficient randomness to protect the user's differential location privacy. It has limited impact on collaborative sensing performance.

Experimental Results
After executing our PPSS protocol, the entropy rises to a high level. This demonstrates that PPSS can well protect the user's location privacy.
It demonstrates that a small i is enough to protect the user's location privacy. Meanwhile, a small i means little impact on collaborative sensing.
This experiment result further demonstrates the practicality of our PPSS protocol.

Conclusion and Future Work
• We identify and formulate a new security threat in collaborative sensing.
• We introduce PPSS to protect secondary users' location privacy in collaborative sensing.
• We evaluate the effectiveness and efficiency of PPSS by implementation in a real experiment.
• Our future work includes investigating the privacy issues in database-driven CR networks.