Many sensor network applications require sensors ’ locations to function correctly. Despite the recent advances, location discovery for sensor networks in hostile environments has been mostly overlooked. Most of the existing localization protocols for sensor networks are vulnerable in hostile environments. The security of location discovery can certainly be enhanced by authentication. However, the possible node compromises and the fact that location determination uses certain physical features (e.g., received signal strength) of radio signals make authentication not as effective as in traditional security applications. This paper presents two methods to tolerate malicious attacks against beacon-based location discovery in sensor networks. The first method filters out malicious beacon signals on the basis of the “consistency ” among multiple beacon signals, while the second method tolerates malicious beacon signals by adopting an iteratively refined voting scheme. Both methods can survive malicious attacks even if the attacks bypass authentication, provided that the benign beacon signals constitute the majority of the beacon signals. This paper also presents the implementation of these techniques on MICA2 motes running TinyOS, and the evaluation through both simulation and field experiments. The experimental results demonstrate that the proposed methods are promising for the current generation of sensor networks. Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General—Security and protection;

Motivated by a probe-vehicle based automotive traffic monitoring system, this paper considers the problem of guaranteed anonymity in a dataset of location traces while maintaining high data accuracy. We find through analysis of a set of GPS traces from 233 vehicles that known privacy algorithms cannot meet accuracy requirements or fail to provide privacy guarantees for drivers in low-density areas. To overcome these challenges, we develop a novel time-toconfusion criterion to characterize privacy in a location dataset and propose an uncertainty-aware path cloaking algorithm that hides location samples in a dataset to provide a time-to-confusion guarantee for all vehicles. We show that this approach effectively guarantees worst case tracking bounds, while achieving significant data accuracy improvements.

Abstract — While many protocols for sensor network security provide confidentiality for the content of messages, contextual information usually remains exposed. Such information can be critical to the mission of the sensor network, such as the location of a target object in a monitoring application, and it is often important to protect this information as well as message content. There have been several recent studies on providing location privacy in sensor networks. However, these existing approaches assume a weak adversary model where the adversary sees only local network traffic. We first argue that a strong adversary model, the global eavesdropper, is often realistic in practice and can defeat existing techniques. We then formalize the location privacy issues under this strong adversary model and show how much communication overhead is needed for achieving a given level of privacy. We also propose two techniques that prevent the leakage of location information: periodic collection and source simulation. Periodic collection provides a high level of location privacy, while source simulation provides trade-offs between privacy, communication cost, and latency. Through analysis and simulation, we demonstrate that the proposed techniques are efficient and effective in protecting location information from the attacker. I.

Abstract—For sensor networks deployed to monitor and report real events, event source anonymity is an attractive and critical security property, which unfortunately is also very difficult and expensive to achieve. This is not only because adversaries may attack against sensor source privacy through traffic analysis, but also because sensor networks are very limited in resources. As such, a practical tradeoff between security and performance is desirable. In this paper, for the first time we propose the notion of statistically strong source anonymity, under a challenging attack model where a global attacker is able to monitor the traffic in the entire network. We propose a scheme called FitProbRate, which realizes statistically strong source anonymity for sensor networks. We also demonstrate the robustness of our scheme under various statistical tests that might be employed by the attacker to detect real events. Our analysis and simulation results show that our scheme, besides providing source anonymity, can significantly reduce real event reporting latency compared to two baseline schemes. Index Terms—security and privacy, source anonymity, statistical test, SPRT, sensor networks I.

Sensors deployed to monitor the surrounding environment report such information as event type, location, and time when a real event of interest is detected. An adversary may identify the real event source through eavesdropping and traffic analysis. Previous work has studied the source location privacy problem under a local adversary model. In this work, we aim to provide a stronger notion: event source unobservability, which promises that a global adversary cannot know whether a real event has ever occurred even if he is capable of collecting and analyzing all the messages in the network at all the time. Clearly, event source unobservability is a desirable and critical security property for event monitoring applications, but unfortunately it is also very difficult and expensive to achieve for resource-constrained sensor networks. Our main idea is to introduce carefully chosen dummy traffic to hide the real event sources in combination with mechanisms to drop dummy messages to prevent explosion of network traffic. To achieve the latter, we select some sensors as proxies that proactively filter dummy messages on their way to the base station. Since the problem of optimal proxy placement is NP-hard, we employ local search heuristics. We propose two schemes (i) Proxy-based Filtering Scheme (PFS) and (ii) Tree-based Filtering Scheme (TFS) to accurately locate proxies. Simulation results show that our schemes not only quickly find nearly optimal proxy placement, but also significantly reduce message overhead and improve message delivery ratio. A prototype of our scheme was implemented for TinyOS-based Mica2 motes.

Abstract-Recent years have seen a large number of proposals affect personal security and mobility. Most recently, we have for anonymity mechanisms operating on the application layer. seen a remarkable upswing of privacy intrusions driven by Given that anonymity is no stronger than its weakest link, attempts to perform identity theft. It is evident that location such proposals are only meaningful if one can offer anonymity information may be used to better target victims of such guarantees on the communication layer as well. ANODR-or ANonymous On Demand Routing- is one of the leading attacks, as well as attacks in the entire spectrum mentioned proposals to deal with this issue. In this paper, we propose a above. To limit the success of such attacks- without having novel technique to address the same problem, but at a lower to re-engineer our entire communication infrastructure- it cost. Our proposal, which we dub Discount-ANODR, is buit is important to develop techniques that implement sufficient around the same set of techniques as ANODR is. Our proposal is im prtantt deveop tehnique stattimlementesuf has the benefit of achieving substantially lower computation and levelsof privac,thoutandingsubstantialschanes of communication complexities at the cost of a slight reduction the network orthe computationalrequirements associatedwith of privacy guarantees. In particular, Discount-ANODR achieves performing routing. source anonymity and routing privacy. A route is "blindly gener- The motivation for this paper is to design a lightweight ated " by the intermediaries on the path between an anonymous

Many sensor network applications require sensors ’ locations to function correctly. Despite the recent advances, location discovery for sensor networks in hostile environments has been mostly overlooked. Most of the existing localization protocols for sensor networks are vulnerable in hostile environments. The security of location discovery can certainly be enhanced by authentication. However, the possible node compromises and the fact that location determination uses certain physical features (e.g., received signal strength) of radio signals make authentication not as effective as in traditional security applications. This paper presents two methods to tolerate malicious attacks against range-based location discovery in sensor networks. The first method filters out malicious beacon signals on the basis of the “consistency ” among multiple beacon signals, while the second method tolerates malicious beacon signals by adopting an iteratively refined voting scheme. Both methods can survive malicious attacks even if the attacks bypass authentication, provided that the benign beacon signals constitute the majority of the beacon signals. This paper also presents the implementation and experimental evaluation (through both field experiments and simulation) of all the secure and resilient location estimation schemes that can be used on the current generation of sensor platforms (e.g., MICA series of motes), including the techniques

Sensor networks are used in a variety of application areas for diverse problems from habitat monitoring to military tracking. Whenever they are used to monitor sensitive objects, the privacy of monitored objects ’ locations becomes an important concern. When a sensor reports a monitored object by sending a series of messages through the sensor network, the route these messages take in theory creates a trail leading back to their source. By eavesdropping on communications, an attacker may be able to move from node to node to follow this trail. Several approaches aimed at discouraging this kind of eavesdropping have been proposed, including mechanisms for constructing “phantom ” routes and approaches that insert fake sources as background noise. A problem with existing approaches is that message latencies become larger and energy costs become higher as a result of introducing protections for the privacy of a source location. This paper proposes a new cyclic entrapment method (CEM) that protects source locations in sensor networks while adding a comparatively low cost in terms of additional message latency and energy.

Abstract not found

Sensor networks may be used in many monitoring applications where the locations of the monitored objects are quite sensitive and need to be protected. Previous research mainly focuses on protecting source location against mote-class attackers who only have a local view of the network traffic. In this paper, we focus on how to protect the source location against laptop-class attackers who have a global view of the network traffic. This paper proposes four schemes— naive, global, greedy, and probabilistic—to deal with laptopclass attacks. The naive solution uses maintenance messages sent periodically to hide real event reports. The global and greedy solutions improve the naive solution by reducing the latency of event delivery without increasing communication overhead. The probabilistic solution further improves the performance by reducing communication overhead without sacrificing location privacy. Experiments show that the probabilistic solution is practical for providing source location privacy against a laptop-class attacker.