Tracking Games in Mobile Networks

GameSec 2010November 22, Berlin

Mathias Humbert, Mohammad Hossein Manshaei, Julien Freudiger and Jean-Pierre Hubaux

EPFL - Laboratory for Computer communications and Applications (LCA1)

P2P Wireless Communications Smartphones equipped with

advanced communication capabilities (WiFi & Bluetooth)

=> enable P2P communication between mobile users

Application examples:

2

Vehicular networks Mobile social networks

Location Privacy Problem

Identifiers of mobile devices unveiled Cryptographic credentials MAC addresses

External eavesdropper can monitor users’ identifiers and track them

3

MessageIdentifi

er

Local Adversary

Countermeasure: Mix Zones

4

AB

DC

E

F

I

J

KGChange identifiers in

regions called mix zones [1]

• Public/private keys used to sign messages

• MAC addresses

2 types of mix zones• Active mix zone

(M): temporal + spatial decorrelations

• Passive mix zone (P):temporal decorrelation [2]

Temporal decorrelation: change identifiers

Spatial decorrelation: remain silent (necessary only if the adversary installed an eavesdropping station at the same place) [1] Beresford, A.R., Stajano, F.: Location privacy in pervasive computing. IEEE

Pervasive Computing (2003)[2] Buttyán, L. et al.: On the effectiveness of changing pseudonyms to provide location privacy in VANETs. Security and Privacy in Ad-hoc and Sensor Networks (2007)

Mixing Effectiveness

5

4

At some intersection i:

pi13

pi12pi

14

pi2

4

pi2

1

pi23

pi32pi

34

13602680

69650194

3835930

3 e

nte

rin

g

road

s

4 exiting roads

Number of vehicles per hour

Normalized entropy-based metric [3]:

1

2

3

5933

38pi

13 = 3/(3+593+38)pi

12 = 593/(3+593+38)pi

14 = 38/(3+593+38)

Ri1=

3Ri

2= 3Ri

3= 2 k: entering roads

j: exiting roadsNormalized traffic intensity of entering road k

Passive mix zones:• mi = 0 if adversary at same place• mi = 1 if no adversary

[3] Serjantov, A., Danezis, G.: Towards an information theoretic metric for anonymity. PET 2002

Tracking GamesPlacement of active/passive mix zones versus placement of eavesdropping stations

6: Eavesdropping station (E) : Active mix zone (M) : Passive mix zone (P)

Strategic behaviors of attacker and defenders=> game theory to model the interactions between players and predict their best strategies 2 knowledge levels• complete information• incomplete info.

Game Model

7

Road network with K intersections

2 players: {mobile nodes, adversary}

Nodes’ strategies sn,i (intersection i): Active mix zone (cost = ci

m) ci

m = cip + ci

q = pseudonyms cost + silence cost

Passive mix zone (cost = cip)

Abstain

Adversary’s strategies sa,i : Eavesdrop (cost = cs) Abstain

Payoffs:

Eavesdrop (E) Abstain (A)

Active mix zone (M)

(λimi-cip-ci

q ; λi(1-mi)-cs)

(λi-cip-ci

q ; 0)

Passive mix zone (P)

(-cip ; λi-cs) (λi- ci

p ; 0)

Abstain (A) (0 ; λi-cs) (0 ; 0)

0 ≤ λi, mi, cim,

cs ≤ 1Adversary

Nodes

• mi ->1 if efficient mixing• mi ->0 if weak mixing

can be represented by a urban/central

authority

Analytical ResultsComplete Information Game

8

One intersection

• Either one pure Nash equilibrium (NE) or one mixed NE• Depending on traffic parameters mi, λi and players’

costs cim, ci

p and cs

• 4 possible pure NE: (M, E), (P, A), (A, E) and (A,A)• 2 pure NE never appear: (M, A) and (P, E)K intersections with limited number of

eavesdropping stations• Algorithm deriving a single Nash equilibrium

• Union of NE at K intersections (supergame [4])• Removal of exceeding eavesdropping stations• Update of nodes’ best response

[4] Friedman, J.W.: A non-cooperative equilibrium for supergames. The Review of Economic Studies (1971)

Analytical ResultsIncomplete and Asymmetric Information

Game:- Nodes do not know the adversary’s power

=> nodes’ belief on this power modeled as a probability distribution f(θ) [5]

9

One intersection• Existence of a pure Bayesian Nash

equilibrium (BNE) • Depending on traffic parameters mi, λi , players’ costs

cim, ci

p , cs and accuracy of nodes’ belief f(θ) on adversary’s type

• All possible pure BNE: (M, E), (P, A), (A, E) , (A, A), (M, A) and (P, E)

K intersections with limited number of eavesdropping stations• Algorithm deriving a single Bayesian Nash

equilibrium• Similar steps as the algorithm for complete information

game• Nodes do not know adversary’s strategy (eavesdropping

stations placement) => have to “guess” it based on their belief

[5] Harsanyi, J.: Games with incomplete information played by Bayesian players. Management science (1967)

Numerical Results

Real traffic data of Downtown Lausanne

10

• Low costs for both players

• 17

(M, E)

• 6

(A, E)

• 0

(P, A)

• 0

Mixed-strategy

• 2

(M, E)

• 3

(A, E)

• 18

(P, A)

• 0

Mixed-strategy

• 2

(M, E)

• 3

(A, E)

• 5

(P, A)

• 13

Mixed-strategy

• 2

(M, E)

• 3

(A, E)

• 18

(P, A)

• 0

Mixed-strategy

• Unlimited number (Γ=23) of eavesdropping stations

• Adversary’s higher cost• Limited number (Γ=5) of eavesdropping stations

Numerical Results

Incomplete Information Game:Probability density functions f(θ) of

nodes’belief on adversary’s cost cs: U(0,1) or

β(2,5)

11

Scenario\Bayesian NE

(M, E)

(P, E)

(A, E)

(M, A)

(P, A)

(A, A)

U(0,1); cs= 0.2; Γ= 23

10 13 0 0 0 0

U(0,1); cs= 0.2; Γ= 5 1 4 0 0 18 0

β(2,5); cs= 0.2; Γ= 23

16 3 4 0 0 0

β(2,5); cs= 0.2; Γ= 5 1 0 4 0 18 0

β(2,5); cs= 0.5; Γ= 23

2 0 2 14 3 2

β(2,5); cs= 0.5; Γ= 5 1 1 2 0 17 2

E = EavesdropA = Abstain

M = Active mix zoneP = Passive mix zoneA = Abstain

Adversary’s

strategies

Nodes’ strategi

es

Conclusion Possible to predict the best response of mobile users with

respect to a local adversary strategy

2 algorithms to reach (Bayesian) NE in both complete and incomplete information games In incomplete information game, nodes’ lack of information about the

adversary’s strategy leading to a significant decrease in the achievable location privacy level or a needless cost increase

Concrete application on a real city network Adversary and mobile nodes adopting complementary strategies

Future work Enrich the analysis by including the spatial interdependencies between

the different road intersections Evaluate the interactions between the attacker and defenders by using

repeated games12

Backup slides – NE at one intersection

13

Backup slides – K intersections

14

Backup slides – Algorithm 1

15

Backup slides – Bayesian Game

16

where

Backup slides – Bayesian NE

17

Backup slides – Algorithm 2

18