On Non-Cooperative Location Privacy: A Game-theoretic Analysis Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux David C. Parkes CCS 2009.

Post on 13-Dec-2015


On Non-Cooperative Location Privacy: A Game-theoretic Analysis

Julien Freudiger, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux

David C. Parkes

CCS 2009

2

Pervasive Wireless Networks

Human sensors

Vehicular networks Mobile Social networks

Personal WiFi bubble

3

Peer-to-Peer Communications

1

Message Identifier

2

WiFi/Bluetooth enabled

Signature || Certificate

4

Location Privacy Problem

1

Passive adversary monitors identifiers used in peer-to-peer communications

10h00: Millennium Park

11h00: Art Institute

13h00: Lunch

5

Previous Work

• Pseudonymity is not enough for location privacy [1, 2]

• Removing pseudonyms is not enough either [3]

Spatio-Temporal correlation of traces

Message Identifier

[1] P. Golle and K. Partridge. On the Anonymity of Home/Work Location Pairs. Pervasive Computing, 2009

[2] B. Hoh et al. Enhancing Security & Privacy in Traffic Monitoring Systems. Pervasive Computing, 2006

[3] B. Hoh and M. Gruteser. Protecting location privacy through path confusion. SECURECOMM, 2005

Pseudonym Message

6

Location Privacy with Mix Zones

Mix zone

2121

xy?

Temporal decorrelation: Change pseudonym

[1] A. Beresford and F. Stajano. Mix Zones: user privacy in location aware services. Percom, 2004

Why should a node participate?

Spatial decorrelation: Remain silent

Mix Zone Privacy Gain

7

$$A_i(T) = -\sum_{d=1}^{n(t)} p_{d|b} \log_2\left(p_{d|b}\right)$$

$n(t)$: Number of nodes in mix zone

[Figure: mix zone with nodes 1, 2, x, y; labels B, D, T]

Cost caused by Mix Zones

• Turn off transceiver

• Routing is difficult

• Load authenticated pseudonyms

8

+

+

=

9

Problem

Tension between cost and benefit of mix zones

When should nodes change pseudonym?

10

Method

• Game theory
– Evaluate strategies
– Predict evolution of security/privacy

• Example
– Cryptography
– Revocation
– Privacy mechanisms

Rational Behavior: Selfish optimization

Security protocols: Multi-party computations

11

Outline

1. User-centric Model

2. Pseudonym Change Game

3. Results

Mix Zone Establishment

• In pre-determined regions [1]

• Dynamically [2]
– Distributed protocol

12

[1] A. Beresford and F. Stajano. Mix Zones: user privacy in location aware services. PercomW, 2004

[2] M. Li et al. Swing and Swap: User-centric approaches towards maximizing location privacy. WPES, 2006

User-Centric Location Privacy Model

Privacy = Ai(T) – PrivacyLoss

13

[Figure: Privacy over time t, with Ai(T1) at t1 and Ai(T2) at t2, and a Traceable level]

14

Pros/Cons of user-centric Model

• Pro
– Control when/where to protect your privacy

• Con
– Misaligned incentives

15

Outline

1. User-centric Model

2. Pseudonym Change Game

3. Results

1

2

Assumptions

Pseudonym Change game
– Simultaneous decision
– Players want to maximize their payoff
– Consider privacy upper bound Ai(T) = log2(n(t))

16

• Strategy
– Cooperate (C): Change pseudonym
– Defect (D): Do not change pseudonym

Game Model

• Players
– Mobile nodes in transmission range
– There is a game iff $n(t) > 1$

17

18

Pseudonym Change Game

[Figure: timeline t with nodes 1, 2, 3 playing C or D at t1; silent period]

Payoff Function

19

If C & Not alone, then $u_i = A_i(T) - \gamma$

If C & Alone, then $u_i = u_i^- - \gamma$

If D, then $u_i = u_i^-$

ui = privacy - cost

Sequence of Pseudonym Change Games

20

[Figure: nodes 1 to 9 meeting in successive games E1, E2, E3 at times t1, t2, t3; plot of ui over time t with levels Ai(T1) - γ and Ai(T2) - γ and cost γ]

21

Outline

1. User-centric Model

2. Pseudonym Change Game

3. Results

C-Game: Complete information

Each player knows the payoff of its opponents

22

2-Player C-Game

23

Two pure-strategy Nash Equilibria (NE): (C,C) & (D,D)

One mixed-strategy NE

Best Response Correspondence

24

2 pure-strategy NE

1 mixed-strategy NE

n-Player C-Game

• All Defection is always a NE

• A NE with cooperation exists iff there is a group of k users with $\log_2(k) - \gamma > u_i^-$, ∀ i in the group of k nodes

25

Theorem: The static n-player pseudonym change C-game has at least 1 and at most 2 pure strategy Nash equilibria.
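An added example (not from the slides or the authors' code) that enumerates the pure-strategy Nash equilibria of a small n-player C-game by brute force, using the three payoff rules from the Payoff Function slide. It assumes the anonymity set is the set of cooperating nodes, so Ai(T) takes its upper bound log2(k) for k cooperators; the function names and the sample values of ui- and γ are constructed for illustration.

```python
from itertools import product
from math import log2

def payoff(i, profile, u_prev, gamma):
    """Payoff of node i for one strategy profile (tuple of 'C'/'D')."""
    if profile[i] == "D":
        return u_prev[i]                 # D: keep the current payoff u_i^-
    k = profile.count("C")               # cooperators, node i included
    if k > 1:
        return log2(k) - gamma           # C and not alone: A_i(T) - gamma
    return u_prev[i] - gamma             # C and alone: cost paid, no gain

def is_nash(profile, u_prev, gamma):
    """True if no single node gains by switching its own strategy."""
    for i, s in enumerate(profile):
        alt = list(profile)
        alt[i] = "D" if s == "C" else "C"
        if payoff(i, tuple(alt), u_prev, gamma) > payoff(i, profile, u_prev, gamma):
            return False
    return True

def pure_nash_equilibria(u_prev, gamma):
    """Brute-force search over all 2^n pure strategy profiles."""
    profiles = product("CD", repeat=len(u_prev))
    return [p for p in profiles if is_nash(p, u_prev, gamma)]

# Constructed sample inputs: current privacy u_i^- per node, and cost gamma.
MIXED = [0.2, 0.5, 3.0]   # two nearly traceable nodes, one with high privacy
HIGH = [3.0, 3.0, 3.0]    # every node still has high privacy
LOW = [0.1, 0.1, 0.1]     # every node is nearly traceable
GAMMA = 0.3

if __name__ == "__main__":
    for name, u in (("mixed", MIXED), ("high", HIGH), ("low", LOW)):
        print(name, pure_nash_equilibria(u, GAMMA))
```

In the mixed case the two low-privacy nodes change pseudonyms together while the high-privacy node defects, which is the "change only when necessary" coordination stated in Result 1.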

C-Game Results

Result 1: high coordination among nodes at NE

• Change pseudonyms only when necessary

• Otherwise defect

26

I-Game: Incomplete information

Players don’t know the payoff of their opponents

27

Bayesian Game Theory

Define type of player: $\theta_i = u_i^-$

28

$f(\theta_i)$: Predict action of opponents based on pdf over type

29

Environment

Low privacy

High privacy

Middle privacy

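Threshold Strategy

• A threshold determines players’ action

• Probability of cooperation is

$$F(\tilde{\theta}_i) = \Pr(\theta_i \le \tilde{\theta}_i) = \int_0^{\tilde{\theta}_i} f(\theta_i)\, d\theta_i$$

30

[Figure: axis of types θi with threshold θ̃i separating C and D]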

2-Player I-Game Bayesian NE

Find threshold θi* such that

Average utility of cooperation =

Average utility of defection

31


32

Result 2: Large cost increases cooperation probability.

33

Result 3: Strategies adapt to your environment.

34

Result 4: A large number of nodes n provides incentive not to cooperate

Conclusion

Rational behavior in location privacy protocol

– Propose a user-centric model of location privacy

– Introduce Pseudonym Change game

– Derive existence of equilibrium strategies

– Evaluate effect of non-cooperative behavior

Outcome: Protocol for distributed pseudonym changes among rational nodes

Future: Evaluate performance of protocol

35

lca.epfl.ch/privacy

37

BACKUP SLIDES

Payoff Function

38

( ) ( , ) ( , )i i i i i i iu A T t T t T

If , then( ) ( ( ) 0)i C is C n s

:

( , , , ) : ( )i

i i i i i

T t

u t T C s A T

If , then( ) ( ( ) 0)i C is C n s

( , , , ) : max(0, )i i i iu t T C s u

If , then( )is D( , , , ) : max(0, )i i i iu t T D s u

where the payoff function at the time immediately prior to tthe strategy of the opponents of iis

(s )C in the number of cooperating nodes besides i

C

D

Best Response Correspondence

39

2 pure-strategy NE

1 mixed-strategy NE

Type

• Incomplete information => imperfect information [1]

• Type captures the private information of players

• Assume type is distributed with probability $f(\theta_i)$, known to all players

• Each player can predict the behavior of its opponents with $f(\theta_i)$

40

i i i iA

Bayesian Game Theory

[1] J. Harsanyi. Games with Incomplete Information Played by Bayesian Players . Management Science , 1967

41

Result 3: Strategies adapt to environment.

42

PseudoGame Protocol
