Milcom 2015 Track 3 - Cyber Security and Trusted Computing

A Cross-Layer Defense Scheme for Countering Traffic Analysis

Attacks in Wireless Sensor Networks
Jon R. Ward and Mohamed Younis
Department of Computer Science and Electrical Engineering
University of Maryland, Baltimore County
Email: {jward3, younis}@umbc.edu

Abstract—In most Wireless Sensor Network (WSN) applications the by conventional security mechanisms that achieve
sensors forward their readings to a central sink or base station (BS). confidentiality, integrity, and authentication [2]. To date,
The unique role of the BS makes it a natural target for an adversary’s research in the field of anonymous communication has focused
attack. Even if a WSN employs conventional security mechanisms on routing protocols that attempt to hide true routes from source
such as encryption and authentication, an adversary may apply traffic
to sink [3][4]. Although anonymous routing methods may
analysis techniques to locate the BS. This motivates a significant
need for improved BS anonymity to protect the identity, role, and largely mitigate the threat of discovering data paths from packet
location of the BS. Published anonymity-boosting techniques mainly headers, an adversary may deduce significant information by
focus on a single layer of the communication protocol stack and analyzing link-layer, pair-wise node relationships from which
assume that changes in the protocol operation will not be detectable. the location and role of the BS can be inferred [5][6]. A variety
In fact, existing single-layer techniques may not be able to protect the of approaches have been proposed to mitigate this threat at either
network if the adversary could guess what anonymity measure is of the network, link, and physical layer.
being applied by identifying which layer is being exploited. In this In [7][8], Ward and Younis proposed a physical-layer (PHY)
paper we propose combining physical-layer and network-layer approach that leverages distributed beamforming to increase the
techniques to boost the network resilience to anonymity attacks. Our
BS’s anonymity. Distributed beamforming has recently received
cross-layer approach avoids the shortcomings of the individual single-
layer schemes and allows a WSN to effectively mask its behavior and attention as a method for improving the communication range,
simultaneously misdirect the adversary’s attention away from the data rate, and energy efficiency, providing physical-layer
BS’s location. We confirm the effectiveness of our cross-layer anti- security, and reducing interference in distributed wireless
traffic analysis measure using simulation. networks [9]. In distributed beamforming, multiple WSN nodes
cooperate and share their individual antennas to form a virtual,
Keywords: anonymity, location privacy, wireless sensor networks
multi-antenna system. Multiple nodes transmit simultaneously,
I. INTRODUCTION accounting for wireless channel conditions and precisely control
the signal phase, such that all signals constructively combine at
In recent years, Wireless Sensor Networks (WSNs) have become
the destination. This property has been demonstrated to increase
valuable assets to both the commercial and military communities
BS anonymity when applied to a WSN using our Distributed
with applications ranging from industrial control on a factory
Beamforming protocol for increased BS ANonymity (DiBAN)
floor to reconnaissance of a hostile border [1]. A WSN is
[8]. DiBAN successfully corrupts the adversary’s Evidence
composed of many sensor nodes deployed over a wide area for
Theory (ET) analysis such that the actual BS is not implicated as
applications such as border monitoring, industrial control, and
the WSN’s sink.
home automation. WSNs are often composed of inexpensive
While DiBAN successfully increases BS anonymity, its PHY
sensors that achieve extended lifetime by limiting hardware and
design provides an opportunity for integration with other higher-
protocol energy consumption. In a typical WSN, sensors
layer anonymity-boosting techniques. Furthermore, combining
periodically send their data to an in-situ base station (BS).
DiBAN with other anti-traffic analysis measures mitigates two
Therefore, the BS is a natural focal point for an adversary since
shortcomings of DiBAN. First, when DiBAN diminishes the
the unique role of the BS would likely allow the most impactful
adversary’s confidence in the BS’s location, the adversary’s
attack possible against the target WSN to be launched with the
suspicion of other nodes as being the BS is artificially increased
least effort. That is, the adversary assumes that achieving a
in an unpredictable manner related to relative deployed node
Denial of Service (DoS) attack against the BS would cripple the
locations. A higher-layer anonymity-boosting technique could
larger WSN since the BS not only serves as the data sink, but
be used to predictably misdirect the adversary’s attention away
also provides other basic control and management services such
from the BS. Second, DiBAN’s effectiveness may decrease if
as protocol synchronization, interfacing with other networks, and
an adversary evolves his or her traffic analysis beyond ET. Our
operator notifications, without which the WSN ceases to
integrated countermeasure confuses the adversary’s analysis in a
function. Furthermore, employing a backup BS in the WSN
controlled manner such that adversary believes the target WSN
may be infeasible and does not protect the WSN from attack
employs no anti-traffic analysis measure and therefore the
since the adversary could still attack the substitute BS.
adversary is unmotivated to evolve the attack strategy.
Therefore, the most successful protection for the BS against a
In this paper we introduce a cross-layer anonymity-boosting
malicious adversary’s attack is to remain anonymous in role,
technique that incorporates controlled routing of deceptive
identity, and location. However, such protection is not provided

978-1-5090-0073-9/15/$31.00 ©2015 IEEE 972

 Milcom 2015 Track 3 - Cyber Security and Trusted Computing

transmissions within DiBAN, which we call Deceptive DiBAN key concepts of [10][13][14] within DiBAN to boost anonymity
(D-DiBAN). While the focus of this paper is to describe and to a level that cannot be achieved solely by either technique.
analyze the specific D-DiBAN technique, the combined layered
methodology that we use to create D-DiBAN may be applied to III. SYSTEM AND ADVERSARY MODELS
form other cross-layer traffic analysis countermeasures. Our A. Network Model
validation results demonstrate that D-DiBAN successfully We consider a typical homogeneous WSN model where all
misdirects the adversary’s attention away from the actual BS sensor nodes have similar capabilities including battery life,
location while simultaneously decreasing the adversary’s radio type, and network protocols. Node locations remain static
confidence in the BS’s actual location in a manner not and no mobility is considered in this paper. The BS serves as a
achievable with individual, single-layer countermeasures. The sink of all data traffic originated at the sensor nodes. Only one
remainder of this paper is organized as follows: Section II BS is present in the network. We assume that nodes know their
summarizes related work. Section III discusses the assumed positions relative to the BS and adjacent nodes [1].
system model. Section IV presents the evidence theory Furthermore, nodes know the transmit power level required to
framework. Section V summarizes the DiBAN and presents our reach all next-hop neighbors. Least-cost, multi-hop routes are
D-DiBAN cross-layer approach. Section VI presents anonymity pursued for delivering data packets to the BS, where the required
and energy consumption validation results. Finally, the paper is transmit power to reach each destination is used as the link cost.
concluded in Section VII. We also assume that all nodes, including the BS, use omni-
II. RELATED WORK directional antennas and that the RF propagation environment is
ideal and characterized by the Friis free space path loss equation.
While quite a few anonymity-boosting techniques have been This assumption establishes a method for a node to determine
proposed in the literature, the authors are unaware of approaches the nodes from which it can receive transmissions and could be
that combine the effects of multiple layered techniques. augmented with other propagation models with no modification
Consequently, we independently describe previous work related to our cross-layer protocol design.
to anonymity assessment and anti-traffic analysis measures. Precautionary measures are assumed to be employed in the
Anonymity assessment: Studies on defining a quantitative design and the operation of the BS to avoid exposing it to an
method to measure anonymity, which is inherently a qualitative eavesdropping adversary. For example, a BS maintains a
figure of merit, produced three general methods to quantify transmission power level equivalent to other nodes in the WSN
anonymity at the link layer: entropy [5], the GSAT test [5], and and limits its involvement in control traffic (e.g., new route
Belief [5][6]. The entropy and GSAT methods require imposing discovery and acknowledgements), in order to keep itself
specific restrictions on the adversary in terms of a priori undistinguishable via traffic analysis from other sensor nodes.
probability of the BS location being known or that the adversary An adversary’s only option to identify and locate the BS is
is able to physically confirm the existence of the BS in the through traffic analysis. All transmissions contain encrypted
predicted location. The Belief metric, which is based on ET, headers and payloads. We assume that the WSN uses a Time
imposes none of these assumptions and has thus received Division Multiple Access (TDMA) Medium Access Control
significant attention as a metric to characterize anonymity. We (MAC) protocol with minimal control traffic; no specific PHY
discuss ET and the Belief metric in Section IV and use this protocol is assumed for the target WSN.
framework to assess BS anonymity in this paper.
B. Adversary Model
Anti-traffic analysis measures: Many techniques have been
The target WSN is assumed to serve a critical application that
proposed to boost BS anonymity. J. Deng et al. [10] present
an adversary opts to disrupt. After identifying and locating the
multiple approaches including a uniform WSN packet sending
BS, an adversary’s objective is to exploit the BS (e.g., achieve
rate and establishment of fake routes to confuse the adversary.
DoS). The adversary is assumed to be a completely passive
Similarly, Mehta et al. [11] propose altering network routes by
eavesdropper with global presence throughout the WSN [1].
including fake sinks in the WSN. Two techniques were
The adversary has the ability to localize the source of all radio
proposed in [5]; the first requires that the BS retransmits a subset
transmissions in the network deployment area to the resolution
of the frames it receives with different intensities such that the
of a square cell using well-known signal localization techniques
BS appears as any other node to the adversary. The second
such as Angle of Arrival (AoA) and received signal strength
technique assumes a mobile BS that can relocate itself to a more
(RSS) [1]. Although the adversary intercepts data frames, it is
secure location [5]. The approach of [12] boosts the BS
assumed that the cryptosystem is sufficiently robust that the
anonymity by increasing the transmission power used by all
adversary cannot apply cryptanalysis to recover the underlying
network nodes and correspondingly growing the number of
payload or header contents. The adversary employs ET to
potential message recipients. The anonymity-boosting technique
analyze traffic and determine the location of the BS.
of [10][13][14] is based on establishing paths between fake
sources and sinks to increase transmissions in the WSN to IV. EVIDENCE THEORY AND BELIEF METRIC
distract the adversary. Finally the DiBAN PHY approach [8]
Evidence theory (ET) is fundamentally a traffic analysis model
exploits distributed beamforming to boost BS anonymity. Our
that has been shown to be an effective means for assessing
cross-layer D-DiBAN, described in Section V.B, integrates the
location anonymity [6]. Each time a frame is intercepted during

973
 Milcom 2015 Track 3 - Cyber Security and Trusted Computing

transmission from a source to a destination, it is considered as an corresponding Belief metrics for each cell that contains
evidence of the existence of a point-to-point communication link at least one sensor and is implicated by an evidence ) , ) as
between the source and all its neighbors. The adversary applies a possible message destination. At time %( 0,3,5
ET by observing the network over a period of time, considering 0.866, 1,4 0.133, and 7,8 0.733. The
all possible recipients of a transmission, correlating the detected evidences in Table 1 resulting from two transmissions is an
transmissions, and accumulating evidences that implicate a insufficient set to produce meaningful and are included for
certain sensor as the BS [5][6]. Two pieces of prior information illustrative purposes only.
are required by the adversary to apply ET: a method to localize Table 1: Collected evidence for the illustrative example
transmitters and knowledge of the RF propagation environment
Transmission Evidence 1 2 3 2
such that the adversary can determine which sensors are within
1 %& 1,4 , 1,0 , 1,5 , 1,3 1 0.25
reception range of all transmissions based on RSS.
2 %' 4,1 , 4,5 , 4,7 , 4,3 , 1 0.1
The adversary begins by intercepting all point-to-point 4,0 , 4,8
transmissions, represented as evidence , where represents Derived %( 1,4,7 , 1,4,5 , 1,4,3 , 1,4,8 , 1 0.066
a point-to-point link between two sensors, and . The 1,4,0
adversary then derives composite paths by correlating all pair-
wise evidences. An end-to-end path that contains two or more V. CROSS-LAYER ANTI-TRAFFIC ANALYSIS MEASURE
sensors is represented by and its associated evidence is In this section we summarize the use of distributed beamforming
calculated as: to increase BS anonymity using the DiBAN protocol. We then
min , | | 2, 1 describe how D-DiBAN integrates a network-layer anonymity-
⊆

where | | represents the number of sensors that compose the

boosting technique into the existing DiBAN protocol to further
strengthen its effect through cross-layer optimization.
inferred end-to-end path [6]. The normalized evidence
/∑ expresses the proportion to which all
A. Summary of Distributed Beamforming in a WSN
evidences collected by the adversary support the claim that a
Distributed beamforming exploits the broadcast nature of
particular element of the set of all WSN sensors is part of the
wireless transmissions since all frames destined for a particular
communication path . The Belief metric represents the
receiver may be overheard by neighboring nodes. As illustrated
adversary’s confidence in the existence of a path of length that
in Figure 2(i), these neighbors may serve as helper relays by
ends at a specific sensor and is represented as
cooperating with a given transmission source ) such that the
. 2 transmitted signal arrives at the destination ) from a diverse set
| ⊆ of transmitters. Because each relay 45 transmits the same
The Belief metric is the method by which we assess BS message as ) with precise time and carrier synchronization, the
anonymity in this paper. A small Belief metric corresponds to signals constructively combine at the destination ) under ideal
decreased adversary confidence or higher anonymity in a BS’s timing and carrier synchronization conditions [9].
location and conversely a larger Belief metric corresponds to
increased adversary confidence or lower BS location anonymity.
To decrease the computational complexity required to calculate
the Belief metric, we further impose a restriction that the
adversary partitions the area into a ! × ! grid composed of "#
square cells, which is equivalent to relaxing the adversary’s
destination localization requirements to only the fidelity of a cell
[6]. Consequently, the Belief metrics generated using the
simplified cellular-based analysis refer to one of "# cells within (i) (ii)
the adversary’s analysis grid instead of a particular sensor. Figure 2: (i) Example of distributed beamforming in a network, and
Figure 1 shows an illustrative example, where two (ii) DiBAN protocol sequence diagram [8]
consecutive frames are transmitted, the first from cell 1 to 4 and
the second from cell 4 to 7 with the target WSN deployment area The DiBAN protocol, proposed in [8], satisfies these three
partitioned into "# 9 cells. The adversary collects pair-wise requirements such that a WSN may successfully implement
evidences at times %& and %' and calculates the derived evidence distributed beamforming. We represent the ideal received signal
for composite paths in Table 1 at time %( . The adversary applies at ) that is transmitted by source ) and |6| helper relays 45 as:
Equation (2) to the evidence collection at time %( to calculate the |?|@'
789 % ≜ 7;9,89 % < ∑5A& 7=> ,89 %
BCD;9 % E;9, 89 F;9,89 G 5 (HIJ KL M K LN K
O<
|?|@'
B C∑5A& D=> % E=>,89 F=>,89 G 5 (HIJ KL M K LN K
O < % , (3)

Figure 1: Example of an adversary applying ET with "# 9 cells

974
 Milcom 2015 Track 3 - Cyber Security and Trusted Computing

where B is the real operator used for complex baseband the adversary is discouraged from evolving the attack model
notation, D % is the baseband pulse shape, E is the complex because from the adversary’s point of view the current traffic
channel gain, F is the channel impulse response, PQ is the carrier analysis strategy is effective. DiBAN coordinates with helper
frequency, R % is a phase modulation term, S % is an aggregate relays to precisely control its transmission power level at the
phase shift term, and % represents the thermal noise present at PHY to prevent the adversary from collecting implicating
receiver ) . 789 % is composed to two terms, the received evidence ( ) , ) ). We include a network-layer anonymity-
transmission from the source ) (i.e., 7;9 ,89 (%)) and the sum of boosting technique within DiBAN that leverages previous work
received transmissions from the |6| recruited relays 45 ∈ 6 given to allow helper relays to route deceptive transmissions
|?|@' [10][13][14].
by ∑5A& 7=>,89 (%). D-DiBAN adds two cross-layer enhancements to the
The significance of Equation (3) in the context of achieving standard DiBAN in Figure 2(ii). First, in steps (A) and (B) of
BS anonymity at the PHY is that distributed beamforming DiBAN the sender ) selects a suitable set of relays 45 ∈ 6. In
allows the received signal component 7;9,89 (%) from ) ’s D-DiBAN one of the relays 45 is randomly selected to transmit a
|?|@'
transmission to be decreased by ∑5A& 7=>,89 (%) yet maintain the deceptive transmission to a fake sink node X) . We nominate a
same effective non-cooperative received power level at ) when specific node X) to be the recipient of all routed deceptive
the phase offset S(%) is constant. Therefore if ) and 45 ∈ 6 transmissions to predictably control the flow of traffic towards a
transmit only at the required power to reach ) at a specific specific destination. A variety of criteria could be used to select
signal to noise ratio (SNR), each transmitter may decrease its the fake sink node and its location. Mehta et al. [11] and D.
Ying et al. [13] propose approaches for selecting and placing
power by 10log(|6| + 1) dB and successfully prevent the
( ) , ) ). multiple fake sinks in the WSN. Since the objective of our
adversary from identifying the evidence
cross-layer methodology is to introduce a traffic pattern to
Correspondingly, excluding ( ) , ) ) from the adversary’s
appear as though no anonymity boosting measure is being
evidence set increases BS anonymity because it reduces the
applied, we select a single fake sink node to give the illusion that
implicating contributions resulting in ( = ) ).
it is the BS. We impose the condition that fake sink is to be
Figure 2(ii) illustrates the DiBAN protocol sequence
located in a cell that does not contain the actual BS. This
diagram applied at each hop by a node ) that desires to use
condition prevents the fake sink from contributing implicating
distributed beamforming to boost BS anonymity when
evidence to the cell containing the BS during the adversary’s ET
transmitting a legitimate message to next-hop destination ) .
analysis. The second enhancement is to repurpose the Ack
First ) must select a suitable set of helper relays 45 ∈ 6 using transmitted in step (F) of the DiBAN protocol to also serve as a
the handshaking shown in steps (A) and (B). Once a set of deceptive transmission. Upon receipt of a successful
helper relays have been recruited, ) transmits an unmodulated transmission in D-DiBAN, ) sends an Ack to ) as in standard
carrier in step (C) and transmits its data payload to 45 ∈ 6 in step DiBAN; however, instead of the Ack transmission ending at )
(D). The distributed beamforming transmission occurs in step and implicating ) as a sink, ) then forwards the Ack to the fake
(E). Following step (E) in standard DiBAN the destination ) sink node X) .
transmits an Ack to ) in step (F) to indicate that the cooperative DiBAN successfully unlinks a source ) from a destination
message was correctly received [8].
) using distributed beamforming, as described in Section V.A
Although DiBAN successfully diminishes the adversary’s and illustrated in Section V.C; however, a more sophisticated
confidence in the BS’s location, the adversary’s suspicion of adversary could evolve the attack strategy beyond ET analysis to
other nodes as being the BS is artificially increased in an correlate the cooperative transmission that produces orphaned
unpredictable manner, relative to deployed node locations. As evidence (i.e., step (E)) with the observed gratuitous Ack to
shown in Figure 2(ii), multiple senders transmit messages that improve his or her traffic analysis approach. An advanced
generate a variety of evidences at each hop when boosting adversary may analyze DiBAN to understand the protocol and
anonymity through cooperation. During the adversary’s decrease its effectiveness at boosting anonymity. D-DiBAN
analysis, these transmissions generate unpredictable peaks in the addresses this shortcoming of DiBAN by using a helper relay 45
adversary’s Belief curve that we would like to predictably and the Ack from ) at each hop to misdirect the adversary’s
control to further misdirect the adversary’s attention away from attention away from the actual BS location towards the fake sink
the BS. By predictably manipulating the adversary’s analysis
node X) . The deceptive transmissions to the fake sink node X)
and hiding the fact that the target WSN employs an anti-traffic strengthen the adversary’s perception that the target WSN is not
analysis countermeasure, the adversary is discouraged from
employing anonymity-boosting techniques and that the highest
adopting a different attack strategy.
calculated Belief value ( ) corresponds to the cell containing
B. D-DiBAN Cross-Layer Approach the BS. In fact, D-DiBAN generates the largest relative ( )
The incorporation of a network-layer anonymity-boosting corresponding to the cell containing the fake sink node. D-
technique within DiBAN provides an opportunity to achieve DiBAN’s cross-layer design increases BS anonymity by
complementary effects that simultaneously boost the BS’s simultaneously decreasing the adversary’s confidence in the
anonymity while predictably misdirecting the adversary’s BS’s actual location and predictably misdirecting the adversary’s
attention away from the BS’s actual location. Correspondingly, attention towards a specific fake sink node X) .

975
 Milcom 2015 Track 3 - Cyber Security and Trusted Computing

C. Illustrative D-DiBAN Example ) , X) . Second, the DiBAN technique uses helper relays to
Figure 3 shows an example of the adversary’s ET analysis of a prevent the adversary from collecting evidence that implicates
single-hop transmission using D-DiBAN at two time instances, the actual destination ) as the BS. It is worth noting that
where the adversary partitions the target deployment area into 36 introducing fake sinks creates additional Belief peaks in the
cells and we zoom in on cells 21 through 35. First we consider analysis and does not diminish the Belief of the BS cell
the deceptive transmission in Figure 3(i). The source node in [10][13][14]. A unique advantage of D-DiBAN is
cell 29 has chosen a set of helper relays within cells 28 and 34 deemphasizing the BS cell through low Belief while diverting
(i.e., L= {28,34}). At time %& cell 28 transmits a deceptive the adversary’s attention to another cell with artificially elevated
transmission labeled “DT” to the fake sink in cell 21 and Belief. In Section VI we validate the performance of D-DiBAN
produces the evidence set shown in Table 1. The length of the using simulation.
black arrow represents the reception range of a deceptive
VI. VALIDATION EXPERIMENTS
transmission from cell 28 to cell 21 transmitted at time %& .
A. Simulation Environment
We evaluate the effectiveness of D-DiBAN using a custom
Monte Carlo computer simulation written in C. Results are
subjected to 90 percent confidence interval analysis and found to
stay within 10 percent of the sample mean. A set of sensor
nodes is uniformly spread over a grid of size 1000 x 1000 m2
and the BS location remains constant while randomly triggered
sensors send data over the multi-hop network to the BS. This
simulation considers only the link-layer relationships of the
(i) (ii) communicating wireless nodes from the perspective of the
Figure 3: (i) Example of a deceptive transmission within D-DiBAN, adversary. The adversary divides the target network into a grid
and (ii) cooperative transmission using distributed beamforming of 36 cells of size 167 x 167 m2, where the numbering scheme
for the advesrary’s cell-based ET analysis is shown in Figure 3.
Table 1: Collected evidence in the example network We define the receiver sensitivity of each WSN node to be
Transmission Evidence Set 1(YZ , [Z 3 YZ , [Z _100 dBm, a typical value for WSN motes, and the required
Deceptive 28,21 , SNR for error-free demodulation is 10 dB. All sensor nodes
1 0.33
transmissions %& 28,22 , 28,27 know their relative locations and are capable of estimating basic
Cooperative %' 28, None , 29, None ; ,8
0 0 CSI and `a 9 9 required to reach the next-hop destination at the
34, None
SNR threshold. The maximum transmision power per node is
For the cooperative transmission, the three cooperating nodes limited to 30 dBm. Distributed beamforming is applied to each
transmit to ) in cell 35 at time %' , and each decreases its hop and occurs each time |6| b 1 is available. We consider two
transmission power by 10 log 3 4.77 dB, while still reaching BS locations and the number of nodes 100 and 200. In
in cell 35 with a coherently-combined signal that achieves one case the BS is located in cell 35 and we specify the fake sink
)
sufficient SNR. to be located within cell 21. Similarly, in a second case the BS
The adversary collects three evidences from the single is located in cell 21 and we specify the fake sink to be located
deceptive transmission at time %& . Each evidence is unique and within cell 35. Each time a sensor routes a legitimate message to
), ) 1 and we calculate ), )
its next-hop destination using DiBAN, we randomly select one
therefore we assign
' of the |6| relays 45 ∈ 6 to be a deceptive source that routes the
^
by normalizing ) , ) using the current evidence set that deceptive transmission toward the fake sink.
contains three evidences. The adversary applies Equation (2) to
) , ) to calculate Belief metrics
the collection of to B. Simulation Results
evaluate anonymity [5][6]. We observe that 28,21 We present the anonymity and average communication energy
implicates the fake sink, cell 21, and the other deceptive performance results for three different WSN configurations:
evidences implicate nodes that surround the fake sink. We baseline that employs no anti-traffic analysis measures, DiBAN,
observe from the cooperative transmission that only orphaned and D-DiBAN. Figure 4 demonstrates the Belief calculated for
evidences are collected as compared to the baseline case in each cell in the adversary’s analysis grid, where the BS is placed
Figure 1 and Table 1 due to the decreased range of each in cell 21 and cell 35 contains the fake sink node. We observe
individual transmission. Correspondingly, the actual endpoint of that the baseline Belief curve varies between approximately 0
cell 35 which contains destination ) is not implicated because and 0.04 except for cell 21, which reaches approximately 0.13.
distributed beamforming increases BS anonymity by unlinking When the WSN employs no anonymity-boosting technique, the
) and 45 ∈ 6 from ) . adversary is clearly drawn to cell 21 since 21 is the
In this example we see the complementary anonymity- highest peak in the grid.
boosting mechanisms provided by D-DiBAN. First the Next the WSN employs DiBAN and we observe that
deceptive transmissions purposely and controllably implicate a 21 is decreased significantly to less than 0.02 and is
fake sink node X) within cell 21 by producing evidence among the cells with the lowest Belief in the grid. The

976
 Milcom 2015 Track 3 - Cyber Security and Trusted Computing

adversary’s attention is no longer drawn to cell 21 when DiBAN any traffic analysis countermeasure considered.
is employed; however, the adversary’s attention is not
predictably drawn to any other cells. For example, cell 28
achieves the highest Belief when only DiBAN is employed, yet VII. CONCLUSIONS AND FUTURE WORK
this peak is the result of cell 28 being adjacent to cell 21 and This paper presented a novel approach to increase BS anonymity
being implicated by traffic en route to cell 21 and not because by designing a cross-layer anonymity-boosting technique that
we intentionally amplify ( = 28) for the purposes of incorporates a network-layer technique into the DiBAN PHY
deceiving the adversary. When D-DiBAN is employed, we approach. We used simulation to demonstrate that our D-
observe that ( = 21 is increased slightly due to any DiBAN approach increases BS anonymity by achieving two
implicating evidence generated by the deceptive D-DiBAN simultaneous effects that hide the BS’s location and distract the
transmission, yet 35 is increased significantly to a level adversary with deceptive transmissions that terminate at the fake
of 0.07 to distract the adversary by becoming the highest peak. sink node. The increased energy consumption of D-DiBAN is
Figure 5 demonstrates that similar results to those shown in modest compared to the baseline and DiBAN techniques.
Figure 4 can be achieved for any selection of BS and fake sink Moreover, the cross-layer methodology that we establish when
node location. In Figure 5 we place the BS in cell 35 and cell 21 developing D-DiBAN may be applied to published higher-layer
contains the fake sink node. The baseline case that employs no anonymity boosting techniques to result in cross-layer
anonymity-boosting technique allows the adversary to easily countermeasures that are more effective than the sum of their
identify the BS’s location as observed by 35 of parts. Future work shall consider additional cross-layer designs
approximately 0.07, which is relatively the highest value. The using network and link layer traffic analysis countermeasures.
Belief results for the DiBAN and D-DiBAN configurations
REFERENCES
follow the same trends as results in Figure 4. In this case D-
DiBAN decreases 35 which is associated with the BS to [1] H. Karl, A. Willig, “Protocols and Architectures for Wireless Sensor
Networks,” John Wiley and Sons, 2005.
approximately 0.01 and amplifies the fake sink’s 21 to [2] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and D. Tygar, “SPINS: Security
approximately 0.07, the highest relative peak. Figure 6 presents Protocols for Sensor Networks,” Proc. of the 7th ACM Int’l Conf.
additional results with the same configuration of Figure 5 with [3] S. Seys and B. Preneel, “ARM: Anonymous Routing Protocol for Mobile Ad
200 to confirm that the trends shown in Figure 4 and
hoc Networks,” Proc. of the 20th IEEE Conf. on Advanced Info. Networking
and Applications, Vienna, Austria, Apr 2006.
Figure 5 are not dependent on a specific node density. [4] J. Kong, H. Xiaoyan, M. Gerla, "An Identity-Free and On-Demand Routing
The average energy consumption of a traffic analysis Scheme against Anonymity Threats in Mobile Ad Hoc Networks," IEEE
countermeasure should be considered along with its increased Transactions on Mobile Computing, vol.6, pp.888,902, Aug. 2007.
[5] U. Acharya and M. Younis, “Increasing Base-Station Anonymity in Wireless
anonymity performance. Table 2 presents the average Sensor Networks,” J. of Ad-hoc Network, 8(8), pp. 791–809, Nov 2010.
communication energy consumption of the three anti-traffic [6] D. Huang, “On Measuring Anonymity for Wireless Mobile Ad-hoc
analysis measures considered in this paper in addition to the Networks,” Proc. of LCN’06, Tampa, FL, November 2006.
baseline configuration with deceptive transmissions. [7] J.R. Ward, M. Younis, “On the Use of Distributed Beamforming to Increase
Base Station Anonymity in Wireless Sensor Networks,” Proc. of the Int’l
Table 2: Average communication energy consumption for four WSN Conf. on Computer Communications and Networks (ICCCN), July 2013.
anti-traffic analysis measures with 100 [8] J. R. Ward, M. Younis, “Increasing base station anonymity using
distributed beamforming,” Ad Hoc Networks, Available online, Jan. 2015.
BS and Fake Baseline Baseline with DiBAN D-DiBAN [9] R. Mudumbai, G. Barriac, U. Madhow, “On the Feasibility of Distributed
Sink Location (µJ) DT (µJ) (µJ) (µJ) Beamforming in Wireless Networks,” IEEE Transactions on Wireless
Communications, 6(5), pp. 1754–1763, May 2007.
BS cell = 21 [10] J. Deng, R. Han, S. Mishra, “Decorrelating Wireless Sensor Network
10.6 12.3 11.5 13.6
Fake sink cell = 35 Traffic to Inhibit Traffic Analysis Attacks,” Pervasive and Mobile
BS cell = 35 Computing Journal, vol. 2, pp. 159 – 186, Apr. 2006.
11.5 13.5 11.7 14.7 [11] K. Mehta, D. Liu, M. Wright, “Protecting Location Privacy in Sensor
Fake sink cell = 21
Networks Against a Global Eavesdropper,” IEEE Transactions on Mobile
DiBAN requires only a small increase in energy consumption Computing, Vol. 11, No. 2, pp. 320-336, February 2012.
[12] Y. Ebrahimi, and M. Younis, “Increasing Transmission Power for Higher
compared to the baseline case, a result previously published in Base-station Anonymity in Wireless Sensor Network,” Proc. of the IEEE
[8], due to the ability of cooperative nodes to decrease Int’l Conf. on Comm. (ICC 2011), Kyoto, Japan, June 2011.
transmission power. D-DiBAN only requires slightly higher [13] D. Ying, D. Makrakis, H.T. Mouftah, “Anti-Traffic Analysis Attack for
energy overhead than DiBAN and less than 10 percent energy Location Privacy in WSNs,” EURASIP Journal on Wireless
Communications and Networking, 2014:131, August 2014.
overhead increase than the baseline with deceptive transmissions [14] Y. Ebrahimi, and M. Younis, "Using Deceptive Packets to Increase Base-
configuration, yet achieves the most anonymity improvement of station Anonymity in Wireless Sensor Networks," Proc. of the Wireless
Comm. & Mobile Comp. Conf. (IWCMC’11), Istanbul, Turkey, July 2011.

Figure 4: Belief metric for 100, Figure 5: Belief metric for 100, Figure 6: Belief metric for 200,
BS in cell 21, and fake sink in cell 35 BS in cell 35, and fake sink in cell 21 BS in cell 35, and fake sink in cell 21

977