Trade-offs of source location protection in globally attacked sensor networks: A case analysis

This paper studies source location anonymity in a large monitoring wireless sensor network with a single data collector, and under a global attack. The qualifier ”global” indicates the capability of the eavesdropper (attacker) to capture all network transmissions, and to discern their time and location. We propose a scheme for generating fake network traffic to disguise the real event notification. This scheme is particularly effective for the protection of the monitored asset in delay-intolerant applications monitoring rare and spatially sparse events. Unlike earlier work on this topic, we jointly consider the protection strength, events´ dynamics, probability of the attacker´s exposure during the attack, notification latency, network overhead, and scalability. The efficiency of the scheme that provides statistical source anonymity is achieved by partitioning network nodes randomly into several node groups. Members of the same group collectively emulate both temporal and spatial distribution of the event. Under such framework, we aim to better model the global eavesdropper, especially her way of using statistical tests to detect the real event. In addition, our approach aims to reduce the per-event work spent to generate the fake traffic while, most importantly, providing a guaranteed latency in reporting the event. The latency is controlled by decoupling the routing from the fake-traffic schedule. A good dummy-source group design also provides a robust protection of event bursts. This is achieved at the expense of the significant overhead as the number of dummy-source groups must be increased to the reciprocal value of the false alarm parameter used in the statistical test. Ultimately, our message is that designing a protection scheme to meet multiple requirements, imposed by realistic application scenarios, involves trade-offs among several performance measures, and calls for an evaluation framework that recognizes these challenges. We believe that the proposed source anonymity protection strategy, and the evaluation framework, are well justified by the abundance of the applications that monitor a rare event with uniform spatial distribution.