Mingyan Li

AMOEBA: Robust Location Privacy Scheme for VANET

Communication messages in vehicular ad hoc networks (VANET) can be used to locate and track vehicles. While tracking can be beneficial for vehicle navigation, it can also lead to threats on location privacy of vehicle user. In this paper, we address the problem of mitigating unauthorized tracking of vehicles based on their broadcast communications, to enhance the user location privacy in VANET. Compared to other mobile networks, VANET exhibits unique characteristics in terms of vehicular mobility constraints, application requirements such as a safety message broadcast period, and vehicular network connectivity. Based on the observed characteristics, we propose a scheme called AMOEBA, that provides location privacy by utilizing the group navigation of vehicles. By simulating vehicular mobility in freeways and streets, the performance of the proposed scheme is evaluated under VANET application constraints and two passive adversary models. We make use of vehicular groups for anonymous access to location based service applications in VANET, for user privacy protection. The robustness of the user privacy provided is considered under various attacks.

Optimal Jamming Attacks and Network Defense Policies in Wireless Sensor Networks

We consider a scenario where a sophisticated jammer jams an area in a single-channel wireless sensor network. The jammer controls the probability of jamming and transmission range to cause maximal damage to the network in terms of corrupted communication links. The jammer action ceases when it is detected by a monitoring node in the network, and a notification message is transferred out of the jamming region. The jammer is detected at a monitor node by employing an optimal detection test based on the percentage of incurred collisions. On the other hand, the network computes channel access probability in an effort to minimize the jamming detection plus notification time. In order for the jammer to optimize its benefit, it needs to know the network channel access probability and number of neighbors of the monitor node. Accordingly, the network needs to know the jamming probability of the jammer. We study the idealized case of perfect knowledge by both the jammer and the network about the strategy of one another, and the case where the jammer or the network lack this knowledge. The latter is captured by formulating and solving optimization problems, the solutions of which constitute best responses of the attacker or the network to the worst-case strategy of each other. We also take into account potential energy constraints of the jammer and the network. We extend the problem to the case of multiple observers and adaptable jamming transmission range and propose a intuitive heuristic jamming strategy for that case.

Swing & swap: user-centric approaches towards maximizing location privacy

In wireless networks, the location tracking of devices and vehicles (nodes) based on their identifiable and locatable broadcasts, presents potential threats to the location privacy of their users. While the tracking of nodes can be mitigated to an extent by updating their identifiers to decorrelate their traversed locations, such an approach is still vulnerable to tracking methods that utilize the predictability of node movement to limit the location privacy provided by the identifier updates. On the other hand, since each user may need privacy at different locations and times, a user-centric approach is needed to enable the nodes to independently determine where/when to update their identifiers. However, mitigation of tracking with a user-centric approach is difficult due to the lack of synchronization between updating nodes. This paper addresses the challenges to providing location privacy by identifier updates due to the predictability of node locations and the asynchronous updates, and proposes a user-centric scheme called Swing that increases location privacy by enabling the nodes to loosely synchronize updates when changing their velocity. Further, since each identifier update inherently trades off network service for privacy, the paper also introduces an approach called Swap, which is an extension of Swing, that enables the nodes to exchange their identifiers to potentially maximize the location privacy provided by each update, hence reducing the number of updates needed to meet the desired privacy levels. The performance of the proposed schemes is evaluated under random and restricted pedestrian mobility.

Mitigation of Control Channel Jamming under Node Capture Attacks

Availability of service in many wireless networks depends on the ability for network users to establish and maintain communication channels using control messages from base stations and other users. An adversary with knowledge of the underlying communication protocol can mount an efficient denial of service attack by jamming the communication channels used to exchange control messages. The use of spread spectrum techniques can deter an external adversary from such control channel jamming attacks. However, malicious colluding insiders or an adversary who captures or compromises system users is not deterred by spread spectrum, as they know the required spreading sequences. For the case of internal adversaries, we propose a framework for control channel access schemes using the random assignment of cryptographic keys to hide the location of control channels. We propose and evaluate metrics to quantify the probabilistic availability of service under control channel jamming by malicious or compromised users and show that the availability of service degrades gracefully as the number of colluding insiders or compromised users increases. We propose an algorithm called GUIDE for the identification of compromised users in the system based on the set of control channels that are jammed. We evaluate the estimation error using the GUIDE algorithm in terms of the false alarm and miss rates in the identification problem. We discuss various design trade-offs between robustness to control channel jamming and resource expenditure.

Optimal Jamming Attack Strategies and Network Defense Policies in Wireless Sensor Networks

We consider a scenario where a sophisticated jammer jams an area in which a single-channel random-access-based wireless sensor network operates. The jammer controls the probability of jamming and the transmission range in order to cause maximal damage to the network in terms of corrupted communication links. The jammer action ceases when it is detected by the network (namely by a monitoring node), and a notification message is transferred out of the jammed region. The jammer is detected by employing an optimal detection test based on the percentage of incurred collisions. On the other hand, the network defends itself by computing the channel access probability to minimize the jamming detection plus notification time. The necessary knowledge of the jammer in order to optimize its benefit consists of knowledge about the network channel access probability and the number of neighbors of the monitor node. Accordingly, the network needs to know the jamming probability of the jammer. We study the idealized case of perfect knowledge by both the jammer and the network about the strategy of each other and the case where the jammer and the network lack this knowledge. The latter is captured by formulating and solving optimization problems where the attacker and the network respond optimally to the worst-case or the average-case strategies of the other party. We also take into account potential energy constraints of the jammer and the network. We extend the problem to the case of multiple observers and adaptable jamming transmission range and propose a meaningful heuristic algorithm for an efficient jamming strategy. Our results provide valuable insights about the structure of the jamming problem and associated defense mechanisms and demonstrate the impact of knowledge as well as adoption of sophisticated strategies on achieving desirable performance.

Probabilistic Mitigation of Control Channel Jamming via Random Key Distribution

The use of distinct, dedicated communication channels to transmit data and control traffic introduces a single point of failure for a denial of service attack, in that an adversary may be able to jam control channel traffic and prevent relevant data traffic. Hence, it is of interest to design control channel access schemes which are resilient to jamming. We map the problem of providing resilient control channel access under jamming to that of secure communication channel establishment. We propose the use of random key distribution to hide the location of control channels in time and/or frequency. We evaluate performance metrics of resilience to control channel jamming, identification of compromised users, and delay due to jamming as a function of the number of compromised users.

Design of secure multicast key management schemes with communication budget constraint

We study the problem of distributing cryptographic keys to a secure multicast group with a single sender and multiple receivers. We show that the problem of designing key distribution model with specific communication overhead can be posed as a constraint optimization problem. Using the formulation, we show how to minimize the number of keys to be stored by the group controller. An explicit design algorithm with given key update communication budget is also presented.

Impact of Public Key Enabled Applications on the Operation and Maintenance of Commercial Airplanes

Making airplanes network-enabled can significantly increase the efficiency of aircraft manufacturing, operation and maintenance processes. Yet these benefits cannot be realized without addressing the potential for network-induced security threats. This paper addresses challenges that emerge for network-enabled airplanes that use public key cryptography-based applications. In particular, we focus on the electronic distribution of airplane software and data. We present both an ad hoc approach, without trust chains between certificates, and a structured approach employing a PKI. Both approaches facilitate public key-enabled applications, and both levy operational requirements on airlines. We describe the integration of these requirements into existing airline ground infrastructure and processes, to minimize operating overhead. The presented work is based on ongoing collaborative efforts among Boeing, FAA and EASA, to identify needs of the airlines for operating and maintaining network-enabled airplanes.

Electronic distribution of airplane software and the impact of information security on airplane safety

The general trend towards ubiquitous networking has reached the realm of airplanes. E-enabled airplanes with wired and wireless network interfaces offer a wide spectrum of network applications, in particular electronic distribution of software (EDS), and onboard collection and off-board retrieval of airplane health reports. On the other hand, airplane safety may be heavily dependent on the security of data transported in these applications. The FAA mandates safety regulations and policies for the design and development of airplane software to ensure continued airworthiness. However, data networks have well known security vulnerabilities that can be exploited by attackers to corrupt and/or inhibit the transmission of airplane assets, i.e. software and airplane generated data. The aviation community has recognized the need to address these security threats. This paper explores the role of information security in emerging information technology (IT) infrastructure for distribution of safety-critical and business-critical airplane software and data. We present our threat analysis with related security objectives and state functional and assurance requirements necessary to achieve the objectives, in the spirit of the well-established Common Criteria (CC) for IT security evaluation. The investigation leverages our involvement with FAA standardization efforts. We present security properties of a generic system for electronic distribution of airplane software, and show how the presence of those security properties enhances airplane safety.

Challenges for IT Infrastructure Supporting Secure Network-Enabled Commercial Airplane Operations

[Abstract] The numerous benefits of enabling commercial airplanes to communicate over networks are only obtained at the price of introducing security threats to onboard systems. A primary threat arises from the opportunity for corruption of safety-critical and business-critical airplane loadable software distributed via networks from off-board systems. The FAA recognizes that the unprecedented use of such applications in networkenabled airplanes impacts well-established safety regulations and guidance. In this paper, we present a framework for securing airplane software distribution and overview the main challenges. For facilitating integration into existing certification guidelines for airplanes, we employ the Common Criteria standard based approach to security evaluation of IT infrastructure for airplane network applications. Additionally, we present some open problems in network-enabled airplane security.