Received July 15, 2018, accepted September 9, 2018, date of publication September 13, 2018, date of current version October 8, 2018. Digital Object Identifier 10.1109/ACCESS.2018.2869947

Hiding Contextual Information for Defending a Global Attacker

QIAN ZHOU, XIAOLIN QIN, AND XIAOJUN XIE

1 College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 210016, China
2 Jiangsu Key Laboratory of Internet of Things and Control Technology, Nanjing 211106, China

Corresponding author: Xiaolin Qin ([email protected])

This work was supported in part by the National Natural Science Foundation of China under Grant 61373015, Grant 61300052, and Grant 41301047, and in part by the State Key Laboratory Projects for Smart Grid Protection and Operation Control, Science and Technology Funds from National Electric Net Ltd.: The Research on Key Technologies of Distributed Parallel Database Storage and Processing based on Big Data.

ABSTRACT As wireless sensor networks (WSNs) are mostly deployed in harsh and hostile environments without human maintenance, it has become a severe challenge to offer security or privacy services, especially when facing a powerful attacker. To defend against a global attacker, dummy message injection methods are employed by every node in the WSN to enhance location privacy, which leads to significant overhead. Based on the random walk model, we propose a novel scheme, Chess-Board Alternation (CBA), which partitions the WSN into two sets that are active in an alternating fashion. We also prove CBA's outstanding performance, including delivery time, energy consumption, and privacy, theoretically and experimentally. In comparison with existing approaches, CBA can not only achieve perfect privacy but also decrease energy cost by 50% and the transmission latency from the source to the sink by more than 40%.

INDEX TERMS Wireless sensor network, global attacker, contextual information, location privacy, random walk, information privacy.

I. INTRODUCTION

Wireless sensor networks (WSNs) typically consist of a large number of small sensor nodes which are self-organized as an ad hoc network to monitor a certain area. Location privacy is an essential issue for applications such as wildlife habitat monitoring, security and military surveillance, and target tracking [1]–[3]. Classic content-based security, which refers to confidentiality, authentication, and integrity, has been utilized to protect sensitive information from unauthorized parties. However, the communication patterns alone can leak context-based [1], [2] information, which discloses critical location information in a sensor network. The challenge of location privacy preservation is that the transmission path from source to sink must remain untraceable even when the whole traffic in the WSN is analyzed. For instance, in a WSN for monitoring a hostile environment, as shown in Fig. 1, an electric sensor carried by an unmanned scout car transmits data through the WSN to the monitor center (sink). The first sensor that receives the signal of the monitoring asset, such as the unmanned scout car, is called the source node. To avoid being visually positioned by the attacker, sensors could be designed as tiny as a particle of dust [3].

VOLUME 6, 2018

FIGURE 1. Attacking by global traffic analysis based on contextual information.

Unfortunately, an attacker can still predict the entire network topology according to the sensors' transmission attributes, such as the received signal strength indication (RSSI) and the direction of the packets, the inter-packet time, the packet occurrence time, etc., to infer the source location. Moreover, attackers are classified as local or global according to their attacking capability [7]. Unlike a local attacker [4], [5], who can only eavesdrop within a certain range and back-trace the routing path until it reaches the source, a global attacker [2], [6], [8], who can make use of temporal context and the correlation between packets, learns the entire network traffic information. To analyze the entire network traffic, a global attacker need not be a single entity; it may combine networking resources (including many distributed observers, storage and computers). Carrying signal detection equipment, each observer (including sensors and communicating equipment) is able to detect the strength and direction of the transmitted signals and send the contextual information to a global attacker. As shown in Fig. 1, many mobile observers (malicious nodes) are distributed in the forest, eavesdropping on the WSN. By applying traffic analysis techniques to the information collected by these observers, the global attacker will infer the network topology and construct the process of event transmission according to the contextual information. Therefore, the source location privacy is under substantial threat, and we must protect its location privacy during data transmission, thereby avoiding economic or resource loss. As the attacker is invisible to the entire network, existing solutions can enhance privacy at the cost of a significant increase in energy consumption and delay. For a global attacker with topological routing information, it is easier to analyze the network traffic [8]. Although the STaR method [9] uses the intermediate node as bait, a global adversary can still easily pinpoint the source and sink, and its low performance in privacy will be shown by comparison in our experimental section.

2169-3536 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
When the privacy methods do not use dummy packets, such as the phantom routing [5], the global attacker can obviously pinpoint the location of the source node, based on the earliest transmission time of a phantom flooding. When a local attacker in [5] has a hearing range more than three times that of the sensors, the capture likelihood is as high as 97%. Clearly, if all the traffic in the network is real event messages, it is unlikely to achieve source privacy under such a strong attack model. Therefore, we use network-wide dummy messages to achieve global privacy. The most intuitive method for perfect privacy protection is to make each node send packets at a constant rate, regardless of whether the packet is a dummy or real [8]. The attendant problem is that it is infeasible to send packets at a constant rate in real applications: a high rate causes a high energy cost, whereas a low rate leads to heavy latency. Polling solutions, such as the minimum connected dominating sets (MCDS) method [10], seem to achieve perfect privacy by confusing the adversary, with less energy cost after the selection of sensor nodes for the polling sets. Unfortunately, since the computation of a single MCDS is a typical NP-complete problem [11], once the network topology changes, reconstruction and reorganization will lead to a costly update. Moreover, if no active sensors are nearby when the event happens, it will cause serious delay of packets to the sink.

Therefore, network connectivity is also an important topic in WSN [3], [13]. Generally, the network is assumed to be dense when the security routing is applied, namely, the relay node is always on the path. However, as wildlife reserves cover a large area, dense deployment of sensors would cause excessive redundancy and an increased budget, while sparse deployment leads to more serious problems such as terrible link quality. In order to avoid the complexity of network initialization, the network is deployed offline and divided into a grid in [14], which makes the attacker unable to identify which cell the source belongs to. Meanwhile, a global adversarial model based on general traffic analysis techniques is employed, similar to the one assumed in [8], [10], and [13], which is used as a baseline for comparing different methods of privacy preservation. This method employs contextual information such as the time and location of packets captured by multiple eavesdroppers to carry out the global attack.

Compared to the early version of this work [14], in which the source location is fixed, this version presents a new scheme, chessboard alternation (CBA), for more complex environments in WSN. CBA can not only be employed for the scenario of monitoring mobile objectives, but also improve the flexibility of the network based on the random walk mathematical model [15], [16]. Additionally, it demonstrates the superior performance of our scheme by comparing it to existing approaches in regard to privacy and cost.

The remainder of this paper is organized as follows. Section II is a detailed description of the network, and the attack and energy model are introduced in detail. Our mechanisms are proposed in Section III, including the design ideas and implementation. Section IV presents the experimental results and a performance evaluation. In Section V, we conclude our work and propose future work. In Section VI, we elaborate on the related technologies and work.

II. PROBLEM DESCRIPTION

A. NETWORK MODEL

In a homogeneous wireless sensor network, there are $W$ nodes, and each sensor has the same computing and storage capacity. Node $V_i$, where $1 \le i \le W$, knows its own location $V(x_i, y_i)$ as well as the sink's. The communication range of sensors is $\gamma$. All sensors are deployed in a free plane space, and the distance between sensors is the Euclidean distance. If there are only a few neighbors in a sparse network, it is easier for an attacker to precisely locate the sender near him. Therefore, the nodes of the network in our study are densely connected, which means the attacker cannot visually infer the topology geographically by locating the existence of sensors with a global camera view. From the view of the external attacker, the format and size of each packet $\dot{P}$ is the same. The content is encrypted based on elliptic curve, and can only be decrypted by the sink. Each sensor node's identity information is encrypted to prevent an attacker from revealing the content of the packets; therefore he cannot distinguish between true packets and pseudo ones. The packets are associated with a hash digest $H(\dot{P})$, for every receiver to filter the dummy packets.

TABLE 1. Important symbols in this paper.

FIGURE 2. Grid distribution.

In our study, the network is further divided into cells by $m$ rows and $n$ columns, with at least one sensor node in each grid. Each node is labeled as $N_{ID}(c, r)$, where $ID$ is the node's identifier and $(c, r)$ indicates that node $N_{ID}$ is located in the grid of the $r$th row and the $c$th column; $r$ and $c$ are integers, $0 < r < m$, $0 < c < n$, and $(m, n)$ are the numbers of cells measuring the length and width. All data will be encrypted, and it is assumed that an attacker does not know it. Fig. 2 shows the distribution of sensor nodes in the network, where $V_1$ and $V_2$ denote $N_{V_1}(4, 4)$ and $N_{V_2}(4, 4)$, respectively. Owing to the broadcasting characteristic of wireless sensors, a sensor can communicate with all the neighboring nodes in each of the nearest grids within the communication range. In addition, there is at least one node in each neighboring grid which can receive the packet, as shown in Fig. 2. In the same grid, there may be multiple nodes, so every node is identified by its own ID. The period of the network is $\Delta$; namely, at the end of each $\Delta$, no more than one packet is sent. Table 1 lists some important symbols in this paper.

B. ATTACK MODEL

The features of the attacker in this article are described as follows:

(1) As a passive and external listener, he will not make any substantial change to the network's function. In other words, he cannot control or destroy any sensor nodes.

(2) An attacker well-equipped with instruments such as a spectrum analyzer determines the location of the sender according to the transmission angle and signal strength of the received data, then moves directly to it.

(3) A global attacker cannot visually find the existence of sensors, but he knows all traffic in the network. From the contextual traffic information, he can infer the location of the data source and the sink node. How does he know all the data transmitted over such a large area? One method is taking advantage of multiple observers.

(4) With infinite computing and power resources, the attacker, like a command center, can deduce the source location by analyzing the global network traffic information observed and uploaded by each eavesdropper through the whole WSN. Each observer can detect the signals sent by the sensors nearby, and the adversarial eavesdropper range can be heterogeneous, which means they are not necessarily unit-disk. For instance, the observing area as shown in Fig. 3 can be oval or irregular in shape.

FIGURE 3. Heterogeneous Eavesdroppers intercepting packets globally.

Specifically, according to the packet rate of the global network, and the spatial and temporal correlation between packets, the attacker can infer the location of the data source and the destination node, revealing the location of the monitoring asset. Each observer $\alpha_i \in A$ intercepts the packet $O_{\alpha_i}(H(\dot{P}), t(\dot{P}), \xi(\alpha_i))$ at time $t$, where $\xi(\alpha_i)$ is the area that an attacker observes. Generally, once the signal is intercepted, the attacker can determine the approximate location $\ell(V_i)$ of the sender and the grid location $V_i(r, c)$ where the sender belongs, according to the receiving antenna angle and the strength of the signal. Once the location of the target of interest is confirmed, the attacker moves to the location to check whether it is true. If it is, the attacker will capture the target successfully; otherwise he continues to observe and analyze the traffic pattern of the entire network.

Before an attacker carries out traffic analysis, it is necessary to pre-process the data provided by different observers. At time $t$, there are some repeated packets intercepted by observers; as shown in Fig. 3, both $\alpha_1$ and $\alpha_2$ intercept the packets from $V_2$, $O_{\alpha_1}(H(\dot{P}_i), t(\dot{P}_i), \xi(\alpha_1))$ and $O_{\alpha_2}(H(\dot{P}_j), t(\dot{P}_j), \xi(\alpha_2))$, respectively. According to the observer's eavesdropping range $\xi(\alpha)$, the RSSI (Received Signal Strength Indicator) and the receiving direction, the attacker can infer the location of the packet: $\ell(\dot{P}_i(\alpha_1)) = \ell(\dot{P}_j(\alpha_2)) = V_2(r, c)$, and $t(\dot{P}_i(\alpha_1)) = t(\dot{P}_j(\alpha_2))$. Thus, $\dot{P}_i(\alpha_1) = \dot{P}_j(\alpha_2)$, indicating that the observers $\alpha_1$ and $\alpha_2$ intercept the same packet from $V_2$, and the redundant packets are removed. In this scenario, $\alpha_1$ can distinguish $V_2$ from $V_5$, because $V_2$ and $V_5$ are not within a cell, and $\alpha_2$ cannot distinguish $V_2$ from $V_6$, for $\ell(V_2) = \ell(V_6)$.

Then, the attacker sorts these non-repeated packets by the intercept time. If the condition meets the requirement of formula (1), the received packets belong to the same event $\hat{E}_k$:

$$D_{min} < t(\dot{P}_{i+1}) - t(\dot{P}_i) < D_{max} \tag{1}$$

Thresholds $D_{max}$ and $D_{min}$ reflect bounds on the minimum and maximum delays for relaying packets from rough location $\ell(u)$ to $\ell(v)$. The bounds are calculated as a function of the minimum and maximum distance between two areas measured in hops and the per-hop relay delay, as shown in Formula (2) and Formula (3), where $\gamma$ is the sensor communication radius and $delay$ is an estimate of the packet transmission delay between two hops. The lower and upper thresholds prevent false labels for packets recorded at distant parts of the WSN, due to event concurrence. These two bounds are defined as:

$$D_{min} = \left( \frac{d_{min}(\ell(u) - \ell(v))}{\gamma} \right) delay \tag{2}$$

$$D_{max} = \left( \frac{d_{max}(\ell(u) - \ell(v))}{\gamma} \right) delay \tag{3}$$

If the intercept interval $D$ of two consecutive packets $\dot{P}_i$ and $\dot{P}_{i+1}$, where $D = t(\dot{P}_{i+1}) - t(\dot{P}_i)$, is within a normal packet delay range from $\ell(V_i)$ to $\ell(V_{i+1})$, these two packets are associated with the same event $\hat{E}_k$, labeled as $O(H(\dot{P}_i), t(\dot{P}_i), \ell(V_i), \hat{E}_k)$ and $O(H(\dot{P}_{i+1}), t(\dot{P}_{i+1}), \ell(V_{i+1}), \hat{E}_k)$, respectively. Otherwise, they are labeled as $O(H(\dot{P}_i), t(\dot{P}_i), \ell(V_i), \hat{E}_k)$ and $O(H(\dot{P}_{i+1}), t(\dot{P}_{i+1}), \ell(V_{i+1}), \hat{E}_{k+1})$, which are associated with two different events. For the same event $\hat{E}$, to which $\dot{P}_i$ belongs, packets with their location tags are arranged in chronological order according to the time correlation. The sender whose packet is captured at the minimum time $\min\{t(\dot{P}_i), \dot{P}_i \in \hat{E}_k\}$ is estimated to be the source node with the location of $\dot{P}^*.\ell(V)$. As multiple events that happened in the same physical locations of source sensors are delivered to the sink, the source locations $L_{source}$ will be repeatedly verified by the deduced results. The detailed process is shown as Algorithm 1.

Algorithm 1 Traffic Analysis Process by a Global Attacker
Input: $O_{\alpha_i}(H(\dot{P}_i), t(\dot{P}_i), \xi(\alpha_i))$;
Output: Source location: $L_{source}$;
  Compute $\ell(V_i)(\xi(\alpha_i), direction(\dot{P}_i), RSSI(\dot{P}_i))$;
  Elimination of redundancies($O_{\alpha_i}(H(\dot{P}_i), t(\dot{P}_i), \ell(V_i))$);
  if $D_{min} < t(\dot{P}_{i+1}) - t(\dot{P}_i) < D_{max}$ then
    Label $O(H(\dot{P}_i), t(\dot{P}_i), \ell(V_i), \hat{E}_k)$;
    Label $O(H(\dot{P}_{i+1}), t(\dot{P}_{i+1}), \ell(V_{i+1}), \hat{E}_k)$;
  else
    Label $O(H(\dot{P}_i), t(\dot{P}_i), \ell(V_i), \hat{E}_k)$;
    Label $O(H(\dot{P}_{i+1}), t(\dot{P}_{i+1}), \ell(V_{i+1}), \hat{E}_{k+1})$;
  end if
  for each event $\hat{E}_k$ do
    $\dot{P}^* = \arg\min\{t(\dot{P}_i), \dot{P}_i \in \hat{E}_k\}$;
    $L_{source}$.add($\dot{P}^*.\ell(V)$);
  end for
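The event grouping of Algorithm 1 can be used to measure how much a given traffic pattern tells this attacker model. The Python below is an added example, not code from the paper; the unit-cell geometry, the one-diagonal slack used for $d_{min}$ and $d_{max}$, the per-hop delay and both traces are constructed assumptions. It compares a relayed packet stream without dummy traffic against the constant-rate pattern described in the introduction.

```python
import math
from collections import namedtuple

# One intercepted transmission: time t(P), inferred cell l(V), reporting observer.
Obs = namedtuple("Obs", "t cell observer")

GAMMA = 1.0            # assumed communication radius, in cell widths
DELAY = 1.0            # assumed per-hop relay delay, in periods
SLACK = math.sqrt(2)   # assumed location uncertainty: one cell diagonal


def delay_bounds(u, v):
    """D_min and D_max of formulas (2) and (3) for rough locations u and v."""
    d = math.dist(u, v)
    return (max(0.0, d - SLACK) / GAMMA * DELAY, (d + SLACK) / GAMMA * DELAY)


def remove_redundant(observations):
    """Keep one record per (cell, time): several observers heard the same packet."""
    unique = {}
    for o in sorted(observations, key=lambda o: (o.t, o.cell)):
        unique.setdefault((o.cell, o.t), o)
    return list(unique.values())


def group_events(observations):
    """Give consecutive packets the same event label while formula (1) holds."""
    events = []
    for pkt in remove_redundant(observations):
        if events:
            prev = events[-1][-1]
            lo, hi = delay_bounds(prev.cell, pkt.cell)
            if lo < pkt.t - prev.t < hi:
                events[-1].append(pkt)
                continue
        events.append([pkt])
    return events


def source_candidates(observations):
    """Cell of the earliest packet of every event (L_source in Algorithm 1)."""
    return [min(ev, key=lambda p: p.t).cell for ev in group_events(observations)]


def relay_trace(path, start, observers=("a1",)):
    """Constructed trace: one real packet relayed hop by hop, no dummy traffic."""
    return [Obs(start + hop, cell, a)
            for hop, cell in enumerate(path) for a in observers]


def constant_rate_trace(size, periods):
    """Constructed trace: every cell of a size x size grid sends once per period."""
    cells = [(c, r) for c in range(size) for r in range(size)]
    return [Obs(float(k), cell, "a1")
            for k in range(1, periods + 1) for cell in cells]


PATH = [(0, 0), (0, 1), (0, 2), (1, 2), (2, 2)]   # constructed route, 3 x 3 grid
UNPROTECTED = relay_trace(PATH, 1.0, ("a1", "a2")) + relay_trace(PATH, 20.0)
PROTECTED = constant_rate_trace(3, 3)

if __name__ == "__main__":
    print("unprotected:", source_candidates(UNPROTECTED))
    print("constant rate:", len(set(source_candidates(PROTECTED))), "candidate cells")
```

With the unprotected trace both events resolve to the same cell, while under constant-rate traffic every cell appears as a candidate, so the grouping gives no preference to any location.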

C. PRIVACY MODEL

For a location privacy preserving scheme, the degree of privacy can be achieved in terms of information entropy to measure [8], and the privacy criteria is defined as follows:

Definition 1 (Privacy Criteria): let  ∈ $R^n$ be the privacy information of interest, and $\ddot{O}$ be the information deduced by the attacker, $\ddot{O} \in R^n$. The probability of the source node in $\ddot{O}$ can be estimated as $P(\ddot{O})$·||/$|\ddot{O}|$, where $|\ddot{O}|$ is the number of the source predicted, and $P(\ddot{O})$ is for the capturing probability of a source node in the area of $\ddot{O}$. Here we formally define the privacy criteria to measure the level of privacy.

O ¨ || 1 X 1 1 2= − log2 = · log2 ¨ ¨ ¨ ¨ || P(O) |O| |O| P(O) ¨

(4)

|O|

Intuitively, the denser the sensor distribution is, the higher the degree of privacy will be, because when there are more nodes in a dense sensor network, the attacker can infer more suspicious source nodes $\ddot{O}$. Thus, the value of $|\ddot{O}|$/|| will become bigger as the number of real source nodes || is fixed. In addition, assuming that the probability of events occurring near a node is the same, privacy is inversely proportional to the source capturing probability $P(\ddot{O})$; namely, if $P(\ddot{O})$ is smaller, the privacy is higher. Therefore, the higher the value of privacy criteria $\Theta$, the better privacy the network has.

As for the same number of nodes with different spatial distributions covering the same area of square space, the nodes in Fig. 4(a) are deployed randomly in the field, while Fig. 4(b) shows the grid distribution of nodes, where the distance between the nodes is equal. Suppose there are two sensor nodes which would be captured as the source node in a squared field. As shown in Fig. 4, the blue area is one node's sensor area with the size of $S_{(blue)}$, and the remaining red area is another sensor's with the size of $S_{(red)}$, thus,

$$P(\ddot{O}) = \frac{1}{S_{(blue)}} + \frac{1}{S_{(red)}} = \frac{S_{(blue)} + S_{(red)}}{S_{(blue)} \cdot S_{(red)}} \tag{5}$$

FIGURE 4. Node distribution in each grid.

$P(\ddot{O})$ of the grid distribution in Fig.(a) is more than that of the random distribution. Because $S_{(blue)} + S_{(red)}$ is the given squared area $S$, $S_{(blue)} \cdot S_{(red)} = S_{(blue)} \cdot (S - S_{(blue)})$, and only when $S_{(blue)}$ approaches $S/2$ is the value of $S_{(blue)} \cdot S_{(red)}$ maximized. Therefore, in a fixed space, with the given number of sensor nodes, $P(\ddot{O})$ of the uniform distribution is at a minimum. We note that the capturing rate of the source node in any dimension space is a direct measure of privacy. For example: , $\Theta \in R^2$, then the measure for the location privacy and the deployment of sensors are in two-dimensional space. Some corresponding parameters to define $\Theta$ can be set according to specific applications. In this article, we choose the communication range of the sensor to standardize.

D. ENERGY MODEL

Although there is a great variety of wireless sensors, most of them rely on battery power, and the natural environments where sensors are generally deployed, such as forests, battlefields or mines, are harsh with few people living there. It is not convenient to replace the battery, so how to maximize the use of limited energy is quite a challenge. As shown in Fig. 5, the nodes in a WSN have two possible steady states, sleeping and active. The active state also includes two transient states: idling and working. For the working state, there are two transient states, namely, sending and receiving. Hence, the total energy consumption $E_{all}$ in a network is the sum of the energy consumption of idling $E_{idle}$, sleeping cost $E_{sleep}$ and working energy $E_{work}$:

$$E_{all} = E_{active} + E_{sleep} \tag{6}$$

$$E_{active} = E_{idle} + E_{work} \tag{7}$$

$$E_{work} = E_{send} + E_{receive} \tag{8}$$

FIGURE 5. Possible states of a sensor node in WSN.

The research has shown that for wireless sensors, the energy cost of executing 3 million general program instructions is equivalent to transmitting data over a distance of 100 meters [17]. Thereby the energy is mainly consumed by the data transmission, which is related to the power of the sensor electronic components and increases with the distance of transmission:

$$E_{send}(V_i, V_j) = a + \xi_{amp} \cdot d^{\chi} \tag{9}$$

$$E_{receive}(V_j) = b \tag{10}$$

$E_{send}(V_i, V_j)$ indicates the energy required to transmit 1 bit of data from $V_i$ to $V_j$, and $E_{receive}(V_j)$ represents the energy used to receive 1 bit of data. Here $d$ denotes the distance between $V_i$ and $V_j$, $\chi$ is the path loss exponent, $a$ and $b$ are the energy consumption of the electronic power of communication, and $\xi_{amp}$ indicates the energy radiated by the power amplifier. When the given amount of data is sent, for the fixed routing algorithm, the energy relates to the distance between nodes. Obviously, the shorter the path is, the less energy will be consumed.

III. OUR SOLUTION

In this section, we propose a method for resisting the traffic analysis of the global attacker for source location privacy. The method proposed in this paper applies to both static and mobile objects. At the end of the scheme, we analyze the privacy and network overhead.

A. CHESS BOARD ALTERNATION

Definition 2: There are five possible states defined by an enum. SLEEP and ACTIVE are steady states, while SEND and RECEIVE are transient. IDLE is also a transient state for listening to receive possible signal that has not been sent.

enum {
    INIT = 0,
    SLEEP = FSM_Steady.(1),
    ACTIVE = FSM_Steady.(2),
    SEND = FSM_Transient.(1),
    RECEIVE = FSM_Transient.(2),
    IDLE = FSM_Transient.(3),
};

All the sleep nodes are labeled as set dark, while all the active nodes are labeled as set light. All sensors in dark area work in silent mode, and those in light grid are in active mode, as shown in Fig. 6.

FIGURE 6. Chess-board alternation scheme.

The network is divided into cells according to the network model in Section 2. For an arbitrary node $N(ID, (c, r))$, we have sets $\Pi$ and $\ddot{\Pi}$ which operate active in an alternating fashion. The collection here is redefined as:

$$\Pi = \{N \mid 0 \equiv (r + c) \pmod 2\} \tag{11}$$

$$\ddot{\Pi} = \{N \mid 1 \equiv (r + c) \pmod 2\} \tag{12}$$

where $0 < r \le m$, $0 < c \le n$. Only the source node knows its own location $N_{source}(r_{source}, c_{source})$, and each sensor node knows the location of the sink $S(c_s, r_s)$. Let an epoch $\tilde{T} = \mu\Delta$, where $\mu$ is an integer greater than 1. We partition the WSN to $\Pi$ and $\ddot{\Pi}$ that remain active in an alternating fashion. Let $k$ be an integer and $k \in [0, +\infty]$, in the interval $(2k\tilde{T}, (2k + 1)\tilde{T})$, let the nodes in set $\Pi$ remain the active state, marked as light, and the nodes in set $\ddot{\Pi}$ remain the sleep state, marked as dark. In the time interval $((2k + 1)\tilde{T}, (2k + 2)\tilde{T})$, let $\Pi$ be dark and $\ddot{\Pi}$ be light. To hide the location of the real sender, all the sensor nodes in the light state send a packet periodically at the end of each $\Delta$. If no real packet is in memory, then a dummy packet is sent, and the dummy packet will be discarded by the receiver. The same traffic pattern confuses the attacker, thus preventing him from distinguishing where an event has occurred. The ID of a node can only be decrypted by the sink, and the node is denoted $N(c, r)$.

FIGURE 7. Epoch changes during packet delivery.

When in an epoch, as shown in Fig. 7, the source node is light, and the current node is neither in the same column nor in the same row as the next hop. In order to guarantee that the next-hop node for a real packet's delivery is active and the real path length from source to sink is the shortest, the concept of simple random walk is introduced here, which is defined as follows:

Definition 3 (Simple Random Walk): Let $n > 0$ and $X$, $Y$ be integers. A path $\{S_0, S_1, \ldots, S_n\}$ from $(0, 0)$ to $(X_n, Y_n)$ is a polygonal line whose vertices are $(0, S_0), (1, S_1), \ldots, (X_n, S_n)$, where $X_n = n$, $S_0 = 0$, $S_n = Y_n$ and $S_k - S_{k-1} = \varepsilon_k = \pm 1$ $(k = 1, 2, \ldots, n)$. When the following conditions are satisfied: Let $Z, Z_1, Z_2, \ldots, Z_n$ be independent identically distributed, with
• $P\{Z = 1\} + P\{Z = -1\} = 1$,
• $S_0 := 0$,
• $S_n := Z_1 + Z_2 + \ldots + Z_n$ $(n \ge 1)$
Then $\{S_0, S_1, \ldots, S_n\}$ is a simple random walk on the integers.

CBA has two cases in the delivery rules of real packets. First, when in an epoch, real packets are transmitted according to the simple random walk as described above. In the second case, the epoch is changing during the transmission of real packets, meaning the time when a real packet has been sent but has not been received by the next hop, as shown in Fig. 7. Let the source node be the coordinate origin $N_{source}(0, 0)$. As defined above, an epoch $\tilde{T} = \mu\Delta$, where $\mu$ is an integer greater than 1, and a packet is sent at the end of each $\Delta$, so there is at most one epoch change during a one-hop transmission time. The packet travels one cell in the same row with the path $(0, Y_0), (1, Y_1), \ldots, (X_i, Y_i), (X_{i+1}, Y_i), \ldots, (X_n, Y_n)$, where $0 < i < n$. Therefore, the path length is not related to epoch occurring; no matter where the sink is, packets are reachable to the sink. The shortest path $h$ is the coordinate difference between the source and the sink: if $r_s \ge c_s$, $h = |r_s - r_{source}|$, and if $r_s < c_s$, $h = |c_s - c_{source}|$. The reachability and the shortest path length of CBA are proved by the following proposition.

Proposition 1: Packets starting from the source node $N_{source}(0, 0)$, with a simple random walk in the network, can always reach the sink with the shortest path $X$, where the sink is $S(X, Y)$, $X \ge Y > 0$.

Proof: Assuming that a random walk by definition goes from the source node to $(\bar{X}, \bar{Y})$, let $p$ be the number of $\varepsilon_k = +1$, and $q$ be the number of $\varepsilon_k = -1$, such that $\bar{X} = p + q$ and $\bar{Y} = p - q$; then there is a path consisting of $p$ consecutive upwards steps and $q$ consecutive downwards steps which will start at $(0, 0)$ and end at $(\bar{X}, \bar{Y})$, and then $p = (\bar{X} + \bar{Y})/2$, $q = (\bar{X} - \bar{Y})/2$. The sink's location is $(X, Y)$, where $X \ge Y > 0$. If both $X$ and $Y$ are even or odd, then $(X + Y)$ and $(X - Y)$ are both even; as defined above, we obtain $\bar{X} = X$ and $\bar{Y} = Y$, namely there is a path from the source to the sink after $X$ simple random walk steps. If one of $X$ and $Y$ is even and the other is odd, we have $\bar{X} = X - 1$ and $\bar{Y} = Y$, such that both $(\bar{X} + \bar{Y})$ and $(\bar{X} - \bar{Y})$ are even. After $X - 1$ steps of random walk the path arrives at $(X - 1, Y)$. According to the characteristics of sensor communication, only one hop is needed from $(X - 1, Y)$ to the sink $(X, Y)$, so we can see that after $X - 1 + 1 = X$ hops the packet arrives at the sink. In addition, this is the shortest path to the sink: if by random walk we reach other neighbors of the sink such as $(X, Y - 1)$, it needs $X + 1$ steps to reach the sink.

Compared with SP (shortest path) routing used in CBA, simple random walk can not only achieve the shortest path length, but also avoid overwhelming overhead for initialization, because when an epoch changes, SP routing needs to apply flooding to update the whole network. Moreover, in the same epoch, there are different paths to the sink, which allows the routing protocol to enhance the robustness of the network.

Proposition 2: A packet $\dot{P}$ has a simple random walk in the network from $(0, 0)$ to sink $(X, Y)$, so the number of the transmission paths is given by:

$$N_{X,Y} = \begin{cases} \dbinom{X}{p} & \text{if } X = p + q \text{ and } Y = p - q \\ \dbinom{X - 1}{p} & \text{if } X - 1 = p + q \text{ and } Y = p - q \end{cases} \tag{13}$$

Proof: We saw above that there is a path from $(0, 0)$ to $(X, Y)$ if and only if there exist non-negative integers $p$, $q$ such that $X = p + q$ and $Y = p - q$, where both $X$ and $Y$ are even or odd. Of the $X$ steps, choose the $p$ for which $\varepsilon_k = +1$ and, for the remaining steps, put $\varepsilon_k = -1$. This describes the totality of such paths; thus the number of paths is $\binom{p+q}{p} = \binom{X}{p}$. If one of $X$ and $Y$ is even and the other is odd, the last step is $(X - 1, Y)$ before reaching the sink. Of the $X - 1$ steps, choose the $p$ for which $\varepsilon_k = +1$ and, for the remaining steps, put $\varepsilon_k = -1$. This describes the totality of such paths; thus the number of paths is $\binom{X-1}{p}$. Thus, the number of paths from $(0, 0)$ to $(X, Y)$ is given by $N_{X,Y}$.

So, during the process of packet delivery, namely from the source to the sink, the epoch changes at most once, when a packet travels in parallel from one node $(X_i, Y_i)$ to the next hop $(X_{i+1}, Y_i)$ along the sink direction. The other hops are chosen in a random walk manner; as we can see, there are $N_{X_i,Y_i} + N_{(X - X_{i+1}),(Y - Y_i)}$ paths in total.

B. PRIVACY ANALYSIS

According to Kerckhoffs' principle, the attacker knows exactly how the network is classified and the alternative scheme. Suppose that there is an event $\hat{E}(\dot{P})$ happening at time $t'$. If $N_{source}(r_{source}, c_{source})$ is at light epoch, it will send a real packet $\dot{P}$ instead of dummy packets at $t(\dot{P})$, where $t(\dot{P}) = t'$, while if $N_{source}$ is dark at time $t'$, $\hat{E}(\dot{P})$ will be sent in the next epoch, where $t(\dot{P}) \neq t'$. According to the attack model in algorithm 1, the attacker cannot infer which set the source node belongs to. It is impossible to determine in which epoch the source node sends $\dot{P}$. Therefore, since the global attacker cannot classify $\dot{P}$ into a valid event $\hat{E}$, the location of $\hat{E}(\dot{P})$ at $t(\dot{P})$ is protected.

For instance, an event is sent from $V_1$ and $V_4$. Obviously, an unprotected technique, such as SP (Shortest Path) in Fig. 8(a), will be attacked easily, because $t(\dot{P}_2) - t(\dot{P}_1)$ satisfies formula (1), from which the attacker can know that $\dot{P}_1$ and $\dot{P}_2$ are the same event $\hat{E}$. Similarly, all the packets in WSN belong to the same event with the knowledge by $\alpha_2$, $\alpha_3$ and $\alpha_4$. Thus, the place where the very earliest packet is sent is the source location $V_1$.

For the location privacy of $V_1$, CBA is employed in a 3 × 3 network as shown in Fig. 8(b), where the nodes in the dark area are in sleep mode and those in the light area are active. Each node needs to send 3 packets in all before the event (real packet) is received by $V_4$. There is a global attacker who has four eavesdroppers distributed in WSN. According to the attack model in section 2, there are three steps the eavesdroppers will do. Firstly, he labels the packets intercepted in WSN. $\alpha_1$ intercepts the packets from $V_1$ and $V_2$, labeled as $O_{\alpha 1}$ and $O_{\alpha 2}$ respectively. And then $\ell(V)$ is computed with the information of $\xi(\alpha)$, $direction(\dot{P})$, $RRSI(\dot{P})$. Because $t(\dot{P}_1) = t(\dot{P}_4) < t(\dot{P}_2) = t(\dot{P}_5) < t(\dot{P}_3) = t(\dot{P}_6)$, and $t(\dot{P}_2) - t(\dot{P}_1)$ or $t(\dot{P}_6) - t(\dot{P}_3)$ does not satisfy formula (1), there is no time correlation between packets in CBA. Similarly, $\alpha_2$, $\alpha_3$ and $\alpha_4$ also cannot classify the packets they intercepted into a valid event $\hat{E}$ based on the time correlation. Therefore, the location of source $V_1$ is protected.

FIGURE 8. Privacy analysis when traffic analysis technique is used in a 3 × 3 network. (a) Shortest Path routing. (b) CBA scheme.

TABLE 2. Packets intercepted by an eavesdropper $\alpha_1$.

C. ENERGY ANALYSIS

Communication costs most energy in the network, as we have discussed in the energy model. A smaller number of active sensors results in less communication overhead because less communication occurs. The nodes in WSN are partitioned into two sets which remain active in an alternating fashion. Therefore, CBA can save about 50% of energy for the reason that only half of the nodes are active at any time, compared with the global traffic normalization approach (GN), which employs all nodes in WSN to send dummy packets. This conclusion is proved as follows:

$$\frac{E_{CBA}}{E_{GN}} = \frac{E_{active} + E_{sleep}}{E'_{active} + E'_{sleep}} \tag{14}$$

where $E_{active}$ and $E_{sleep}$ are for the energy cost of active and sleeping states in CBA, and $E'_{active}$ and $E'_{sleep}$ are for active and sleeping states in GN. Because there is no sleep mechanism employed in GN, the energy consumption in sleeping state is zero, namely $E'_{sleep} = 0$. Suppose that for GN and CBA, the nodes in the whole network use the same data transmission rate, and the same running time $T_{all}$. Due to the formula $E = I \cdot V \cdot T_{all}$, where $I$ represents current draw and $V$ is for voltage, every sensor in CBA and GN has the same $I$ and $V$, and the duty cycle of the whole network in CBA is 50%, which is half of GN. Therefore, $2E_{active} = E'_{active}$, thus:

$$\frac{E_{CBA}}{E_{GN}} = \frac{E_{active} + E_{sleep}}{E'_{active}} = \frac{E_{active} + E_{sleep}}{2E_{active}} = \frac{1}{2} + \frac{E_{sleep}}{2E_{active}} \tag{15}$$

And

$$\frac{E_{sleep}}{E_{active}} = \frac{E_{sleep}}{E_{idle} + E_{work}} \tag{16}$$

Every node has the same voltage, so

$$\frac{E_{sleep}}{E_{active}} = \frac{I_{sleep} T_{sleep}}{I_{idle} T_{idle} + I_{work} T_{work}} \tag{17}$$

Duty cycle is $50\% \cdot T_{all}$, so $T_{sleep} = T_{active} = \frac{1}{2} T_{all}$. As in a normal sensor platform such as TelosB [18], $I_{idle} < I_{work}$, thus,

$$\frac{E_{sleep}}{E_{active}} < \frac{I_{sleep} T_{sleep}}{I_{idle} (T_{idle} + T_{work})} = \frac{I_{sleep} T_{sleep}}{I_{idle} T_{active}} = \frac{I_{sleep}}{I_{idle}} = \frac{5.1\,\mu\text{A}}{1.8\,\text{mA} + 1\,\mu\text{A}} \approx 0.0028 \tag{18}$$

We obtain:

$$\frac{E_{sleep}}{E_{active}} \approx 0 \tag{19}$$

Hence,

$$\frac{E_{CBA}}{E_{GN}} = \frac{1}{2} + \frac{E_{sleep}}{2E_{active}} \approx \frac{1}{2} = 50\% \tag{20}$$

Thus, we proved that CBA saves energy as much as 50% compared with that of GN.

D. LATENCY ANALYSIS

At the end of each $\Delta$ every light sensor will send a packet, true or false. Once a real packet arrives, it will be sent in priority instead of dummy packets. Suppose that starting from the source node, a real packet is transmitted to the sink by $h$ hops. The latency of delivery is related to path length, the size of the package, the quality of wireless communications and $\Delta$. Larger $\Delta$ leads to less communication, but more latency. However, $\Delta$ could be set appropriately according to the specific application. The transmission process of a packet is illustrated in Fig. 9. In the worst case, as shown in Fig. 9(a), the packet arrives at the next hop while a packet is being delivered, so the packet has to wait until the next $\Delta$. Since the path length is $h$, the latency after $h$ hops is $h \cdot \Delta$; if the epoch changes during the transmission, another epoch $\tilde{T}$ is needed, so the worst latency is $h \cdot \Delta + \tilde{T} = \Delta \cdot (\mu + h)$ from the source to the sink. The best case is that the real packet is delivered immediately after it arrives at the next hop, as shown in Fig. 9(b). The average latency will be discussed below.

FIGURE 9. The worst and best latency. (a) The worst case. (b) The best case.

In fact, the network synchronization clock drift will also lead to latency, which is beyond the scope of this article. Assuming that the clock drift is less than $\Delta$, the snapshot is illustrated in Fig. 10(a). It is equivalent to the case that a packet is sent at an arbitrary time within each $\Delta$, as shown in Fig. 10(b), and each transmission is independent.

FIGURE 10. Average latency. (a) Snapshot during $\Delta$. (b) Random time during $\Delta$.

Proposition 3: When one packet is sent in each interval $\Delta$, the average delay is $0.58 \cdot h \cdot \Delta$.

Proof: As shown in the snapshots of Fig. 10, a packet, starting from $V_1$, goes through $b$ hops, and the delivery time of each hop is $t_1, t_2, \ldots, t_b$. After $\Delta$, the average hops that a packet passes starting from $V_1$ is $\ddot{U}$. The value of $\ddot{U}$ is dependent on the sequence of $t_1, t_2, \ldots, t_b$, under $b!$ combinations with equal probability; this is because the clock offset of each node within each $\Delta$ is random and independent. Thus, only if $t_1, t_2, \ldots, t_b$, the probability of the random variable that a packet travels $b$ hops during $\Delta$ is as follows:

$$P(\ddot{U} = b) = \frac{1}{b!}. \tag{21}$$

In the same way, satisfying $t_1, t_2, \ldots, t_b$, the probability of the random variable that a packet travels $b - 1$ hops during $\Delta$ is as follows:

$$P(\ddot{U} = b - 1) = \frac{1}{b!}\left(\frac{b!}{(b-1)!} - 1\right). \tag{22}$$

For an arbitrary number of hops $\beta \le b - 1$, we obtain:

$$P(\ddot{U} = \beta) = \frac{1}{b!}\left(\frac{b!}{\beta!} - \frac{b!}{(\beta+1)!}\right) = \frac{\beta}{(\beta+1)!}. \tag{23}$$

Thus, the expectation of $\ddot{U}$ is computed:

$$E(\ddot{U}) = \frac{b}{b!} + \sum_{\beta=1}^{b-1} \frac{\beta^2}{(\beta+1)!} = \frac{1}{(b-1)!} + \sum_{\beta=1}^{b-1} \frac{\beta^2}{(\beta+1)!}. \tag{24}$$

Because $\frac{1}{(b-1)!}$ and $\sum_{\beta=1}^{b-1} \frac{\beta^2}{(\beta+1)!}$ are converging series, $E(\ddot{U})$ is converging. For all $b \ge 1$, the convergence value of $E(\ddot{U})$ computed through numerical analysis is 1.7183. In conclusion, in the time of $\Delta$, the average hops that a packet travels from $V_1$ is 1.7183. Thus, after $h$ hops the average latency is

$$\tau = \frac{h \cdot \Delta}{E(\ddot{U})} = 0.58 \cdot h \cdot \Delta. \tag{25}$$
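The hop distribution and expectation used in the proof of Proposition 3 can be checked numerically. The Python below is an added example, not code from the paper: it evaluates equations (21), (23) and (24) exactly and compares them with a Monte Carlo run. It assumes, as one reading of the proof, that a packet keeps advancing within one interval as long as the per-hop offsets occur in increasing order; the function names are hypothetical.

```python
from fractions import Fraction
from math import factorial
import random


def hop_distribution(b):
    """Exact P(U = beta) for beta = 1..b on a b-hop path.

    beta < b uses equation (23): beta / (beta + 1)!
    beta = b uses equation (21): 1 / b!
    """
    dist = {beta: Fraction(beta, factorial(beta + 1)) for beta in range(1, b)}
    dist[b] = Fraction(1, factorial(b))
    return dist


def expected_hops(b):
    """E(U) of equation (24), returned as an exact fraction."""
    return sum(beta * p for beta, p in hop_distribution(b).items())


def simulate_expected_hops(b, trials, rng):
    """Monte Carlo estimate of E(U).

    Assumption (interpretation of the proof): every hop k fires at an
    independent uniform offset t_k inside the interval. The packet moves on
    while t_1 < t_2 < ... holds; the first out-of-order offset means the
    next node has already sent, so the packet waits for the next interval.
    """
    total = 0
    for _ in range(trials):
        hops = 0
        previous = -1.0
        for _ in range(b):
            t = rng.random()
            if t < previous:
                break
            hops += 1
            previous = t
        total += hops
    return total / trials


def average_latency(h, delta, b=20):
    """Equation (25): tau = h * delta / E(U)."""
    return h * delta / float(expected_hops(b))


if __name__ == "__main__":
    # The exact expectation settles quickly as the path length b grows.
    for b in (1, 2, 3, 5, 10, 20):
        print(f"b={b:2d}  E(U)={float(expected_hops(b)):.6f}")
    rng = random.Random(2018)  # constructed seed, for repeatability only
    print("simulated E(U):", simulate_expected_hops(20, 100_000, rng))
    print("tau for h=10, interval=1:", average_latency(10, 1.0))
```

The exact expectation converges to $e - 1 \approx 1.7183$, whose reciprocal is the 0.58 factor in equation (25).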

Ideally, the minimum latency for the shortest path is $\Delta$, whereas the latency is apparently related to the length of the shortest path $h$. When the downstream packet is transmitted before a real packet arrives, the worst latency is $h \cdot \Delta + \tilde{T} = \Delta(\mu + h)$, and in the worst case, the source node now needs to wait for the next epoch. By Proposition 3 proved above, the average latency is $0.58 \cdot h \cdot \Delta$.

IV. PERFORMANCE EVALUATION

A simulator, Castalia, based on OMNeT++ is applied in this study to verify the efficiency of our methods. The network field is divided into $n \times n$ unit cells, where $n = 50$, with sides that are 20 m in length, so the whole network covers an area of 1000 m × 1000 m. 4000 sensors are randomly distributed in each cell, and the number in each grid is $\delta$, where $\delta \ge 1$. Note that each node can receive signals from the nodes in eight adjacent cells, and the sink node is randomly deployed in the network. It is assumed that there is only one attacker in the network, and the eavesdropper reception range and the sensor transmission range are both set at 60 m. The MAC protocol is based on 802.15.4, and the packet size is 1280 bytes. The network is event driven, with only one object monitored in the WSN. When CBA is applied, the object can be mobile, namely, the event occurs randomly in the network. The simulation is performed 50 times, and each time a total of 500 new packets are sent from the source node. The global attacker knows all the network traffic with no need to find the source by hops. Once he has inferred one possible source, he will check the area and determine whether the target exists. If the target is captured, the simulation is over. If the object is not found, it will continue until time runs out. We assume that the beacon does not cost additional energy, but dummy packets do. TTL of dummy packets is zero, with only one hop.

A. PRIVACY

Based on the attack model presented in Section 3, we propose the privacy criteria to measure the performance of privacy. Here we choose phantom path (PP) [5], which only works for the local attacker, the STaR scheme [1], minimum connected dominating sets (MCDS) [10], and the global traffic normalization approach (GN) [8] to compare with our scheme, CBA. As shown in Fig. 11(a), phantom path (PP) is chosen as a baseline, with the least privacy criteria, and the attacker promptly pinpoints the source node and the path to the sink according to the earliest transmission time. Although the STaR scheme uses the intermediate nodes as the fake nodes, the global attacker can still locate the source, as well as the path to the sink node. As the false sources decrease the capturing probability, the privacy criteria is slightly higher than PP, but there is still a big gap compared with GN and MCDS, much less CBA. GN and MCDS successfully hide context information. Furthermore, CBA has more privacy criteria, because we are trying to keep the homogeneousness of the network based on the deployment. As the network area $n$ increases, the privacy rises accordingly.

FIGURE 11. Comparison of privacy with existing methods. (a) Privacy with the change of network size n. (b) Privacy with the change of node number δ in each grid.

In a given network area, we increase the average number of sensors in each grid $\delta$, as shown in Fig. 11(b). The privacy criteria of STaR and PP is not affected by the node distribution. As $\delta$ increases, the privacy of CBA, MCDS and GN is on the rise because under denser sensor deployments, more sensors are deduced to be possible sources. However, when $\delta$ reaches 3, the average number of neighbors of each sensor node is 24, and the privacy performance will no longer increase when the node density reaches a certain degree. This is due to the fact that denser nodes lead to more overlaps in the area covered by them, so the average area of each sensor becomes smaller. Hence, in a small area, the capturing probability $P$ is high, which is inversely proportional to the privacy criteria $\Theta$.

B. ENERGY COST

In the last experiments, we studied the communication overhead and end-to-end latency to transmit real packets to the sink. We compared our methods with MCDS and GN, because only those two achieve the similar privacy performance. According to the formulae (9) and (10), we use the following parameters as shown in Table 3.

TABLE 3. Parameters setting.

As shown in formula (19), the proportion of $E_{sleep}$ is so small that we ignore it in the experiment, namely $E_{all} \approx E_{active}$. For fair comparison, we choose the same size and rate of packets, and each node has an average of ten neighbors. For these three schemes we compared, every active node sends packets (dummy and real) in the same way. That is, all nodes of an active subset send packets at a fixed rate, so the ratio of $E_{idle}$ to $E_{work}$ is also fixed. Then we can get $E_{active} = E_{idle} + E_{work} = (k + 1) \cdot E_{work}$. In view of this reason, we only need to consider the energy consumption in working state $E_{work}$ in the experiment. The energy cost increases as the network scales out. GN consumes the most energy as all nodes keep sending packets all over the network, while for MCDS the trend of increase slows down as $n$ increases. When the network area is small, the overhead of connected subsets alternation is expensive, while with the increase of network, the sensors on the shortest path likely belong to different CDSs because they are within the same neighborhood, so the increasing trend of energy cost is in decline. The energy cost of CBA is half of GN, because only half of the nodes in each epoch are active, which is verified by simulations, as shown in Fig. 12.

FIGURE 12. Comparison of energy cost with existing methods in working state as network size $n$ changes.

C. LATENCY

The end-to-end latency is defined as the time spent for delivering real packets to the sink. The routing delay is related to the routing algorithms, such as the number of hops and re-delivery times. For the sake of fair comparison, we let CBA and GN send packets at the same rate, namely the same $\Delta$. GN sends packets at the end of every fixed time $\Delta$, while CBA sends packets at a random time within each $\Delta$. In our experiment, GN has the longest latency for the strict standard time. When the network size is small with a small number of nodes, the intersection of MCDS has few nodes, and there may not be any active nodes near the source, so changing routing paths causes more latency for waiting and re-delivery. As the routing path increases, the latency of MCDS is reduced, but still higher than that of CBA, as shown in Fig. 13(a). That is because in our two methods the routing nodes will not deviate from the shortest path when epoch alternates.

FIGURE 13. Comparison of latency with existing methods. (a) Latency with the change of network size $n$. (b) Latency with the change of node number $\delta$ in each grid.

As shown in Fig. 13(b), with the increase of $\delta$, the latency of these four methods is decreased, for more density of the network increases the communication quality and connectivity, and reduces the time of re-delivery. However, with the continued increase of $\delta$, MCDS fluctuates in terms of latency. At first, there is a slight increase in latency; this is due to the fact that the polling of MCDS increases the length of routing path and the latency. As the number of nodes increases, the latency drops sharply after the network becomes stable, because under denser sensor deployments, more sensors can detect an event. Sensors on the shortest path tend to belong to different CDSs because they are within the same neighborhood. Therefore, the buffering delay is reduced, but the latency is higher than CBA for the polling cost. Furthermore, because only one node is selected in every grid as the relaying node, the increasing $\delta$ has no effect on the latency, and the reduction of latency is as high as 40%.

V. CONCLUSION

In this study, we propose a method, CBA, for resisting a global attacker based on a grid partitioning of the network. CBA is flexible for application scenarios, including monitoring a static and a moving object. It makes use of polling different sets of nodes to reduce the network overhead significantly while ensuring the source location privacy. Our method is targeted for a dense connected network. However, in practice, there may be more complicated scenarios, such as holes occurring in the network. Therefore, we will study the robustness of the network in the future.

VI. RELATED WORK

Two intuitive features of location privacy in WSN are un-observability [15] and unlink-ability [6], namely, the attacker cannot determine the occurrence time of the real packets, and cannot determine the relationship between the sender and the receiver. Research on source location privacy (SLP) in WSN has been drawing significant attention. Attackers come in two manners, local and global, according to their ability [1], [7], [7], [9], [20]. A local attacker, whose location is still invisible like a ghost to the entire network, can analyze network traffic to infer the source location. Previous studies have shown that there are mainly three techniques for hiding traffic. The present techniques for preserving the privacy of a source location against a local attacker are primarily implemented by changing or increasing the current routing path, such as in phantom routing [5], multi-path routing [1], [9], dummy sources injection and other security routing mechanisms. Phantom routing was first proposed by Kamat et al. [5] in his Panda-Hunter model, which includes the first step to have a random walk to a phantom source, followed by the shortest path or flooding to the sink in the end. However, with increasing random walk hops, the packets tend to be near the source node [2], [22], indicating that a random walk phase would in turn reveal the source location. Shortly thereafter, improved algorithms, such as GROW [19], were proposed to reduce the transmission delay and improve security, resulting in a larger energy cost. The idea based on TDMA in [20] is that slots are assigned such that the first message an attacker hears will always come from a node along the fake path rather than from towards the source, bringing about much more delay and energy consumption. The other two schemes are the dummy packets mechanism [8], [10] and the pseudo source node mechanism [5], [30]. These two methods can resist more powerful attackers, but because the number and location of pseudo nodes are randomly distributed, unnecessary energy consumption is unavoidable.

To further reduce the overhead of data transmission, according to the characteristics of the IEEE 802.15.4 MAC layer, Shao et al. [4] used the payload of beacons to transmit data. This scheme can hide contextual information successfully, but it brings new challenges to network performance. A beacon interval can be adjusted adaptively according to the network traffic, such as in T-MAC and S-MAC [23], [31] changing the duty ratio to increase the throughput. According to [4], the short interval between beacons will cause too much synchronization overhead, whereas long intervals will result in longer guardian time for the time drift. With the development of hardware, the attacker will not be visible to the wireless sensor network. Using the characteristics of attacker perceiving [24], nodes relatively far from the attacker are chosen as the shortest path to the sink, which gives birth to a new idea for solving this type of problem. Moving object recognition technology [25], [29] in resisting the attacker enhances the certainty of strategy, instead of randomness. However, authorized moving objects can be allowed to enter the WSN, such as scientists for detecting data in the field. A simple authentication mechanism [26]–[28] can exclude unauthorized migration of mobile objects. Compared with a local attacker [24] who can receive the information in his vicinity, multiple local attackers can cooperate with each other to get a wider range of network information [10]. As the attackers' ability increases, a global attacker [8], [10] is aware of the traffic of the entire network. To oppose a more powerful attacker, it is obvious that greater cost is required. The naive solution [8] is to have each node send packets periodically, regardless of whether they are real packets or dummy packets. Every node has a time trigger, and a packet is sent in every interval. Through the verification mechanism, the nodes only accept the real packets, and all dummy packets are discarded. This scheme leads to so much delay and energy consumption that it only stays in the conceptual stage. To balance between the delay and communication overhead, the interval for sending packets is set according to particular applications, which is difficult to implement in practical applications. Multi-path routing [21], [32] can enhance the load balance and quality of service (QoS), but a global attacker can quickly distinguish a false source from limited information [11]. Using statistical models, source anonymity was first proposed by Yang et al. [13], and unfortunately a powerful adversary will attack this method using statistical methods because the real packet delay is generally of the mean of the distribution. By reducing the amount of communication in each period, Proano et al. [10] applied the connected dominating sets of the WSN to operate in a polling way. However, the generation of a connected dominating set is a typical NP problem [11]. Once the topology changes, it will bring more overhead for updating information. In addition, the source node may only belong to one of the connected dominating sets, which is active in one epoch after several cycles, and as there are many dominating sets, the event is transferred when the source is active in its epoch.


Therefore, the serious delay is not suitable for real-time applications. As shown above, most of these approaches are practical for a delay-tolerant network (DTNs: delay/disruption-tolerant networks), whereas we expect a generic and simple solution to preserving contextual privacy in an event-driven network.

REFERENCES

[1] L. Lightfoot, Y. Li, and J. Ren, "STaR: Design and quantitative measurement of source-location privacy for wireless sensor networks," Secur. Commun. Netw., vol. 9, no. 3, pp. 220–228, 2016.
[2] M. Chaudhari and S. Dharawath, "Toward a statistical framework for source anonymity in sensor network using quantitative measures," in Proc. Int. Conf. Innov. Inf., Embedded Commun. Syst. (ICIIECS), 2015, pp. 1–5.
[3] D. Spiryakin, A. Baranov, and V. Sleptsov, "Design of smart dust sensor node for combustible gas leakage monitoring," in Proc. Federated Conf. Comput. Sci. Inf. Syst. (FedCSIS), 2015, pp. 1279–1283.
[4] M. Shao, W. Hu, S. Zhu, G. Cao, S. Krishnamurth, and T. La Porta, "Cross-layer enhanced source location privacy in sensor networks," in Proc. 6th Annu. IEEE Commun. Soc. Conf. Sensor, Mesh Ad Hoc Commun. Netw. (SECON), Jun. 2009, pp. 1–9.
[5] P. Kamat, Y. Zhang, W. Trappe, and C. Ozturk, "Enhancing source-location privacy in sensor network routing," in Proc. 25th IEEE Int. Conf. Distrib. Comput. Syst., Jun. 2005, pp. 599–608.
[6] M. M. E. A. Mahmoud and X. Shen, "A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks," IEEE Trans. Parallel Distrib. Syst., vol. 23, no. 10, pp. 1805–1818, Oct. 2012.
[7] Z. Benenson, M. Peter, Cholewinski, and F. C. Freiling, "Wireless sensors networks security," in Chapter Vulnerabilities Attacks, Wireless Sensor Networks. Amsterdam, The Netherlands: IOS Press, 2008, pp. 22–43.
[8] K. Mehta, D. Liu, and M. Wright, "Protecting location privacy in sensor networks against a global eavesdropper," IEEE Trans. Mobile Comput., vol. 11, no. 2, pp. 320–336, Feb. 2012.
[9] L. Lightfoot, Y. Li, and J. Ren, "Preserving source-location privacy in wireless sensor network using STaR routing," in Proc. IEEE Global Telecommun. Conf. (GLOBECOM), Dec. 2010, pp. 1–5.
[10] A. Proano, L. Lazos, and M. Krunz, "Traffic decorrelation techniques for countering a global eavesdropper in WSNs," IEEE Trans. Mobile Comput., vol. 16, no. 3, pp. 857–871, Mar. 2017.
[11] R. Garey and D. S. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness. New York, NY, USA: Freeman, 1979.
[12] B. Alomair, A. Clark, J. Cuellar, and R. Poovendran, "Toward a statistical framework for source anonymity in sensor networks," IEEE Trans. Mobile Comput., vol. 12, no. 2, pp. 248–260, Feb. 2013.
[13] Y. Yang, M. Shao, S. Zhu, and G. Cao, "Towards statistically strong source anonymity for sensor networks," ACM Trans. Sensor Netw., vol. 9, no. 3, 2013, Art. no. 34.
[14] Q. Zhou and X. L. Qin, "Preserving source location privacy against the global attacker hiding in FOG," in Proc. 15th IEEE Int. Conf. Netw., Sens. Control (ICNSC), Zhuhai, China, Mar. 2018, pp. 1–6.
[15] P. Erdős and P. Révész, "Problems and results on random walks," in Mathematical Statistics and Probability Theory, P. Bauer, F. Konecny, and W. Wertz, Eds. Dordrecht, The Netherlands: Springer, 1987, pp. 59–65.
[16] W. Feller, An Introduction to Probability Theory and its Applications, vol. 1. Hoboken, NJ, USA: Wiley, 1957.
[17] G. J. Pottie and W. J. Kaiser, "Wireless integrated network sensors," Commun. ACM, vol. 43, no. 5, pp. 51–58, 2000.
[18] The Datasheet of MEMSIC's TelosB Mote TPR2420. Accessed: Jun. 18, 2018. [Online]. Available: http://www.memsic.com/userfiles/files/Datasheets/WSN/telosb_datasheet.pdf
[19] M. Bradbury, M. Leeke, and A. Jhumka, "Hybrid online protocols for source location privacy in wireless sensor networks," J. Parallel Distrib. Comput., vol. 115, pp. 67–81, May 2018.
[20] J. Kirton, M. Bradbury, and A. Jhumka, "Source location privacy-aware data aggregation scheduling for wireless sensor networks," in Proc. IEEE 37th Int. Conf. Distrib. Comput. Syst. (ICDCS), Jun. 2017, pp. 2200–2205, doi: 10.1109/ICDCS.2017.171.
[21] Y. Zhang, G. Wang, Q. Hu, Z. Li, and J. Tian, "Design and performance study of a topology-hiding multipath routing protocol for mobile ad hoc networks," in Proc. IEEE INFOCOM, Mar. 2012, pp. 10–18.
[22] R. Shi, M. Goswami, J. Gao, and X. Gu, "Is random walk truly memoryless—Traffic analysis and source location privacy under random walks," in Proc. IEEE INFOCOM, Apr. 2013, pp. 3021–3029.
[23] Y. Xing, Y. Chen, W. Yi, and C. Duan, "Optimal beacon interval for TDMA-based MAC in wireless sensor networks," in Proc. 11th Int. Conf. Innov. Inf. Technol. (IIT), 2015, pp. 156–161.
[24] R. Rios and J. Lopez, "Exploiting context-awareness to enhance source-location privacy in wireless sensor networks," Comput. J., vol. 54, no. 10, pp. 1603–1615, Oct. 2011.
[25] D. Apicharttrisorn, K. Apicharttrisorn, and T. Kasetkasem, "A moving object tracking algorithm using support vector machines in binary sensor networks," in Proc. 13th Int. Symp. Commun. Inf. Technol. (ISCIT), 2013, pp. 529–534.
[26] P. Lourenço, P. Batista, P. Oliveira, and C. Silvestre, "Simultaneous localization and mapping in sensor networks: A GES sensor-based filter with moving object tracking," in Proc. Eur. Control Conf. (ECC), 2015, pp. 2354–2359.
[27] R. Amin and G. Biswas, "A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks," Ad Hoc Netw., vol. 36, pp. 58–80, Jan. 2016.
[28] J. Srinivas, S. Mukhopadhyay, and D. Mishra, "Secure and efficient user authentication scheme for multi-gateway wireless sensor networks," Ad Hoc Netw., vol. 54, pp. 147–169, Jan. 2017.
[29] M. Raj, N. Li, D. Liu, M. Wright, and S. K. Das, "Using data mules to preserve source location privacy in wireless sensor networks," Pervasive Mobile Comput., vol. 11, pp. 244–260, Apr. 2014.
[30] A. Jhumka, M. Leeke, and S. Shrestha, "Secure and efficient user authentication scheme for multi-gateway wireless sensor networks," Comput. J., vol. 54, no. 6, pp. 860–874, Jun. 2011.
[31] C. J. Liu, P. Huang, and L. Xiao, "TAS-MAC: A traffic-adaptive synchronous MAC protocol for wireless sensor networks," ACM Trans. Sensor Netw., vol. 12, no. 1, pp. 1:1–1:30, 2016.
[32] A. A. M. Rahat, R. M. Everson, and J. E. Fieldsend, "Evolutionary multi-path routing for network lifetime and robustness in wireless sensor networks," Ad Hoc Netw., vol. 52, pp. 130–145, Dec. 2016.

QIAN ZHOU was born in Xinghua, China, in 1983. She received the B.S. degree in communication engineering and the M.S. degree in computer science and technology from the National University of Defense Technology, Changsha, China, in 2005 and 2007, respectively. She is currently pursuing the Ph.D. degree in computer science and technology with the Nanjing University of Aeronautics and Astronautics, Nanjing, China. Her research interests include network security, wireless sensor networks, privacy preservation, and rough sets.

XIAOLIN QIN was born in Suzhou, China, in 1953. He received the B.S. and M.S. degrees in computer science and engineering from the Nanjing University of Aeronautics and Astronautics, Nanjing, China. He is currently a Professor with the College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, China. He is the Lead of the Department of Data Management and Knowledge Engineering, Nanjing University of Aeronautics and Astronautics. His research interests include security database, temporal−spatial database, data management and security in distributed environment.

XIAOJUN XIE was born in Anqing, China, in 1990. He received the B.E. degree in computer science and technology from Anhui Normal University, Wuhu, China, in 2013, and the M.E. degree in computer system architecture from the Key Laboratory of Data Processing and Intelligent Computing, Guangxi Normal University, Guilin, China, in 2016. He is currently pursuing the Ph.D. degree in software engineering with the Nanjing University of Aeronautics and Astronautics, Nanjing, China. Her research interests include rough sets, approximate reasoning, network security, wireless sensor networks, and privacy preservation.
