Cost Analysis of Query-Anonymity on the Internet of Things

Abstract

A necessary function of the Internet of Things (IoT) is to sense the real-world from the fabric of everyday environments. Wireless Sensor Networks (WSNs) are widely deployed as part of IoT for environmental sensing, industrial monitoring, health care, and military purposes. Traditional WSNs are limited in terms of their management and usage model. As an alternative paradigm for WSN management, the sensor-cloud virtualizes physical sensors. While this model has many benefits, there are privacy issues that are not yet addressed. The query-anonymity arises when the client wants the destination physical sensor-node to be indistinguishable from other potential destinations. In particular, we consider the k-anonymous query scheme in which the query destination is indistinguishable from other k-1 probable destinations, where k is the offered level-of-anonymity. Moreover, we are interested in a communication-based approach in which the client is required to send k queries to at least k destinations including the node of interest in order to achieve a level-of-anonymity k. Thus, the communication-cost increases with the level-of-anonymity k. Consequently, there is a natural trade-off between the offered query-anonymity and the incurred communication-cost. The analysis of such trade-off is the main problem we address in this work.

We firstly aim at a novel theoretical framework that quantifies the security of a general k-anonymous query scheme. Towards that, we adopt two approaches based on well-known security models namely, ciphertext indistinguishability under chosen plaintext attack (IND-CPA), and information theoretic notion of perfect secrecy. Next, we provide a construction of a secure k-anonymous query scheme, and introduce its detailed design and implementation, including the partition algorithm, anonymity-sets construction methods, query routing algorithm, and querying protocol. Then we establish a set of average-case and worst-case bounds on the cost-anonymity trade-off. We are committed to answer two important questions: what is the communication-cost, on average and in the worst-case, that is necessary? and what is the communication-cost that is sufficient to achieve the required secure query k-anonymity?

Finally, we conduct extensive simulations to analyze various performance-anonymity trade-offs to study the average and worst-case bounds on them, and investigate several variations of anonymity-sets constructions methods. Confirming our theoretical analysis, our evaluation results show that the bounds of the average and worst-case cost change from quadratic asymptotic dependence on the network diameter to the same dependence on the level-of-anonymity when the later surpasses the former. Furthermore, most of the obtained bounds on various performance anonymity trade-offs can be expressed precisely in terms of the offered level-of-anonymity and network diameter.