A dynamic ring-based routing scheme for source location privacy in wireless sensor networks

Information Sciences 504 (2019) 308–323

Contents lists available at ScienceDirect

Information Sciences journal homepage: www.elsevier.com/locate/ins

A dynamic ring-based routing scheme for source location privacy in wireless sensor networks Guangjie Han a,∗, Mengting Xu a, Yu He a,b, Jinfang Jiang a, James Adu Ansere a, Wenbo Zhang c a

College of Internet of Things Engineering, Hohai University, 200 North Jinling Road, Changzhou 213022, China State Key Laboratory of Acoustics, Institute of Acoustics, Chinese Academy of Sciences, Beijing 100190, China c College of Information Science and Engineering, Shenyang Ligong University, Shenyang 110159, China b

a r t i c l e

i n f o

Article history: Received 28 December 2018 Revised 27 June 2019 Accepted 7 July 2019 Available online 15 July 2019 Keywords: Wireless sensor networks Source location privacy Intermediate node Mixing ring Fake source

a b s t r a c t Many studies have addressed the protection of source location privacy (SLP). However, most of the traditional research has not achieved a balance between security and energy consumption. Here, we propose a dynamic ring-based routing (DRBR) scheme to solve this problem. This scheme is divided into three stages. In the first stage, the source node randomly selects an intermediate node to send a data packet to the selected area. During the second stage, the intermediate node sends the data packet to the mixing ring, where the ring nodes combine data packets. The mixed data packets from the mixing ring are sent to the sink node in the third stage. We prove that DRBR not only provides high SLP, but also achieves a desirable trade-off between privacy and energy consumption. © 2019 Elsevier Inc. All rights reserved.

1. Introduction Wireless sensor networks (WSNs) are a new platform for information acquisition and processing [1–3]. Sensor nodes in WSNs communicate with each other via wireless devices. The WSNs consist of many low-power wireless sensor nodes [4– 6]. These sensor nodes are used to sense and collect useful information in the network and forward it to the sink node via multiple hops [7]. Finally, the sink node stores and processes the collected information. Owing to a lack of physical boundaries, wireless devices are more susceptible to adversaries than the wired devices. When sensor nodes are communicating with each other, anyone with a relevant wireless receiver can detect and intercept messages between sensor nodes [2,4]. The attacker may use illegal means to communicate with powerful workstations or information sources. Illegal interactions and information theft can cause severe harm to the network, and even propel the entire network into a state of paralysis [5,6]. Therefore, the security of the network has become a critical issue for the WSNs. Location privacy, which is a security issue, has attracted significant attention in recent years. According to the different protected objects, protection of location privacy can be classified into source location privacy (SLP) and sink location privacy [8,9]. This paper focuses on the issue of SLP protection. This paper mainly proposes a dynamic ring-based routing (DRBR) scheme to protect the privacy of the source node. The scheme is divided into three stages. During the first stage, the source node randomly chooses an intermediate node from ∗

Corresponding author. E-mail addresses: [email protected] (G. Han), [email protected] (M. Xu), [email protected] (J. Jiang), [email protected] (J.A. Ansere), [email protected] (W. Zhang). https://doi.org/10.1016/j.ins.2019.07.028 0020-0255/© 2019 Elsevier Inc. All rights reserved.

[email protected]

(Y.

He),

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323

309

Fig. 1. Model of the panda-hunter game.

a limited area and then sends the data packet to it. During the second stage, the intermediate node sends the data packet to the mixing ring, and the ring nodes mix the data packet with other data packets. During the third stage, the mixed data packets are sent to the sink node from the mixing ring. Our contributions are summarized in this paper as follows: • •

• •

We We the We We

propose a DRBR scheme to enhance the privacy protection of the source node location; study the mixing ring method that combines real and fake data packets to prevent an adversary from tracking real data packets; examine the dynamic mixing ring method to achieve balanced energy for other nodes in the network; provide extensive theoretical analyses and experimental simulations to validate the proposed scheme.

The reminder of this article is organized as follows. Section 2 describes related research. Section 3 introduces the assumptions and models. Section 4 gives an overview of the proposed scheme, whilst the security analysis is outlined in Section 5. Finally, the article is concluded in Section 6. 2. Related works In [8], location privacy was divided into sink location privacy and SLP. SLP refers to protecting data sources from adversaries through analysis. Sink location privacy means that the destination of the protected data transmission is not destroyed by adversaries; thus, protection of the security of the transmitted data packets is necessary. The SLP problem has received considerable attention recently [8,10–14] since Ozturk et al. [10] proposed the classic panda-hunter game. This became a fundamental event-driven application scenario for SLP studies as shown in Fig. 1. In the panda-hunter game, many sensor nodes are deployed randomly to detect the locations of pandas [11,12]. As soon as a panda is detected, the corresponding source node will be triggered, and periodically forward data packets that carry information about the panda to the sink node hop by hop [7]. However, a hunter acts as an adversary to locate the panda by backtracking the routing paths for the location of the source node. Therefore, providing high SLP when delivering the data packets to the sink node [14] is of great importance. Ozturk et al. [10] proposed the phantom routing scheme (PRS) to solve the SLP problem, which symmetrically distributes the phantom source node around the real source node. In the PRS, there are two phases: a random walk phase and a flooding phase. When the source node senses an event, the corresponding messages are forwarded randomly for h hops. The node that receives the data packet at the end of the random walk plays the role of the phantom source. Then, the phantom source starts to flood data packets to the sink node as shown in Fig. 2(a). The purpose of this is to move the phantom sources away from the real source. However, phantom sources are distributed near the real source through a pure random walk. There is a high probability for the formation of routing loops between the phantom sources and the real source owing to the pure random walk [12], which boosts the ability of the adversary to detect the real source. Li et al. [11] proposed a directed walk scheme as shown in Fig. 2(b). In this scheme, the source node selects the neighbor node as its next hop. Then, it selects the next hop from its neighbor nodes in the same direction until h hops. This scheme can remove the phantom node from the real source to avoid detection by an adversary. Consequently, Tan et al. [15] proposed the path extension method (PEM) scheme, as illustrated in Fig. 2(c), which provides SLP. This scheme uses fake sources that offer more flexibility than other schemes. The fake sources generated are dynamic after network initialization as compared to the fixed fake sources in other schemes. As shown in Fig. 2(c), nodes represented by blue circles are fake sources that mislead the adversary away from the real path. However, it is less efficient to protect the source node when the source node is close to the sink node. In 2012, Li et al. [16] proposed a scheme called RSIN to provide SLP through two-phase routing as illustrated in Fig. 2(d). During the first stage, an intermediate node is randomly selected to receive the data packet. During the second stage, the

310

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323

Fig. 2. (a) Illustration of the phantom routing scheme; (b) Illustration of the directed walk; (c) Illustration of the PEM; and (d) Illustration of the RSIN.

data packet is transmitted to a ring node. The scheme, however, consumes more energy at the sink node, which reduces the lifetime of the node. In [17–19], the authors studied SLP using cyclic topology. A multi-ring-based scheme was proposed by Yao et al. [20]. Each data packet arriving at the sink node transmits at a certain angle along the external ring and at a supplementary angle along the internal ring. The scheme generates fake messages that cost extra energy. The cloud-based scheme was proposed by Mahmoud et al. in [21] to generate multiple fake sources around the real source. However, both real and fake packets are routed in a limited region to prevent the adversary from locating the real source node. Ikram Ullah et al. [22] proposed an ESOT (Enhanced Semantic Obfuscation Technique) scheme for location privacy. The scheme was aimed at hiding the source from an adversary to protect the useful information. This achieves a balance between SLP and service utility. Several schemes have been proposed to enhance SLP, but most of them have turned out to consume extra energy, which reduces the network’s lifetime [23,24]. Therefore, in this paper, we propose a DRBR scheme to improve SLP and introduce both an intermediate node and a dynamic ring in the scheme. The intermediate node changes the entrance to the mixing ring, and the dynamic ring ensures the packets are mixed to balance energy consumption, which improves the safety of the source node. More details will be presented in Section 4.

3. System model 3.1. Network model The system model in this paper is similar to the Panda-Hunter model explained in [11,25–27] as shown in Fig. 1. In the Panda-Hunter model [28,29], the sensor network continuously monitors animal activities and locations in wildlife habitats [10,30]. Once the panda is detected, the nodes around the area will become source nodes and report relevant messages to the sink node. Therefore, we make the following assumptions to prevent poachers from tracking the trajectory of pandas: •

We assume that the nodes are randomly deployed in the network, and they are consistent with the Panda-Hunter model;

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323 •

•

•

311

We consider the sink node as the main destination for the transmitted message. The information of the sink node is public, all messages are sent to the sink node, and all nodes know the location of the sink node; We assume that each message has a unique dynamic ID that indicates the location information of the generated message. Each message is encrypted using the key between the node and the sink node, and the messages can jointly share a key with neighbor nodes; We assume that the node knows its relative position and the relevant information of their neighboring nodes, including both their locations and identities. Each node communicates with other nodes via multiple hops.

However, applying the key management approach such as key generation, distribution, and updating are beyond the scope of this paper [31–33]. 3.2. Adversary model Because the profits made from hunting pandas are very desirable, poachers will try to use powerful equipment to track pandas. In this paper, we make the following assumptions: •

•

•

The adversary is powerful. It is assumed that the adversary has sufficient energy, computing power, and storage memory. Once an event is detected, the adversary will move to the location where the panda is located by analyzing the received signal; Passive attack. It is assumed that the adversary cannot disturb the normal functions of the network in the same way as the model in [16,23], such as altering the data packet, adding routing paths, and damaging the sensor node. This assumption aims to enhance detection of the adversary to prevent the occurrence of attacks; Local attack. It is assumed that the adversary can monitor areas that are important to him/her, but not the entire network. The adversary uses powerful devices to monitor certain areas of the network to detect the activities of the panda [25], but not all areas where the panda could be located. When the adversary identifies a sender’s location with an eavesdrop range that is equal to the communication radius of the sensor nodes, the adversary occupies the available location. If a new location is found, the adversary relies on the backtracking attack to identify the location of the source node.

4. Proposed DRBR scheme The network consists of a large number of common sensor nodes and only one sink node. The sink node is located in the center of the network. We divide the entire network into grids with the same size and randomly deploy the same number of nodes in each grid. These nodes are partitioned into five categories: source nodes, sink node, intermediate nodes, ring nodes, and branch nodes. Common sensor nodes can become source nodes, intermediate nodes, ring nodes, or branch nodes during specific stages of the routing paths. The source node senses the event. The sink node plays the role of the only destination of the network. The intermediate nodes act as phantom nodes and mislead the adversary away from the real source. The ring nodes are deployed near the sink node and forward messages in the ring. Branch nodes are selected to transmit dummy data packets to tempt the adversary away from the real routing path. The proposed DRBR scheme is composed of three stages. During the first stage, the intermediate node is selected from an area, which is decided by the location of the source node and the sink node; then, data packets are forwarded from the source node to it. The process of mixing in the mixing ring is completed during the second stage. During the third stage, data packets are transmitted from the current mixing ring to the sink node. We discuss the proposed scheme in the following sections. 4.1. Network initialization The sink node initiates a broadcast of a beacon, which includes the hop count and the sink location, to the entire network. Initially, the sink node and the common nodes set the hop count to zero and infinity, respectively. When a common sensor node receives an initialization beacon, it obtains the hop count from the sink node and adds one to the hop count. Then, the node compares the current hop count to the original hop count. If the current hop count exceeds the original hop count, the node discards it. Otherwise, the node sets the current hop count as its hop count to the sink node. Then, these nodes continue to send their hop counts to their neighboring nodes except for those that have received a beacon. In the same way, all nodes in the whole network know their hop counts to the sink node in the end. As all nodes are aware of their hop counts to the sink node, the nodes with the same hop count h0 form the initial mixing ring. The value of h0 is selected moderately to obtain a balance between security and energy consumption. The nodes with high h0 hop counts are broadcast in the entire network to establish the initial ring and inform other nodes about the ring nodes. However, h0 can be set as the largest integer value not exceeding half of the maximum hop count to sink node. In Fig. 3, we first depict the mixing ring using irregular circles to represent irregular rings. The mixing ring is deployed near the sink node, and many nodes are deployed in the ring. These rings comprise the mixing rings, which are often used for SLP protection. The nodes A, B, C, D, E, F, G, and H are selected to construct the initial mixing ring. The nodes in the initial mixing ring are called initial ring nodes.

312

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323

Fig. 3. Initialization of the DRBR.

4.2. Selection of the intermediate node An area is determined by the positions of the source and the sink node. Then, a node is randomly selected in this area, labeled intermediate node, and data packets are sent to the selected intermediate node. Details of the selection of the intermediate node are presented in the following subsections. To guarantee that the routing path of the selected intermediate node does not pass through the current mixing ring, the proposed scheme protects the source node from being exposed. If the mixing ring is located between source node and intermediate node, the adversary will backtrack to identify the location to attack the transmitted data packets. Therefore, our proposed scheme ensures that the selected nodes are on the same side of the current mixing ring. We shall discuss this procedure in four circumstances: in/close, in/far, out/close, and out/far. 4.2.1. Circumstance 1 - IN/CLOSE When the source node is inside the current mixing ring and the source node is very close to the sink node, to enable a sufficiently large selection area of the intermediate node, the source node routes the data packets for a few hop counts in a direction away from the sink but does not exceed the current mixing ring. Then, the area of the intermediate node to be selected is determined. In Fig. 4, the source node represented by a blue star is too close to the sink node (represented by a red triangle). Then, it selects the next hop from the neighbors away from the sink node until it is three hops away from the current source. This ensures that the area of selecting the intermediate node is sufficiently large. The last node is called the phantom node and is represented by a dark star. After determining the phantom node, the optional area of the intermediate node is determined by the combined sink node and the phantom source. Then, establishing a coordinate system is necessary. The line from the sink to the phantom source is the X1 -axis, and the line through the sink and perpendicular to the X1 -axis (using the right-hand rule) is the Y1 -axis. A circle can be drawn with the sink node at the center and the distance from the sink node to the phantom source as the radius. To ensure that the routing path of the intermediate node to the current mixing ring does not pass through the sink node at short distance, the area is reduced to the right half of the Y1 -axis. The intermediate node cannot exist in the security area around the source represented by the light gray circle. Furthermore, to guarantee that the routing path of the selected intermediate node does not pass through the source node, the semicircle including the safety zone is subtracted from the original semicircle and the area is then reduced to a semi-circle. The boundary line of this area is indicated with a blue dotted line in Fig. 4. After the area is determined, the intermediate node will be selected randomly from this area, taking the sensor node represented by the blue semicircle in Fig. 4 for instance. First, a random point is determined in the area to enable the source node to select a neighbor node as the next hop. If the distance between the neighbor node and the point is less than or equal to the communication radius, the neighbor node is selected as the intermediate node. 4.2.2. Circumstance 2 - IN/FAR When the source node is within the current mixing ring but farther from the sink node, we briefly explain the selection and the representation of the intermediate node as follows. As shown in Fig. 4, the line from the sink node to the source

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323

313

Fig. 4. Illustration of circumstances 1 and 2 of DRBR.

Fig. 5. Illustration of circumstances 3 and 4 of DRBR.

node (represented by a yellow star) forms the X2 -axis and the line that passes the sink node and is perpendicular to the X2 -axis forms the Y2 -axis. In this coordinate system, the sink node is at the center of the circle and its distance from the source is taken as the radius. However, the routing path is selected from the intermediate node to the current mixing ring within a small area to reduce it to a semicircle above the X2 -axis. The yellow line indicates the boundary of the area in which the intermediate node can be selected. In addition, to improve the safety of the source, the intermediate node cannot be in the security area around the source represented by the light gray circle, and the dangerous area is represented by the dark gray circle. After the area is determined, the intermediate node is selected in the same way as in circumstance 1 and represented by a yellow circle. 4.2.3. Circumstance 3 - OUT/CLOSE When the source node is outside the current mixing ring and the source node is closer to it, to enable a sufficiently large selection area of the intermediate node, the source node routes the data packets for a few hop counts in the direction away from the sink. In Fig. 5, the source node represented by the green star is quite close to the current mixing ring represented by a red line. Then, it selects the next hop from the neighbors away from the sink node until it is four hops away from the current source, thus ensuring that the area for selecting the intermediate node is sufficiently large. We call the last node the phantom node and represent it by a dark star. After determining the phantom node, the area where the intermediate node can be selected is determined by the sink node and the phantom source. Then, establishing a coordinate system is necessary. The line from the sink to the phantom source forms the X3 -axis, and the line through the sink and perpendicular

314

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323

to the X3 -axis (using the right-hand rule) forms the Y3 -axis. A circle can be drawn with the sink node at the center and the distance from the sink node to the phantom source as the radius, and the intermediate node is selected randomly within this area. Hence, to guarantee the routing path of the selected intermediate node without passing through the source node is as short as possible, the area is reduced to the right half of the Y3 -axis. In addition, the area enclosed by the right half of the current mixing ring and the Y3 -axis should be cut to ensure that the intermediate node and source would be on the same side of the current mixing ring. The boundary line of this area is indicated by a green dotted line in Fig. 5. Furthermore, to ensure that the routing path from the source node to the intermediate node does not pass through the source node, the intermediate node cannot be selected in the safety area enclosed by light gray circle. After the area is determined, the intermediate node is selected in the same way as in circumstance 1 and is represented by a green circle. 4.2.4. Circumstance 4 - OUT/FAR When the source node is outside the current mixing ring but farther from the sink node, selection of the intermediate node occurs as follows. As shown in Fig. 5, the line from the sink node to the source node, represented by purple star forms the X4 -axis, the line that passes the sink node and is perpendicular to the X4 -axis forms the Y4 -axis. In the coordinate system, a circle can be drawn with the sink node at the center and the distance from the sink node to the source as the radius. To ensure that the routing path from the intermediate node to the current mixing ring to be selected is as short as possible, the area is reduced to a semicircle above the X4 -axis. The purple dotted line indicates the boundary of the area from which the intermediate node can be selected. In addition, to ensure that the intermediate node and source are on the same side of the current mixing ring, a semicircle surrounded by the current mixing ring above the X4 -axis and the X4 -axis should be cut. Similar to circumstance 1, the intermediate nodes are selected within the allotted area to enhance packet transmission. It is represented by a purple circle. After determining the intermediate node, the packet transmission from the source node is stopped. More specially, if the source is in the current mixing ring, it acts as an intermediate node. The details of the process of mixing in the mixing ring are provided in the next section. 4.3. Mixing in the mixing ring 4.3.1. Overview of the proposed scheme Definition 1: An initial branch node is defined as the ring node selected to send a request packet for dummy data packets. Definition 2: Branch nodes consist of initial branch nodes and neighbor nodes that send dummy packets. When the data packets are sent to the intermediate node, it selects the neighbor node closest to the current mixing ring as the next hop to transmit the data packet to the ring node within the current mixing ring. After the data packet reaches the first ring node, the transmitting direction (clockwise or counterclockwise) is randomly selected with the same probability. Once a ring node receives the data packet, it first transmits the data packet to a node with the same hop count according to the transmitting direction, and then sends a request packet that includes the request to “send dummy packets” with probability p to the ring whose hop count exceeds that of the current mixing ring by one. The node that receives the request packet periodically sends a dummy data packet to the sender and continues to send the same request packet to a farther ring node until the request packet is received by a boundary node. The nodes sending dummy packets play the role of fake sources, and the dummy packets will be discarded once they are received by a node. When the angle between the ray from the sink node to the first ring node and the ray from the sink node to the current ring node is not less than a specific threshold angle α (α is evenly distributed between 0 and 4π ), the ring node stops selecting the next hop ring node and sends the data packets to the sink node through the shortest path routing algorithm. In Fig. 6, after the data packets are sent to the intermediate node, the intermediate node selects one of its neighbor nodes that are closer to the current mixing ring as the next hop until the data packet is received by a ring node, which is shown as node A. Node A then becomes the first ring node. After the data packet reaches node A, the clockwise direction is randomly selected. The real data packet is transmitted in turn through node A, node B,..., node P. Node C is selected as the initial branch node. It sends a request packet that includes the request to “send dummy packets” to the ring whose hop count exceeds the current mixing ring by one. The node that receives the request packet periodically sends a dummy data packet to node C and continues sending a request packet to a farther ring node until the boundary of the network. The other nodes that receive the request packet do the same. As shown in Fig. 6, if node C is selected as the initial branch node, node C sends a request packet to node D. At the same time, the real data packet is sent to node H with the same hop in the ring. After receiving the request packet of node C, node D sends dummy data packets periodically. Similarly, the request packets are sent by node E to the boundary of the network (e.g. node G) as well as from node E to node F in the process. The nodes on the current mixing ring that receive the dummy packets discard the fake packets and only relay the real packets along the current mixing ring. When the angle between the ray from the sink node to the first ring node A and the ray from the sink node to the current ring node P is not less than a preset angle, the ring node stops selecting the next hop ring node and starts sending data packets to the sink node. Obviously, the number of branch nodes affects the energy consumption and lifetime of the network. Therefore, the number of branch nodes will be discussed in the next section.

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323

315

Fig. 6. Progress of mixing in the mixing ring.

4.3.2. Number of branch nodes More branch nodes increase the number of dummy packets. However, more dummy data packets result in more energy consumption that affects the network lifetime. Meanwhile, too few branch nodes cannot guarantee a good SLP for the network. Therefore, it is important to select the proper number of branch nodes. (1) Generation of branch nodes In our proposed scheme, several fake sources are called branch nodes. They are generated when the first ring node starts to send messages to the sink node. As shown in Fig. 6, several branch nodes are selected from nodes on the routing path from the first ring node to the last ring node in the current mixing ring and are marked as the initial branch nodes (node C and node J). When an object (such as a panda) appears in the network, the sensor node closest to it becomes the source. The source node periodically sends a data packet to the sink as follows. The first packet is sent from the source node through the shortest path to the intermediate node, and then the intermediate node conveys the packet to the current mixing ring. Finally, the data packets are sent to the sink node. We call this routing path from the source node to sink the real path and call the routing path from the first ring node to the last ring node the real ring path. When a node on the real ring path receives a data packet from the first ring node, a random number q is generated. Parameter q is randomly distributed between 0 and 1. If q < p is satisfied, the fake source called the initial branch node is generated, where p is a system parameter. Parameter p correlates positively with the hops from the first ring node to the last ring node. It is distributed between Nα and Nβ to control the number of initial branch nodes. After the initial branch nodes are generated, more branch nodes are also generated to finish the extension of the fake routing path. More initial branch nodes are generated to extend the fake routing path. (2) Path extension After the initial branch nodes are selected, each of them will select the next hop from its neighbors, which has one more hop from the sink node than itself and then send a request packet to it. For instance, node C will select node D to send a request packet. When the data packet is intercepted by an adversary to divert its routing path, the real ring path and the routing path from C to D will form a fake path. The branch node acting as the fake source continues sending a request packet along the fake path. It then selects a new branch node from its neighbors, which is one more hop from the sink than itself, resulting in a longer fake routing path until the boundary of the network is reached. Moreover, the neighbors of the source cannot be selected as the new branch nodes. Otherwise, the adversary located at this new branch node may be led to the real routing path by the data packets. Therefore, the adversary moves away from the fake path instead of the real routing path. As shown in Fig. 6, node D is the neighbor of node C but not the neighbor of the source; therefore, it can be selected to be its successor. Similarly, node E can be selected to be the next hop of node D. In the same way, nodes E, F, and G are selected as the next hops along the fake path. Even though node D is a neighbor of several nodes on the real ring path, the transmission frequency of the first several nodes, such as nodes D and E, on the fake path along which data packets are sent is much faster than that of the real source. Therefore, the probability that the adversary will reconnect to the real routing path if it is located in node C is low. The fake path stops extending when it encounters boundary of the network. Similarly, node J is selected to become the initial branch node, and then nodes K, L, M, and Q are respectively selected as branch nodes to extend the fake path and enhance SLP as shown in Fig. 6. Moreover, the distance between branch nodes and the real real source are selected carefully to prevent the adversary’s attacks on the routing path. If an adversary is located in the visible area, it can be captured by the source. Therefore, the

316

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323

Fig. 7. Relationship between E(s) and l.

visible area of the real source cannot be concluded from the fake paths. The source launches limited flooding, and therefore, nodes that receive the flooding data packet, are ignored to improve the removal of fake paths from the real source. If a node is selected as branch node and acts as a fake source, its frequency for transmitting dummy packets affects the privacy of the source. As suggested in [26], the frequency for transmitting the dummy packet is similar to the real data so that there will be a trade-off between privacy and energy consumption. Over time, the number of branch nodes becomes larger and larger. The fake paths composed of branch nodes are extended, becoming longer. If the branch node transmits the data packet faster than the real source, the adversary will be attracted to it. Therefore, if we design a scheme where the frequency for transmitting the dummy packet is fast at the first several hops on the fake path, the adversary thinks that the real source is at the end of the fake path. In addition, to reduce energy consumption, the frequency for transmitting the dummy packet becomes slower gradually. Therefore, it can achieve a balance between SLP and energy consumption. (3) The number of branch nodes When path extension occurs, the number of branches greatly affects the safety and energy consumption of the whole network. More details are presented in the following sections. We use l to indicate the length of the real ring path from the first ring node to the last ring node. The parameter p represents the probability of the ring node in the current mixing ring being chosen to be the initial branch node. Fig. 7 represents the relationship between the expectation of s and the length l, where s is defined as the number of fake paths. In addition, the expectation E(s) and the probability p are satisfied with the formula E(s) = l × p. This means that the number of fake paths increases with the length of the real ring path from the first ring node to the last ring node. The more fake paths that exist, the more difficult it is for an adversary to track the real path. However, more fake paths lead to more energy consumption. To balance energy consumption and safety, we use two thresholds lα and lβ . Furthermore, parameter p is defined as shown in formula (1):

p=

⎧N α ⎪ ⎨ l , l ≤ lα

p0 , lα < l < lβ

⎪ ⎩ Nβ l

, lβ ≤ l

, p0 =

Nβ −Nα lβ −lα

(l − lα ) + Nα l

(1)

In formula (1), Nα and Nβ represent system parameters. If the length l is less than a certain value Nα , we assume a constant number of initial branch nodes in the real ring path to guarantee the safety of the source. Furthermore, if it exceeds another certain value Nβ , we assume that a constant number of initial branch nodes are generated, which reduces energy consumption. This ensures that a probable number of initial branch nodes is generated. This not only ensures a high SLP, but also saves energy consumption to a certain degree. In other words, it achieves a balance between SLP and energy.

4.4. Routing path from the current ring to the sink node When data packets arrive at the last ring node in the mixing ring, they are forwarded through the shortest routing path to the sink node, which requires less energy.

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323

317

Fig. 8. Dynamic movement of the mixing ring.

4.5. Dynamic movement of the mixing ring After a period of time, the ring nodes consume more energy than other nodes, and continuing operation may affect the normal function of the network. When the remaining energy of the node in the mixing ring reaches a specific threshold, a new mixing ring is dynamically generated. Similarly, when the energy of the node in the new mixing ring reaches a certain threshold again, a new dynamic mixing ring is generated again. The dynamic movement of the mixing ring not only balances the energy consumption, but also improves the network’s lifetime. When the minimum rest energy of the nodes in the current mixing ring reaches a certain threshold, the node broadcasts the message to the entire network. Nodes with the same hop from the sink node that receive the message are informed not to continue to act as ring nodes, such as node B in Fig. 8. Nodes with one more hop from the sink than the broadcasting node are informed to be the ring node in the new mixing ring, such as node A in Fig. 8. The other nodes that receive this message are informed of the location of the new mixing ring, such as node C in Fig. 8, thus forming a new mixing ring. The dynamic movement of the mixing ring makes it possible to achieve a balance between energy consumption and lifetime of the network when ensuring privacy of the source node. 5. Security analysis In this section, we introduce a theoretical analysis for the security of our proposed scheme. To ensure that our proposed scheme has higher privacy than RSIN and PEM, we introduce the concept of intermediate nodes and a mixing ring. The intermediate node is randomly selected in a semicircular or semi-ring region determined by the location of a randomly generated source node and a sink node. The region determined by the source node and the sink node ensures that the intermediate node is not too close to the source node and not too far away from the sink node. The intermediate node is randomly selected from this region. This leads to different routing paths of the continuous packets sent by the source node each time, which increases the diversity of the paths. Even if an adversary receives one of the packets and performs backtracking to track one hop, the next packet is then routed by a different routing method. The adversary is then farther away from the current routing path, and it is difficult to pinpoint the source location. It is difficult for an adversary to find the source location, which increases the location privacy of the source node. If a location of an intermediate nod is detected by the adversary, the source location remains protected from the adversary in the real source node. Therefore, the probability of selecting the same routing path for multiple events from the same source would be equal to zero for a large number of sensor networks. Second, the use of mixing rings further enhances the location privacy of the source node. After the randomly selected intermediate node sends a data packet to the current mixing ring, the mixing ring randomly selects the initial transmission direction (clockwise or counterclockwise), which increases the randomness of data packet transmission. The probability of selection in each direction would be half of the intermediate node. The ring node that receives the packet from the first ring node in the current ring randomly determines whether it becomes a branch node (with probability p). If there were n

318

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323 Table 1 Simulation parameters. Parameters

Value

Network size Number of sensor nodes Location of sink node Initial energy of sensor nodes Period of data packet (T) Communication radius of sensor nodes Nα Nβ lα lβ

1000 m × 1000 m 2500 (0, 0) 100 J 5s 50 m 6 18 14 40

sensor nodes in the current ring, the probability of selecting a branch node would be 1/n. The ring node that becomes the branch node sends a request packet that includes the information “request sending dummy packets” to the neighbor node in the ring whose own hop count from the sink node increases by one. The node that receives the request packet sends the dummy data packet to the sender. The node then sends the request packet in the same way until the boundary of the network is reached. The delivery of dummy packets makes it difficult for an adversary to identify the origin of real packets. Even if an adversary traces several nodes along a path, it may be misled by dummy data packets and be removed from the real path. Again, if there are another set of m branch nodes, we can find the probability of selecting the total branch nodes as 1/n × 1/m. In addition, the period of the dummy data packet is shorter than the period of the real data packet, and the adversary is likely tempted to trace along the fake routing path until the boundary of the network is reached so that the adversary is farther and farther removed from the real source, and more time is required for the adversary to find the real source. Thus, using an intermediate node and mixing ring enhances the SLP of the network. 6. Simulation results and performance analysis 6.1. Simulation environment and parameter configuration We evaluate the performance of our proposed DRBR scheme using the MATLAB platform. In the simulation, the network area is a square with a side length of 10 0 0 m with 250 0 randomly distributed sensor nodes. The sink node is the unique receiver for all packets and is located at the center of the whole network. The adversary is initially deployed around the sink node. We compare our proposed DRBR scheme with both RSIN [16] and PEM [15] with regard to safe time, intercept rate, energy consumption, and delay of data packet. The result of this comparison is represented below. More parameter details are shown in Table 1. 6.2. Performance analysis 6.2.1. Safe time Fig. 9 shows the simulation results for safe time against distance. As shown in Fig. 9, our proposed DRBR scheme has the longest safe time compared to the other two schemes. The meaning of H is hop count. Compared to RSIN [16], our proposed DRBR scheme has more limitations when selecting intermediate nodes. However, the location of the intermediate nodes has a relationship with both the position of the source node and sink node for the current mixing ring. These limitations lead to a less random selection of intermediate nodes, which reduces the possibility that intermediate nodes are distributed around the source node. This guarantees that it is difficult for the adversary to find the real source, even if the intermediate node has been compromised. Moreover, the delivery of the message in the mixing ring is different. Our proposed DRBR scheme uses its branch nodes to prevent adversary attacks on the routing path. In the RSIN scheme, messages are only delivered in the mixing ring. Therefore, our proposed DRBR scheme has a longer safe time per distance as compared to RSIN. Compared to PEM [15], the proposed DRBR scheme includes a process of selecting intermediate nodes and mixing the ring nodes that has more randomness than that used in PEM. As it is more difficult for the adversary to find the source node, the proposed DRBR has more safe time than PEM. 6.2.2. Intercept rate Intercept rate refers to the percentage of packets that are intercepted by the adversary among the packets sent by the source node. As shown in Fig. 10, the proposed DRBR has the lowest intercept rate among the three schemes. When the source node is far away from the sink node, the curve shows a downward trend. Because the farther the source node is from the sink node, the greater the difficulty the adversary faces when detecting the position of the source node. It is also more difficult for the adversary to intercept data packets. In our proposed DRBR scheme, the routing path becomes diversified when the distance from the source to the sink node increases. The increase in diversity causes a decline in interception rate.

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323

319

Fig. 9. Safe time versus distance to sink.

Fig. 10. Intercept rate versus distance to sink.

In the RSIN scheme, unlike in the DRBR scheme, the selection of the intermediate node is random; therefore, the intermediate node may be too close to the sink node, allowing the adversary to intercept new signals. In PEM, data packets are sent through the shortest path. As a result, the probability that the adversary can intercept new data packets is high, which explains the high intercept rate. Fig. 11 shows an increasing trend in the intercept rate with increasing side length of the grid. With increasing side length, fewer neighbor nodes can be selected as the next hop when transmitting the data packets, giving the adversary more chances to intercept other new nodes. 6.2.3. Energy consumption In this experiment, energy consumption refers to the average energy consumed by transmitting one data packet from the source towards the sink node. Regardless of the routing strategy used by the sensor networks, there is always a trade-

320

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323

Fig. 11. Intercept rate versus side length of grid.

Fig. 12. Energy consumption versus distance to sink.

off between security and energy consumption. If we only consider delay and energy consumption, it is best to route the message from the source to the sink node along the shortest path. However, in such a case, the adversary can easily find the source and capture the monitored assets. Fig. 12 depicts the simulation results of energy consumption. The proposed DRBR requires more energy to transmit one message to the sink node than PEM. This is because the PEM scheme uses a short routing path from the source node to the sink node. However, the proposed DRBR scheme routes through a randomly selected intermediate node and the mixing ring. Therefore, the DRBR scheme uses a longer routing path and consumes more energy as compared to PEM scheme. Compared to RSIN, DRBR requires less energy to transmit one message to the sink node. Although both DRBR and RSIN route through an intermediate node and the mixing ring, the selection of the intermediate node is limited by the position of the source node, current mixing ring, and sink node in DRBR. Therefore, the process from the source node to the intermediate node in DRBR costs less energy than that in RSIN.

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323

321

Fig. 13. Delay versus hops from source to sink.

6.2.4. Delay of the data packet In this work, we observed that the adversary is able to track back to the sender without delay based on the received signal. Thus, we compared the delay of a packet among DRBR, RSIN, and PEM. For simplicity, we define the hops of a real data packet from the source node to the sink node as a delay. Fig. 13 shows the delay under all three schemes. The delay of DRBR and RSIN is longer than that of PEM. This is because PEM routes a data packet along the shortest routing path from the source node to the sink node. In DRBR and RSIN, the real packet uses the intermediate node to send a data packet to the mixing ring. The routing path of the data packet is influenced by the delay. The longer the routing path is, the longer the delay of data packet from the source to the sink node is. Therefore, both DRBR and RSIN have a longer delays than PEM. With regard to the delay of DRBR and RSIN, both schemes have a similar delay during a short period. As we consider that events are randomly distributed, all the sensors in the network have the same possibility to sense events. Therefore, the energy consumption is randomly distributed with the same energy cost and network lifetime impact. In addition, the intermediate node of RSIN is randomly selected in the network except for the safety area. In DRBR, selection of an intermediate node is not completely random as an intermediate node is neither too close to the real source nor too close to the current ring. The intermediate node selection is limited to a specific area, which gives the RSIN scheme a shorter routing path from the source node. On the contrary, the DRBR scheme has a shorter number of hops in the mixing ring than the RSIN scheme, as it routes through several hops instead of a whole circle (like in RSIN) until the angle between the line from the sink node to the first ring node and the line from the sink node to the current ring node is not less than a threshold angle. This gives the DRBR scheme a shorter delay per hop than the RSIN scheme. 7. Conclusion We have investigated SLP in WSNs in this paper. We have proposed a dynamic ring-based routing scheme to ensure SLP. The scheme is divided into three stages. During the first stage, the intermediate node is selected based on the position of the source node, sink node, and the current mixing ring to send data packets to the randomly selected intermediate node. During the second stage, the intermediate node sends data packets to the mixing ring, which uses the ring nodes to mix the data packets, and the data packets are sent to a sink from the mixing ring via the shortest path during the third stage. The analysis and simulation results demonstrate that our proposed scheme ensures efficient SLP. Conflicts of Interest None. Acknowlgedgments The work is supported by the National Key Research and Development Program, No. 2017YFE0125300, the National Natural Science Foundation of China-Guangdong Joint Fund under Grant No. U1801264 the Jiangsu Key Research and Development Program, No. BE2019648, and in part by the Open fund of State Key Laboratory of Acoustics under Grant SKLA201901.

322

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323

References [1] W. Chen, M. Zhang, G. Hu, et al., Constrained random routing mechanism for source privacy protection in WSNs, IEEE Access 5 (5) (2017) 23171–23181. [2] G.J. Han, X. Yang, L. Liu, et al., A joint energy replenishment and data collection algorithm in wireless rechargeable sensor networks, IEEE Internet Things J. 5 (4) (2018) 2596–2604. [3] G.J. Han, X. Yang, W.B. Zhang, et al., A disaster management-oriented path planning for mobile anchor-based localization in wireless sensor networks, IEEE Trans. Emerg. Top. Comput. (2017), doi:10.1109/TETC.2017.2687319. [4] G.J. Han, L. Liu, W.B. Zhang, et al., A hierarchical jammed-area mapping service for ubiquitous communication in smart communities, IEEE Commun. Mag. 56 (1) (2018) 92–98. [5] P. Alejandro, L. Loukas, M. Krunz, Traffic decorrelation techniques for countering a global eavesdropper in WSNs, IEEE Trans. Mob. Comput. 16 (3) (2017) 857–871. [6] J. Long, M.X. Dong, K. Ota, et al., Achieving source location privacy and network lifetime maximization through tree-based diversionary routing in wireless sensor networks, IEEE Access 2 (2014) 633–651. [7] A.E.A.A. Abdulla, H. Nishiyama, J. Yang, HYMN: a novel hybrid multi-hop routing algorithm to improve the longevity of WSNs, IEEE Trans. Wirel. Commun. 11 (7) (2012) 2531–2541. [8] Y. Yang, M. Shao, S. Zhu, Towards statistically strong source anonymity for sensor networks, ACM Trans. Sens. Netw. 9 (3) (2013) 1–23. [9] Y. Li, J. Ren, Source-location privacy through dynamic routing in wireless sensor networks, Proce. IEEE INFOCOM (2010), doi:10.1109/INFCOM.2010. 5462096. [10] C. Ozturk, Y.Y. Zhang, W. Trappe, Source-location privacy in energy-constrained sensor network routing, ACM Worksh. Secur. Ad Hoc Sens. Netw. (2004), doi:10.1145/1029102.1029117. [11] C. Ozturk, Y.Y. Zhang, W. Trappe, Enhancing source-location privacy in sensor network routing, Dist. Comput. Syst. (2005), doi:10.1109/ICDCS.2005.31. [12] W.B. Yang, W.T. Zhu, Protecting source location privacy in wireless sensor networks with data aggregation, Inter. Conf. Ubi. Intel. Comput. 6406 (2010) 252–266. [13] A. Jhumka, M. Leeke, S. Shrestha, On the use of fake sources for source location privacy: trade-offs between energy and privacy, Comput. J. 54 (6) (2011) 860–874. [14] M. Qiucheng, J. Weipeng, S. Houbing, Differential privacy-based location privacy enhancing in edge computing, Concurr. Comput.-Pract. Exp. (2018), doi:10.1002/cpe.4735. [15] W. Tan, K. Xu, D. Wang, An anti-tracking source-location privacy protection protocol in WSNs based on path extension, IEEE Internet Things J. 1 (5) (2014) 461–471. [16] Y. Li, J. Ren, J. Wu, Quantitative measurement and design of source-location privacy schemes for wireless sensor networks, IEEE Parallel Distrib. Syst. 23 (7) (2012) 1302–1311. [17] O.Y. Yi, Z. Le, G. Chen, Entrapping adversaries for source protection in sensor networks, Mob. Multimed. Netw. (2006), doi:10.1109/WOWMOM.2006.40. [18] L. Kazatzopoulos, C. Delakouridis, G.F. Marias, IHIDE: hiding sources of information in WSNs, WorldCIS (2006), doi:10.1109/SECPERU.2006.11. [19] K. Mehta, D. Liu, M. Wright, Protecting location privacy in sensor networks against a global eavesdropper, IEEE Trans. Mob. Comput. 11 (2) (2012) 320–336. [20] L. Yao, L. Kang, F.Y. Deng, Protecting source-location privacy based on multirings in wireless sensor networks, Concurr. Comput.-Pract. Exp. 27 (15) (2015) 3863–3876. [21] Mahmoud, M.E.A. Mohamed, X. Shen, A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks, IEEE Trans. Parallel Distrib. Syst. 23 (10) (2012) 1805–1818. [22] I. Ullah, M.A. Shah, Wahid, et al., ESOT: a new privacy model for preserving location privacy in internet of things, Telecommun. Syst. (2017), doi:10. 1007/s11235- 017- 0352- x. [23] S. Alsemairi, M. Younis, Clustering-based mitigation of anonymity attacks in wireless sensor networks, IEEE Global Commun. Conf. (2019), doi:10.1109/ GLOCOM.2015.7417501. [24] L. Shu, Y. Zhang, L.T. Yang, et al., TPGF: geographic routing in wireless multimedia sensor networks, Telecommun. Syst. 44 (1–2) (2010) 79–95. [25] H. Chen, W. Lou, On protecting end-to-end location privacy against local eavesdropper in wireless sensor networks, Pervasive Mob. Comput. 16 (2015) 36–50. [26] Y. Jian, S. Chen, Z. Zhang, et al., A novel scheme for protecting receivers location privacy in wireless sensor networks, IEEE Wirel. Commun. 7 (10) (2008) 3769–3779. [27] M. Conti, J. Willemsen, B. Crispo, Providing source location privacy in wireless sensor networks: a survey, IEEE Commun. Surv. Tutor. 15 (3) (2013) 1238–1280. [28] H.W. Li, Y. Yang, T.H. Luan, Enabling fine-grained multi-keyword search supporting classified sub-dictionaries over encrypted cloud data, IEEE Trans. Dependable Secur. Comput. 13 (3) (2016) 312–325. [29] H.W. Li, D.X. Liu, Y.S. Dai, Engineering searchable encryption of mobile cloud networks: when QoE meets QoP, IEEE Wirel. Commun. 22 (4) (2015) 74–80. [30] X. Lin, R. Lu, X. Shen, et al., SAGE: a strong privacy-preserving scheme against global eavesdropping for ehealth systems, IEEE J. Sel. Areas Commun. 27 (4) (2009) 365–378. [31] H. Liu, H.S. Ning, Y. Zhang, Aggregated-proofs based privacy-preserving authentication for v2g networks in the smart grid, IEEE Trans. Smart Grid 3 (4) (2012) 1722–1733. [32] F. Kausar, S. Hussain, L.T. Yang, Scalable and efficient key management for heterogeneous sensor networks, J. Supercomput. 45 (1) (2008) 44–65. [33] H. Liu, H.s. Ning, Y. Zhang, Role-dependent privacy preservation for secure v2g networks in the smart grid, IEEE Trans. Inf. Forensic Secur. 9 (2) (2014) 208–220. Guangjie Han is currently a Professor with the Department of Information and Communication System, Hohai University, Changzhou, China and a Distinguished Professor of Dalian University of Technology, Dalian, China. He received the Ph.D. degree from Northeastern University, Shenyang, China, in 20 04. In February 20 08, he finished his work as a Postdoctoral Researcher with the Department of Computer Science, Chonnam National University, Gwangju, Korea. From October 2010 to October 2011, he was a Visiting Research Scholar with Osaka University, Suita, Japan. From January 2017 to February 2017, he was a Visiting Professor with City University of Hong Kong, China. He is the author of over 330 papers published in related international conference proceedings and journals, including the IEEE COMST, IEEE TMC, IEEE TIE, IEEE TII, IEEE TCC, IEEE TPDS, IEEE TVT, IEEE TETC, IEEE IoT Journal, IEEE TETCI, IEEE Systems, IEEE Sensors, IEEE Wireless Communications, IEEE Communications, IEEE Network, etc, and is the holder of 130 patents. Currently, his H-index is 33 and i10-index is 96 in Google Citation (Google Scholar). Total citation of his papers by other people is more than 4756 times. His current research interests include Internet of Things, Industrial Internet, Machine Learning and Artificial Intelligence, Mobile Computing, Security and Privacy. Dr. Han has served as a Co-chair for more than 50 international conferences/workshops and as a Technical Program Committee member of more than 150 conferences. He has served on the Editorial Boards of up to 16 international journals, including the IEEE JSAC, IEEE Network, IEEE Systems, IEEE ACCESS, IEEE/CCA JAS, Telecommunication Systems, etc. He has guest edited a number of special issues in IEEE Journals and Magazines, including the IEEE Communications, IEEE Wireless Communications, IEEE Transactions on Industrial Informatics, Computer Networks, etc. He has served as a Reviewer of more than 60 journals. He had been awarded the ComManTel 2014, ComComAP 2014, Chinacom 2014 and Qshine 2016 Best Paper Awards. He is a Senior Member of IEEE.

G. Han, M. Xu and Y. He et al. / Information Sciences 504 (2019) 308–323

323

Mengting Xu received the B.S. degree in College of Internet of Things from Hohai University, China, in 2017, where she is currently pursuing the M.S. degree. Her current research interests are security for wireless sensor networks.

Yu He received the B.S. degree in College of Internet of Things from Hohai University, China, in 2017, where he is currently pursuing the M.S. degree. His current research interests are security for underwater acoustic sensor networks.

Jinfang Jiang received the Ph.D. degree from the Department of Computer Science, Hohai University, Nanjing, China, in 2015. She is currently an associate professor with the Department of Information and Communication System, Hohai University, Nanjing, China. She has published over 40 papers in related international conferences and journals, including the IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, the IEEE TRANSACTIONS ON MOBILE COMPUTING, IEEE COMMUNICATIONS MAGAZINE, and so on. Her research interests include wireless sensor networks, mobile cloud computing, and information security technologies.

James Adu Ansere received his BSc in Physics from University of Cape Coast, Ghana in 2007 and MSc in Telecommunication Engineering from Blekinge Institute of Technology, Sweden, in 2012. He is a lecturer at Sunyani Technical University, Ghana. He is a peer reviewer for International Telecommunication System, IEEE ACCESS, and IEEE COMST. He has published in peer reviewed journals and conferences. Currently, he is doing his PhD at the College of Internet of Things Engineering, Hohai University, China. His research interests are internet of things, wireless sensor networks, and wireless communication networks. He was a recipient of the Sparbanksstiftelsen Kronan Award for Master’s Thesis in 2012, Sweden and Fellowship Award (FCIDA) from Civilian Institute of Democratic Administration, West Africa in 2017. He is a member of IEEE.

Wenbo Zhang is currently a professor of School of Information Science and Engineering, Shenyang Ligong University, China. He received his Ph.D. in Computer Science and Technology at Northeastern University, China, in March 2006. He has published over 100 papers in related international conferences and journals. He has served in the editorial board of up to 10 journals, including Chinese Journal of Electronics and Journal of Astronautics. He had been awarded the ICINIS 2011 Best Paper Awards and up to 9 Science and Technology Awards including the National Science and Technology Progress Award and Youth Science and Technology Awards from China Ordnance Society. His current research interests are Ad hoc networks, Sensor Networks, Satellite networks, Embedded systems.