Similar literature
Found 20 similar documents; search took 62 ms
1.
Anonymity technologies such as mix networks have gained increasing attention as a way to provide communication privacy. Mix networks were developed for message-based applications such as e-mail, but researchers have adapted mix techniques to low-latency flow-based applications such as anonymous Web browsing. Although a significant effort has been directed at discovering attacks against anonymity networks and developing countermeasures to those attacks, there is little systematic analysis of the quality of service (QoS) for such security and privacy systems. In this paper, we systematically address TCP performance issues of flow-based mix networks. A mix's batching and reordering schemes can dramatically reduce TCP throughput due to out-of-order packet delivery. We developed a theoretical model to analyze such impact and present formulas for approximate TCP throughput in mix networks. To improve TCP performance, we examined the approach of increasing TCP's duplicate threshold parameter and derived formulas for the performance gains. Our proposed approaches will not degrade the system anonymity degree since they do not change the underlying anonymity mechanism. Our data matched our theoretical analysis well. Our developed theoretical model can guide the deployment of batching and reordering schemes in flow-based mix networks and can also be used to investigate a broad range of reordering schemes.

2.
Mix-zones are recognized as an alternative and complementary approach to spatial cloaking based location privacy protection. Unlike spatial cloaking techniques that perturb the location resolution through location k-anonymization, mix-zones break the continuity of location exposure by ensuring that users’ movements cannot be traced while they are inside a mix-zone. In this paper we provide an overview of some known attacks that make mix-zones on road networks vulnerable and discuss a set of countermeasures to make road network mix-zones attack-resilient. Concretely, we categorize the vulnerabilities of road network mix-zones into two classes: one due to the road network characteristics and user mobility, and the other due to the temporal, spatial and semantic correlations of location queries. We propose efficient road network mix-zone construction techniques that are resilient to attacks based on road network characteristics. Furthermore, we enhance the road network mix-zone framework with the concept of delay-tolerant mix-zones that introduce a combination of spatial and temporal shifts in the location exposure of the users to achieve higher anonymity. We study the factors that impact the effectiveness of each of these attacks and evaluate the efficiency of the countermeasures through extensive experiments on traces produced by GTMobiSim at different scales of geographic maps.

3.
Skype is one of the most popular voice-over-IP (VoIP) service providers. One of the main reasons for the popularity of Skype VoIP services is its unique set of features to protect privacy of VoIP calls such as strong encryption, proprietary protocols, unknown codecs, dynamic path selection, and the constant packet rate. In this paper, we propose a class of passive traffic analysis attacks to compromise privacy of Skype VoIP calls. The proposed attacks are based on application-level features extracted from VoIP call traces. The proposed attacks are evaluated by extensive experiments over different types of networks including commercialized anonymity networks and our campus network. The experiment results show that the proposed traffic analysis attacks can greatly compromise the privacy of Skype calls. Possible countermeasures to mitigate the proposed traffic analysis attacks are analyzed in this paper.

4.
This paper presents a delay-tolerant mix-zone framework for protecting the location privacy of mobile users against continuous query correlation attacks. First, we describe and analyze the continuous query correlation attacks (CQ-attacks) that perform query correlation based inference to break the anonymity of road network-aware mix-zones. We formally study the privacy strengths of the mix-zone anonymization under the CQ-attack model and argue that spatial cloaking or temporal cloaking over road network mix-zones is ineffective and susceptible to attacks that carry out inference by combining query correlation with timing correlation (CQ-timing attack) and transition correlation (CQ-transition attack) information. Next, we introduce three types of delay-tolerant road network mix-zones (i.e., temporal, spatial and spatio-temporal) that are free from CQ-timing and CQ-transition attacks and, in contrast to conventional mix-zones, perform a combination of both location mixing and identity mixing of spatially and temporally perturbed user locations to achieve stronger anonymity under the CQ-attack model. We show that by combining temporal and spatial delay-tolerant mix-zones, we can obtain the strongest anonymity for continuous queries while making an acceptable tradeoff between anonymous query processing cost and temporal delay incurred in anonymous query processing. We evaluate the proposed techniques through extensive experiments conducted on realistic traces produced by GTMobiSim on different scales of geographic maps. Our experiments show that the proposed techniques offer a high level of anonymity and attack resilience to continuous queries.

5.
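To address the problems that traditional k-degree anonymity privacy-protection methods severely damage graph structure and cannot resist attacks based on structural background knowledge, an improved k-degree anonymity privacy-protection method is proposed. The concept of communities is introduced, and nodes are divided into two classes: nodes inside a community and edge nodes that connect communities. By distinguishing the importance of different nodes, degree anonymity is applied to nodes inside communities and community-sequence anonymity to edge nodes, thereby achieving k-degree anonymity for the whole social network. Experimental results show that the method reduces the loss of data utility, resists attacks that use a node's degree and its community relationships as background knowledge, and strengthens privacy protection.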

6.
In the arena of the Internet of Things, everyone has the ability to share every aspect of their lives with other people. Social media is the most popular and effective medium to provide communication. Social media has gripped our lives in a dramatic way. The privacy of users' data held by service providers needs to be preserved when it is published for research purposes, as the release of an individual's sensitive personal information may pose security threats. This has become an important research area nowadays. To some extent, the concepts of anonymization that were earlier used to preserve privacy of relational microdata have been applied to preserve privacy of social networks data. Anonymizing social networks data is challenging because it is a complex structure with users connected to one another in a graph, and the most important requirement is to preserve the structural properties of the graph depicting the social network relationships while applying such concepts. Recent studies based upon K-anonymity and L-diversity help to preserve privacy of online social networks data and subsequently identify attacks that arise while applying these techniques in different scenarios. K-anonymity equalizes the degree of the nodes to prevent the data from identity disclosure, but it cannot preserve sensitive information and cannot handle attacks arising from background knowledge and homogeneity. To cope with the drawbacks of K-anonymity, L-diversity was introduced, which protects the sensitive labels of the users. In this paper, a novel technique has been proposed which implements the combined features of K-anonymity and L-diversity. Our proposed approach has been validated using the data of a real-time social network, Twitter (the most popular microblogging network). The performance of the proposed technique has been measured by metrics such as average path length, average change in sensitive labels, and remaining ratio of top influential users. It thus becomes evident from the results that the values of these parameters attained with the proposed technique for the anonymized graph show minimal variation from those of the original structural graph. So, it is possible to retain the utility without compromising privacy while publishing social networks data. Further, the performance of the proposed technique has been discussed by calculating the information loss, which addresses the concern of preserving privacy with the least variation of actual content, viz. info loss.

7.
We present a thorough experimental and formal analysis of users’ privacy in mobile telephony systems. In particular, we experimentally analyse the use of pseudonyms and point out weak deployed policies leading to some critical scenarios which make it possible to violate a user’s privacy. We also expose some protocol vulnerabilities resulting in breaches of the anonymity and/or user unlinkability. We show that these breaches translate into actual attacks which are feasible to implement on real networks and discuss our prototype implementation. To counter these attacks, we propose realistic solutions. Finally, we provide the theoretical framework for the automatic verification of the unlinkability and anonymity of the fixed 2G/3G procedures and automatically verify them using the ProVerif tool.

8.
The Deep Neural Network (DNN), one of the most powerful machine learning algorithms, is increasingly leveraged to overcome the bottleneck of effectively exploring and analyzing massive data to boost advanced scientific development. It is not a surprise that cloud computing providers offer the cloud-based DNN as an out-of-the-box service. Though there are some benefits from the cloud-based DNN, the interaction mechanism among two or multiple entities in the cloud inevitably induces new privacy risks. This survey presents the most recent findings on privacy attacks and defenses that have appeared in cloud-based neural network services. We systematically and thoroughly review privacy attacks and defenses in the pipeline of cloud-based DNN service, i.e., data manipulation, training, and prediction. In particular, a new theory, called the cloud-based ML privacy game, is extracted from the recently published literature to provide a deep understanding of state-of-the-art research. Finally, the challenges and future work are presented to help researchers continue to push forward the competition between privacy attackers and defenders.

9.
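Liu Qilie, Chen Cheng. Computer Engineering, 2021, 47(11): 22-28
Communication entities in vehicle-to-grid (V2G) energy trading systems lack identity verification and anonymity protection, which creates security and privacy risks between electric vehicles (EVs) and V2G communication entities such as charging stations and data centers. A blockchain-based energy trading system model is established, in which the blockchain's distributed ledger is used to execute energy transactions and the elliptic curve digital signature algorithm and a one-way hash function are used for identity verification. An anonymous authentication scheme is designed to achieve privacy protection and mutual authentication among EVs, charging stations and data centers while minimizing the EV's communication and computation overhead. Performance analysis shows that the scheme effectively resists impersonation, replay, eavesdropping and other attacks, and that, compared with existing schemes, it reduces the EV's communication cost by about 25% and computation time by about 33% on average during authentication.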

10.
Correlated network data publication via differential privacy (total citations: 1; self-citations: 0; citations by others: 1)
With the increasing prevalence of information networks, research on privacy-preserving network data publishing has received substantial attention recently. There are two streams of relevant research, targeting different privacy requirements. A large body of existing work focuses on preventing node re-identification against adversaries with structural background knowledge, while some other studies aim to thwart edge disclosure. In general, the line of research on preventing edge disclosure is less fruitful, largely due to the lack of a formal privacy model. The recent emergence of differential privacy has shown great promise for rigorous prevention of edge disclosure. Yet recent research indicates that differential privacy is vulnerable to data correlation, which hinders its application to network data that may be inherently correlated. In this paper, we show that differential privacy could be tuned to provide provable privacy guarantees even in the correlated setting by introducing an extra parameter, which measures the extent of correlation. We subsequently provide a holistic solution for non-interactive network data publication. First, we generate a private vertex labeling for a given network dataset to make the corresponding adjacency matrix form dense clusters. Next, we adaptively identify dense regions of the adjacency matrix by a data-dependent partitioning process. Finally, we reconstruct a noisy adjacency matrix by a novel use of the exponential mechanism. To the best of our knowledge, this is the first work providing a practical solution for publishing real-life network data via differential privacy. Extensive experiments demonstrate that our approach performs well on different types of real-life network datasets.

11.
End-to-end data aggregation, without degrading sensing accuracy, is a very relevant issue in wireless sensor networks (WSN) that can prevent network congestion from occurring. Moreover, privacy management requires that anonymity and data integrity are preserved in such networks. Unfortunately, no integrated solutions able to tackle both issues in a unified and general environment have been proposed so far. To bridge this gap, in this paper we present an approach for dynamic secure end-to-end data aggregation with privacy function, named DyDAP. It has been designed starting from a UML model that encompasses the most important building blocks of a privacy-aware WSN, including aggregation policies. Furthermore, it introduces an original aggregation algorithm that, using a discrete-time control loop, is able to dynamically handle in-network data fusion to reduce the communication load. The performance of the proposed scheme has been verified using computer simulations, showing that DyDAP avoids network congestion and therefore improves WSN estimation accuracy while, at the same time, guaranteeing anonymity and data integrity.

12.
In-network caching is a fundamental mechanism advocated by information-centric networks (ICNs) for efficient content delivery. However, this new mechanism also brings serious privacy risks due to cache snooping attacks. One effective solution to this problem is random-cache, where the cache in a router randomly mimics a cache hit or a cache miss for each content request/probe. In this paper, we investigate the effectiveness of using multiple random-caches to protect cache privacy in a multi-path ICN. We propose models for characterizing the privacy of multi-path ICNs with random-caches, and analyze two different attack scenarios: 1) prefix-based attacks and 2) suffix-based attacks. Both homogeneous and heterogeneous caches are considered. Our analysis shows that in a multi-path ICN an adversary can potentially gain more privacy information by adopting prefix-based attacks. Furthermore, heterogeneous caches provide much better privacy protection than homogeneous ones under both attacks. The effect of different parameters on the privacy of multi-path random-caches is further investigated, and the comparison with its single-path counterpart is carried out based on numerical evaluations. The analysis and results in this paper provide insights for designing and evaluating multi-path ICNs when we take privacy into consideration.

13.
Neural networks have been an active research area for decades. However, privacy bothers many when the training dataset for the neural networks is distributed between two parties, which is quite common nowadays. Existing cryptographic approaches such as the secure scalar product protocol provide a secure way for neural network learning when the training dataset is vertically partitioned. In this paper, we present a privacy-preserving algorithm for neural network learning when the dataset is arbitrarily partitioned between the two parties. We show that our algorithm is very secure and leaks no knowledge (except the final weights learned by both parties) about the other party’s data. We demonstrate the efficiency of our algorithm by experiments on real-world data.

14.
Recently, multihop wireless mesh networks (WMNs) have attracted increasing attention and deployment as a low-cost approach to provide broadband Internet access at metropolitan scale. Security and privacy issues are of most concern in pushing the success of WMNs for their wide deployment and for supporting service-oriented applications. Despite the necessity, limited security research has been conducted toward privacy preservation in WMNs. This motivates us to develop PEACE, a novel Privacy-Enhanced yet Accountable seCurity framEwork, tailored for WMNs. On one hand, PEACE enforces strict user access control to cope with both free riders and malicious users. On the other hand, PEACE offers sophisticated user privacy protection against both adversaries and various other network entities. PEACE is presented as a suite of authentication and key agreement protocols built upon our proposed short group signature variation. Our analysis shows that PEACE is resilient to a number of security and privacy related attacks. Additional techniques were also discussed to further enhance scheme efficiency.

15.
Recently, more and more social network data have been published in one way or another. Preserving privacy in publishing social network data becomes an important concern. With some local knowledge about individuals in a social network, an adversary may attack the privacy of some victims easily. Unfortunately, most of the previous studies on privacy-preserving data publishing can deal with relational data only, and cannot be applied to social network data. In this paper, we take an initiative toward preserving privacy in social network data. Specifically, we identify an essential type of privacy attack: neighborhood attacks. If an adversary has some knowledge about the neighbors of a target victim and the relationship among the neighbors, the victim may be re-identified from a social network even if the victim’s identity is preserved using the conventional anonymization techniques. To protect privacy against neighborhood attacks, we extend the conventional k-anonymity and l-diversity models from relational data to social network data. We show that the problems of computing optimal k-anonymous and l-diverse social networks are NP-hard. We develop practical solutions to the problems. The empirical study indicates that the social network data anonymized by our methods can still be used to answer aggregate network queries with high accuracy.

16.
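Yang Guanci, Yang Jing, Su Zhidong, Chen Zhanjie. Acta Automatica Sinica, 2018, 44(12): 2238-2249
To improve YOLO's ability to recognize small objects and to address information loss during its feature extraction, an improved YOLO feature-extraction algorithm is proposed. The object detection methods DPM and R-FCN are integrated into YOLO, and an improved neural network structure is designed that contains one fully connected layer and a pooling-then-convolution feature-extraction pattern to reduce the loss of feature information. Then a sliding-window merging algorithm based on RPN is designed, yielding the feature-extraction algorithm based on improved YOLO. A service-robot situation detection platform is built, and the overall workflow of service-robot situation detection is given. Six classes of situations in a home environment are designed, and a training dataset, a validation dataset and four classes of test datasets are built. The relationships between training steps and the estimated prediction probability, and between learning rate and recognition accuracy, are tested and analyzed, and empirical values of training steps and learning rate suitable for the proposed algorithm are found. Test results show that the proposed algorithm achieves a privacy-situation detection accuracy of 94.48% and has strong recognition robustness. Finally, a comparison with the YOLO algorithm shows that the proposed algorithm outperforms YOLO in recognition accuracy.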

17.
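During data forwarding in opportunistic networks, nodes must rely on unfamiliar nodes to help forward information or must receive data from unfamiliar nodes, and this forwarding mechanism poses a serious privacy and security risk to ordinary users. Therefore, to address security problems such as malicious nodes stealing user privacy in opportunistic networks, this paper designs an optimal defense strategy for users of opportunistic networks to prevent leakage of personal privacy. First, a system model for opportunistic networks is established, and a Markov chain is used to describe how an ordinary user's personal information changes. On the basis of the system model, stochastic game theory is used to model the attack-defense relationship between users and attackers. Then a defense strategy based on the minimax learning algorithm is proposed. Finally, comparative experiments against traditional defense algorithms show that the algorithm not only converges faster but also, while satisfying a certain user quality of service, consistently outperforms other defense strategies, making it an efficient privacy-protection security mechanism for opportunistic networks.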

18.
Kerberos is one of the most well-respected and widely used authentication protocols in open and insecure networks. It is envisaged that its impact will increase as it comprises a reliable and scalable solution to support authentication and secure service acquisition in the Next Generation Networks (NGN) era. This means, however, that security and privacy issues related to the protocol itself must be carefully considered. This paper proposes a novel two-level privacy framework, namely PrivaKERB, to address user privacy in Kerberos. Our solution offers two privacy levels to cope with user anonymity and service access untraceability. We detail how these modes operate in preserving user privacy in both single-realm and cross-realm scenarios. By using the extensibility mechanisms already available in Kerberos, PrivaKERB does not change the semantics of messages and enables future implementations to maintain interoperability. We also evaluate our solution in terms of service time and resource utilization. The results show that PrivaKERB is a lightweight solution imposing negligible overhead on both the participating entities and the network.

19.
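Wei Wei, Li Yang, Zhang Weiqun. Computer Science, 2012, 39(3): 104-106
With the rapid development of network information technology, social networks have emerged rapidly. To address privacy protection in social networks, a privacy-protection method based on the GSNPP algorithm is proposed. It clusters the nodes of a social network and then performs intra-cluster and inter-cluster generalization on the resulting clusters to anonymize the social network, with the aim of protecting privacy; it also quantifies the loss of different types of information caused by the anonymization process. Finally, experiments verify the feasibility and effectiveness of the method.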

20.
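Edge-weight attacks and location-semantic attacks infer a user's location from the surroundings of a mobile user's activity, leaking the user's location privacy. To address this problem, a location-semantic-secure privacy-protection method that resists edge-weight attacks is proposed. The method combines the sensitivity and the correlation of roads to construct a road privacy degree, which describes the sensitivity of a road with respect to semantic locations and the balance of the distribution of user counts between the road and the other roads in the anonymity set. Based on a central-server architecture and according to the user's location privacy requirements, breadth-first search is used to select the roads with the smallest road privacy degree and add them to the anonymity set, producing an anonymity set that is semantically secure and resistant to edge-weight inference attacks. Simulation results show that the anonymity success rate of the anonymity sets selected by the method reaches 87%, and that its resistance to edge-weight attacks and semantic attacks is higher than that of the compared algorithms.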

Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号