Enhancing Source-Location Privacy in Sensor Network Routing

Reads0
Chats0
TLDR
This paper provides a formal model for the source-location privacy problem in sensor networks and examines the privacy characteristics of different sensor routing protocols, and devised new techniques to enhance source- location privacy that augment these routing protocols.
Abstract
One of the most notable challenges threatening the successful deployment of sensor systems is privacy. Although many privacy-related issues can be addressed by security mechanisms, one sensor network privacy issue that cannot be adequately addressed by network security is source-location privacy. Adversaries may use RF localization techniques to perform hop-by-hop traceback to the source sensor's location. This paper provides a formal model for the source-location privacy problem in sensor networks and examines the privacy characteristics of different sensor routing protocols. We examine two popular classes of routing protocols: the class of flooding protocols, and the class of routing protocols involving only a single path from the source to the sink. While investigating the privacy performance of routing protocols, we considered the tradeoffs between location-privacy and energy consumption. We found that most of the current protocols cannot provide efficient source-location privacy while maintaining desirable system performance. In order to provide efficient and private sensor communications, we devised new techniques to enhance source-location privacy that augment these routing protocols. One of our strategies, a technique we have called phantom routing, has proven flexible and capable of protecting the source's location, while not incurring a noticeable increase in energy overhead. Further, we examined the effect of source mobility on location privacy. We showed that, even with the natural privacy amplification resulting from source mobility, our phantom routing techniques yield improved source-location privacy relative to other routing methods.

Pandurang Kamat, Yanyong Zhang, Wade Trappe, Celal Ozturk
Wireless Information Network Laboratory (WINLAB)
Rutgers University, 73 Brett Rd., Piscataway, NJ 08854.
Email: {pkamat,yyzhang,trappe,celal}@winlab.rutgers.edu
I. INTRODUCTION
Sensor networks promise to have a significant commercial impact by providing strategic and timely data to new classes of realtime monitoring applications. One of the most notable challenges looming on the horizon that threatens successful deployment of sensor networks is privacy. Providing privacy in sensor networks is complicated by the fact that sensor networks consist of low-cost radio devices that employ readily-available, standardized wireless communication technologies. As an example, Berkeley Motes employ a tunable radio technology that is easily observable by spectrum analyzers, while other examples exist of sensor devices employing low-power versions of 802.11 wireless technologies. As a result of the open architecture of the underlying sensor technology, adversaries will be able to easily gain access to communications between sensor nodes either by purchasing their own low-cost sensor device and running it in a monitor mode, or by employing slightly more sophisticated software radios capable of monitoring a broad array of radio technologies.

Privacy may be defined as the guarantee that information, in its general sense, is observable or decipherable by only those who are intentionally meant to observe or decipher it. The phrase “in its general sense” is meant to imply that there may be types of information besides the message content that are associated with a message transmission. Consequently, the privacy threats that exist for sensor networks may be categorized into two broad classes: content-oriented security/privacy threats, and contextual privacy threats. Content-oriented security and privacy threats are issues that arise due to the ability of the adversary to observe and manipulate the exact content of packets being sent over the sensor network, whether these packets correspond to actual sensed data or sensitive lower-layer control information. Although issues related to sensor security are important, we believe many of the core problems associated with sensor security are on the road to eventual resolution due to an abundance of recent research by the technical community, cf. [1–3].

Contextual privacy issues associated with sensor communication, however, have not been as thoroughly addressed. In contrast to content-oriented security, the issue of contextual privacy is concerned with protecting the context associated with the measurement and transmission of sensed data. For many scenarios, general contextual information surrounding the sensor application, especially the location of the message originator, is sensitive and must be protected. This is particularly true when the sensor network monitors valuable assets, since protecting the asset’s location becomes critical.

Many of the privacy techniques employed in general network scenarios are not appropriate for protecting the source location in a sensor network [4–7]. This is partially due to the fact that the problems are different, and partially due to the fact that many of the methods introduce overhead which is too burdensome for sensor networks. One notable challenge that arises in sensor networks is that the shared wireless medium makes it feasible for an adversary to locate the origin of a radio transmission, thereby facilitating hop-by-hop traceback to the origin of a multi-hop communication.

To address source-location privacy for sensor networks, this paper provides a formal model for the source-location privacy problem and examines the privacy characteristics of different sensor routing protocols. We introduce two metrics for quantifying source-location privacy in sensor networks, the safety period and the capture likelihood. In our examination of popular routing techniques used in today’s sensor networks, we also considered important systems issues, like energy consumption, and found that most protocols cannot provide efficient source-location privacy. We propose new techniques to enhance source-location privacy that augment these routing protocols. It is important that this privacy enhancement does not come at a cost of a significant increase in resource consumption. We have devised a strategy, called phantom routing, that has proven flexible and capable of preventing the adversary from tracking the source location with minimal increase in energy overhead.

II. ASSET MONITORING SENSOR NETWORKS
One important class of future sensor-driven applications will be applications that monitor a valuable asset. For example, sensors will be deployed in natural habitats to monitor endangered animals, or may be used in tactical military deployments to provide information to networked operations. In these asset monitoring applications, it is important to provide confidentiality to the source sensor’s location.

In order to facilitate the discussion and analysis of source-location privacy in sensor networks, we need to select an exemplary scenario that captures most of the relevant features of both sensor networks and potential adversaries in asset monitoring applications. Throughout this paper, we use a generic asset monitoring application, which we have called the Panda-Hunter Game, as well as refer to a formal model for asset monitoring applications that can benefit from source-location privacy protection. In this section we begin by introducing the Panda-Hunter Game and the formal model, and then discuss how to model the Panda-Hunter Game using a discrete, event-driven simulation framework.
A. The Panda-Hunter Game
In the Panda-Hunter Game, a large array of panda-detection sensor nodes have been deployed by the Save-The-Panda Organization to monitor a vast habitat for pandas [8]. As soon as a panda is observed, the corresponding source node will make observations, and report data periodically to the sink via multi-hop routing techniques. The game also features a hunter in the role of the adversary, who tries to capture the panda by backtracing the routing path until it reaches the source. As a result, a privacy-cautious routing technique should prevent the hunter from locating the source, while delivering the data to the sink.

In the Panda-Hunter Game, we assume there is only a single panda, thus a single source, and this source can be either stationary or mobile. During the lifetime of the network, the sensor nodes will continually send data, and the hunter may use this to his advantage to track and hunt the panda. We assume that the source includes its ID in the encrypted messages, but only the sink can tell a node’s location from its ID. As a result, even if the hunter is able to break the encryption in a reasonably short time frame, it cannot tell the source’s location. In addition, the hunter has the following characteristics:

Non-malicious: The adversary does not interfere with the proper functioning of the network, otherwise intrusion detection measures might flag the hunter’s presence. For example, the hunter does not modify packets in transit, alter the routing path, or destroy sensor devices.

Device-rich: The hunter is equipped with devices, such as antennas and spectrum analyzers, so that it can measure the angle of arrival of a message and the received signal strength. From these two measurements, after it hears a message, it is able to identify the immediate sender and move to that node. We emphasize, though, that the hunter cannot learn the origin of a message packet by merely observing a relayed version of a packet. In addition, the hunter can detect the panda when it is near.

Resource-rich: The hunter can move at any rate and has an unlimited amount of power. In addition, it also has a large amount of memory to keep track of information such as messages that have been heard and nodes that have been visited.

Informed: To appropriately study privacy, we must apply Kerckhoffs’ Principle from security to the privacy setting [9]. In particular, Kerckhoffs’ Principle states that, in assessing the privacy of a system, one should always assume that the enemy knows the methods being used by the system. Therefore, we assume that the hunter knows the location of the sink node and knows the various methods being used by the sensor network to protect the panda.
B. A Formal Model
In order to understand the issue of location privacy in sensor communication, we now provide a formal model for the privacy problem. Our formal model involves the definition of a general asset monitoring network game, which contains the features of the Panda-Hunter game analyzed in this paper.

Definition 1: An asset monitoring network game is a six-tuple (N, S, A, R, H, M), where
1) $N = \{n_i\}_{i \in I}$ is the network of sensor nodes $n_i$, which are indexed using an index set I.
2) S is the network sink, to which all communication in the sensor network must ultimately be routed.
3) A is an asset that the sensor network monitors. Assets are characterized by the mobility pattern that they follow.
4) R is the routing policy employed by the sensors to protect the asset from being acquired or tracked by the hunter H.
5) H is the hunter, or adversary, who seeks to acquire or capture the asset A.
6) M is the set of movement rules that H follows in doing so.
The game progresses in time with the sensor node that is monitoring the asset periodically sending out messages.

The purpose of the network is to monitor the asset, while the purpose of the routing strategy is two-fold: to deliver messages to the sink and to enhance the location privacy of the asset in the presence of an adversarial hunter following a movement strategy. We are therefore interested in privacy measures and network efficiency metrics.
Definition 2: The privacy associated with a sensor network’s routing strategy R can be quantified through two differing performance metrics:
1) The safety period Φ of a routing protocol R for a given adversarial movement strategy M is the number of new messages initiated by the source node that is monitoring an asset before the adversary locates the asset.
2) The capture likelihood L of a routing protocol R for a given adversarial movement strategy M is the probability that the hunter can capture the asset within a specified time period.

On the other hand, the network’s performance may be quantified in terms of its energy consumption and the delivery quality. A sensor node consumes energy when it is sending messages, receiving messages, idling, computing, or sensing the physical world. Among all the operations, sending and receiving messages consume the most energy [10, 11]. We measure the energy consumed in a sensor network by the total number of messages that are sent by all the nodes within the entire network until the asset is captured. We assume that messages are all the same length, each sensor transmits with the same transmission power, and hence each transmission by each sensor requires an equal amount of energy. Consequently, the greater the number of messages required by a strategy, the more energy that strategy consumes. We use two metrics to measure the delivery quality. One is the average message latency, and the other is the event delivery ratio.

In order to illustrate the formal model of the asset monitoring game, we examine a special case of the Panda-Hunter Game. Suppose that we have a sensor network $N = \{n_i\}$, where the nodes $n_i$ are located on a two-dimensional integer grid, and that one of these nodes is designated as the network sink. Network devices might monitor a stationary panda, i.e. the asset A, located at a particular sensing node $n_A$. This node will periodically transmit sensor messages to the sink S following a routing policy R. One possible routing policy R might be to employ shortest-path routing, in which a single route is formed between the source and the sink S according to a gradient-based approach. A hunter H might start at the network sink S and might follow a movement strategy M. One possible movement strategy could involve H repeatedly determining the position of the node that relayed the sensor message and moving to that relay node. Another movement strategy might involve H initially moving two hops, in order to get a head start, and then continuing by moving one hop at a time. The safety period Φ corresponds to the number of messages transmitted by the source which, in the case of the first movement strategy, corresponds directly to the amount of time it takes the hunter to reach the panda. On the other hand, there is a possibility, in the second movement strategy, that the hunter might skip past the panda (when the panda is one hop from the sink), in which case the hunter will miss the panda entirely, and thus L < 1. Clearly, both the safety period Φ and the capture likelihood L depend on the location of the panda, the mobility of the panda, the routing strategy R and the movement rules M for the hunter.
C. Simulation Model
We have built a discrete event-based simulator to study the privacy protection of several routing techniques. We are particularly interested in large-scale sensor networks where there is a reasonably large separation between the source and the sink. In order to support a large number of nodes in our simulations, we have made a few approximations. Unless otherwise noted, for the simulation results provided in this paper, we have a network N of 10,000 randomly located nodes, and the hunter has a hearing radius equal to the sensor transmission radius.

In reality, wireless communication within one hop involves channel sensing (including backoffs) and MAC-layer retransmissions due to collisions. Our simulator ignores collisions. We emphasize that this should not have a noticeable effect on our accuracy for the following reasons. First, when more reliable MAC protocols are employed, the probability of collision decreases considerably, and channel sensing time may go up correspondingly. Second, sensor networks usually involve light traffic loads with small packets, which result in a lower likelihood of collisions. As a result, our simulator focuses on the channel sensing part. We employ a simple channel sensing model: if a node has m neighbors that may send packets concurrently, the gap before its transmission is a uniformly distributed random number between 1 and m clock ticks. Further, we argue that, although the absolute numbers we report in this paper may not directly calibrate to a real network, the observed performance trends should hold.

Next, let us look at how we implement the Panda-Hunter game in our simulator. In the game, the panda pops up at a random location. Section III considers the scenario where the panda stays at the source until it is caught, while Section IV investigates how the routing techniques perform for a moving panda. Once the hunter gets close to the panda (i.e., within hops from the panda), the panda is considered captured and the game is over. As soon as the panda appears at a location, the closest sensor node, which becomes the source, will start sending packets to the sink reporting its observations. The simulator uses a global clock and a global event queue to schedule all the activities within the network, including message sends, receives and data collections. The source generates a new packet every T clock ticks until the simulation ends, which occurs either when the hunter catches the panda or when the hunter cannot catch the panda within a threshold amount of time (e.g. the panda has returned to its cave).
III. PRIVACY PROTECTION FOR A STATIONARY SOURCE
Rather than build a completely new layer for privacy, we
take the viewpoint that existing technologies can be suitably
modified to achieve desirable levels of privacy. We will there-
fore examine several existing routing schemes R to protect the
source’s location, while simultaneously exploring how much
energy they consume. Specifically, we explore two popular
classes of routing mechanisms for sensor networks: flooding
and single-path routing. For each of these techniques, we pro-
pose modifications that allow for enhanced preservation of the
source’s location or allow us to achieve improved energy con-
servation. After exploring each of these two classes, we com-
bine our observations to propose a new technique, which we
call phantom routing, which has both a flooding and single-
path variation. Phantom routing is a powerful and effective
privacy enhancing strategy that carefully balances the tradeoffs
between privacy and energy consumption.
A. Baseline Routing Techniques
In sensor networks, flooding-based routing and single-path
routing are the two most popular classes of routing techniques.
In this study, we first examine baseline routing strategies R
from these two classes, and examine their capabilities in pro-
tecting the source-location privacy as well as in conserving en-
ergy in great depth.
1) Flooding-based Routing: Many sensor networks employ flooding to disseminate data and control messages [12–15]. In flooding, a message originator transmits its message to each of its neighbors, who in turn retransmit the message to each of their neighbors. Although flooding is known to have performance drawbacks, it nonetheless remains a popular technique for relaying information due to its ease of implementation, and the fact that minor modifications allow it to perform relatively well [16, 17].

In our baseline implementation of flooding, we have ensured that every node in the network only forwards a message once, and no node retransmits a message that it has previously transmitted. When a message reaches an intermediate node, the node first checks whether it has received that message before. If this is its first time, the node will broadcast the message to all its neighbors. Otherwise, it just discards the message. Realistically, this would require a cache at each sensor node. However, the cache size can easily be kept very small because we only need to store the sequence number of each message. We assume that each intermediate sensor node can successfully decrypt just the portion of the message corresponding to the sequence number to obtain the sequence number. Such an operation can easily be done using the CTR mode of encryption, since each keystream block depends only on the counter value and can be generated without processing the rest of the message. It is thus reasonable to expect that each sensor device will have enough cache to keep track of enough messages to determine whether it has seen a message before.
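The per-hop sequence-number check just described, as an added example (it is not the authors' code). Everything about the packet format is an assumption made here: a network-wide key shared by all sensors, a layout of nonce || CTR(seq || payload) with a 4-byte big-endian sequence number at the front of the encrypted body, and an HMAC-SHA256-based keystream standing in for the AES block cipher so the example runs on the Python standard library alone. The point it shows is that a relay decrypts only the bytes holding the sequence number, while the sink decrypts the whole body, and that a small bounded cache of sequence numbers is all the relay needs for the duplicate check.

```python
"""Per-hop sequence-number peek via CTR-mode random access, plus the relay's seen-cache.
Added example, not the paper's code.  Assumptions: shared network key, packet layout
nonce || CTR_{key,nonce}(seq || payload), 4-byte big-endian seq, and an HMAC-SHA256
keystream generator in place of AES (dependency-free stand-in, not a recommendation)."""
import collections
import hashlib
import hmac
import os
import struct

NONCE_LEN = 8
SEQ_LEN = 4
BLOCK = hashlib.sha256().digest_size  # 32 keystream bytes per counter value


def keystream_block(key, nonce, counter):
    """Keystream block for one counter value: PRF_key(nonce || counter).
    Real AES-CTR computes E_key(nonce || counter); HMAC is used here only to avoid
    a third-party dependency."""
    return hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()


def ctr_xor(key, nonce, data, offset=0):
    """XOR `data` with keystream bytes at stream positions offset .. offset+len(data)-1.
    Only the keystream blocks covering that range are generated: this is the random-access
    property that lets a relay decrypt one field without touching the rest of the packet."""
    out, blocks = bytearray(), {}
    for i, byte in enumerate(data):
        idx, pos = divmod(offset + i, BLOCK)
        if idx not in blocks:
            blocks[idx] = keystream_block(key, nonce, idx)
        out.append(byte ^ blocks[idx][pos])
    return bytes(out)


def build_packet(key, seq, payload, nonce=None):
    """Source side: fresh nonce per message (a nonce must never repeat under one key),
    then encrypt seq || payload.  The nonce itself travels in the clear."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    assert len(nonce) == NONCE_LEN
    return nonce + ctr_xor(key, nonce, struct.pack(">I", seq) + payload)


def relay_peek_seq(key, packet):
    """Intermediate node: recover only the sequence number.  SEQ_LEN ciphertext bytes
    (a single keystream block) are processed; the payload ciphertext is left as-is."""
    nonce, body = packet[:NONCE_LEN], packet[NONCE_LEN:]
    return struct.unpack(">I", ctr_xor(key, nonce, body[:SEQ_LEN]))[0]


def sink_decrypt(key, packet):
    """Sink: decrypt the whole body and split it back into (seq, payload)."""
    nonce, body = packet[:NONCE_LEN], packet[NONCE_LEN:]
    plain = ctr_xor(key, nonce, body)
    return struct.unpack(">I", plain[:SEQ_LEN])[0], plain[SEQ_LEN:]


class SeenCache:
    """Bounded memory of recently seen sequence numbers: the per-node 'have I already
    forwarded this?' check of baseline flooding.  Oldest entries are evicted first."""

    def __init__(self, capacity=64):
        self.capacity = capacity
        self._seen = collections.OrderedDict()

    def is_new(self, seq):
        if seq in self._seen:
            return False
        self._seen[seq] = True
        if len(self._seen) > self.capacity:
            self._seen.popitem(last=False)
        return True


def relay_forward_decision(key, packet, cache):
    """True if this relay should rebroadcast the packet, False if it is a duplicate."""
    return cache.is_new(relay_peek_seq(key, packet))


if __name__ == "__main__":
    key = b"constructed example key, not a real one"  # constructed sample input
    cache = SeenCache(capacity=8)
    pkt = build_packet(key, 7, b"panda seen at (4,5)")
    print("relay sees seq", relay_peek_seq(key, pkt), "forward:", relay_forward_decision(key, pkt, cache))
    print("duplicate copy forward:", relay_forward_decision(key, pkt, cache))
    print("sink recovers", sink_decrypt(key, pkt))
```

Two caveats a deployment would need beyond what the paper models: CTR mode gives no integrity, so a relay could not detect a tampered sequence number (the paper's hunter is non-malicious, so this is outside its threat model, but a MAC over the body would be the usual fix), and reusing a nonce under the same key leaks the XOR of the two plaintexts, which is why the nonce must be fresh per message even though the sequence number already differs.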

Probabilistic flooding [16, 17] was first proposed as an optimization of the baseline flooding technique to cut down energy consumption. In probabilistic flooding, only a subset of nodes within the entire network participate in data forwarding, while the others simply discard the messages they receive. The probability that a node forwards a message is referred to as the forwarding probability ($P_{forward}$), and plain flooding can be viewed as probabilistic flooding with $P_{forward} = 1$.

In our simulation, we implement probabilistic flooding as follows. Every time a node receives a new message (it discards any message that it has received before, no matter whether it forwarded it or not), it generates a random number q that is uniformly distributed between 0 and 1. If $q < P_{forward}$, the node will forward/broadcast this message to its neighbors. Otherwise, it will just discard that message. The parameter $P_{forward}$ is important to the overall performance of this approach. A small value can help reduce the energy consumption, though at the expense of lower network coverage and connectivity, while a large value can ensure higher network coverage and connectivity but will have a correspondingly higher energy consumption.
2) Single-Path Routing: Unlike flooding, a large number of energy-efficient routing techniques allow a node to forward packets only to one of (or a small subset of) its neighbors. This family of routing techniques is referred to as single-path routing in this paper (e.g., GPSR [18], trajectory-based routing [19], directed diffusion [14], etc.). Single-path routing techniques usually require either extra hardware support or a pre-configuration phase. For example, in [18], Karp and Kung propose to use the location information of a node, its neighbors and the destination to calculate a greedy single routing path. In [19], Niculescu and Nath propose trajectory-based routing, which uses the location information associated with a node and its neighbors to create a routing path along a specified trajectory. Such location information can be obtained by either using GPS or other means. In Directed Diffusion [14], an initial phase sets up the “gradients” from each sensor node towards the sink. Later in the routing phase, each intermediate forwarding node can use its neighbors’ gradients to implement single-path routing. Whenever the source or the sink changes, a re-configuration stage is required in order to reset the routes.

In this study, we try not to assume extra hardware for a normal sensor node. Instead, we use an initial configuration phase to set up the gradients, i.e. the hop count between each node and the sink. In the configuration phase, the sink initiates a flood, setting the initial hop count to 0. Any intermediate node will receive the packet many times. It makes sure that it only processes the packet from each of its neighbors once, discarding duplicates. Every time it receives the message, it increments the hop count in the message, records it in its local memory, and then broadcasts to its neighbors. After the initial phase, among all the hop counts it has recorded, a sensor node chooses the minimum value as its number of hops from the sink, and updates its neighbors with that number. Then, every sensor node maintains a neighbor list, which is rank-sorted in ascending order according to each neighbor’s hop count to the sink. The head of the list, which has the shortest distance to the sink, is said to have the maximum gradient towards the sink. In the baseline single-path routing protocol, as soon as the source generates a new packet, it forwards the packet to the neighbor with the maximum gradient. Every node along the routing path will repeat this process until the packet reaches the sink. Our version of single-path routing thus corresponds to shortest-path routing, and we use these two terms interchangeably.

Algorithm 1: Adversary Strategy I (Patient Adversary H)
    next_location = sink;
    while (next_location != source) do
        Listen(next_location);
        msg = ReceiveMessage();
        if (IsNewMessage(msg)) then
            next_location = CalculateImmediateSender(msg);
            MoveTo(next_location);
        end
    end
Algorithm 1: The adversary waits at a location until it receives a new message.
3) Adversary Model and Performance Comparison: Before we delve into the location-privacy protection capability of routing techniques, we define one class of hunter H. In Algorithm 1, the hunter follows a simple but natural adversary model, where the adversary starts from the sink, waits at a location until it hears a new message, and then moves to the immediate sender of that message. It repeats this sequence until it reaches the source location. In this model, the adversary assumes that as long as he is patient enough, he will obtain some information that can direct him to the source. We thus refer to this H model as a patient adversary.

Figures 1(a)-(d) provide the performance of these baseline routing techniques for a patient adversary for different source-sink distances. In this set of results, we have 10,000 nodes uniformly randomly distributed over a 6000 × 6000 m² network field. The average number of neighbors is 8.5. Among the 10,000 nodes, less than 1% are weakly connected, with fewer than 3 neighbors.
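The Panda-Hunter game of Sections II.B and II.C, the gradient setup and baseline routing schemes of Sections III.A.1 and III.A.2, and the patient adversary of Algorithm 1, as a small simulation added here; it is not the authors' simulator, and it also serves as a check on the safety-period claims in the performance comparison that follows. Assumptions that are not taken from the paper: nodes sit on a 4-neighbour w × w integer grid (the special case of Section II.B rather than 10,000 random nodes), every hop takes one clock tick with no collisions or channel-sensing delay, the hunter's hearing radius is one hop, ties between two senders heard in the same tick are broken by node id, and capture means the hunter is standing on the source node.

```python
"""Panda-Hunter game on an integer grid: sink-initiated gradient setup, (probabilistic)
flooding with a per-node seen-cache, baseline single-path routing, and the patient
adversary of Algorithm 1.  Added example, not the paper's simulator.  Assumptions: 4-neighbour
grid, unit hop delay, no collisions, hearing radius of one hop, ties broken by node id,
capture = hunter on the source node."""
import random
from collections import deque


def grid_network(w):
    """Adjacency lists for a w x w grid; node ids are (x, y) tuples."""
    nbrs = {}
    for x in range(w):
        for y in range(w):
            cand = ((x + 1, y), (x - 1, y), (x, y + 1), (x, y - 1))
            nbrs[(x, y)] = [(a, b) for a, b in cand if 0 <= a < w and 0 <= b < w]
    return nbrs


def setup_gradients(nbrs, sink):
    """Configuration phase of Section III.A.2: the sink floods a hop counter and each node
    keeps the minimum value it hears, i.e. a breadth-first search from the sink."""
    hops, queue = {sink: 0}, deque([sink])
    while queue:
        u = queue.popleft()
        for v in nbrs[u]:
            if v not in hops:
                hops[v] = hops[u] + 1
                queue.append(v)
    return hops


def single_path_route(nbrs, hops, source, sink):
    """Baseline single-path routing: hand the packet to the neighbour with the maximum
    gradient (smallest hop count).  Returns [(tick, sender, receiver), ...]."""
    events, cur, t = [], source, 0
    while cur != sink:
        nxt = min(nbrs[cur], key=lambda v: (hops[v], v))  # deterministic tie-break
        events.append((t, cur, nxt))
        cur, t = nxt, t + 1
    return events


def flood(nbrs, source, p_forward, rng):
    """(Probabilistic) flooding with a seen-cache: a node receiving a message for the first
    time forwards it with probability p_forward, later copies are always dropped.
    Returns ([(tick, sender), ...], set of nodes that received the message)."""
    seen, frontier, events, t = {source}, [source], [], 0
    while frontier:
        nxt = []
        for u in frontier:
            events.append((t, u))  # u broadcasts exactly once, at tick t
            for v in nbrs[u]:
                if v not in seen:
                    seen.add(v)
                    if rng.random() < p_forward:
                        nxt.append(v)
        frontier, t = nxt, t + 1
    return events, seen


def play_game(nbrs, hops, source, sink, routing, p_forward=1.0, seed=0, max_msgs=500):
    """One game with a stationary panda.  The source emits one message per round; the patient
    hunter (Algorithm 1) waits at its location until it hears a new message and moves to the
    immediate sender, i.e. the earliest broadcast it heard.  Returns (safety_period,
    total_transmissions, messages_delivered); safety_period is None if not captured."""
    rng = random.Random(seed)
    loc, total_tx, delivered = sink, 0, 0
    for msg in range(1, max_msgs + 1):
        if routing == "single-path":
            events = single_path_route(nbrs, hops, source, sink)
            heard = [(t, s) for t, s, _ in events if s in nbrs[loc]]
            delivered += 1
        else:
            events, reached = flood(nbrs, source, p_forward, rng)
            heard = [(t, s) for t, s in events if s in nbrs[loc]]
            delivered += sink in reached
        total_tx += len(events)
        if heard:
            loc = min(heard)[1]
        if loc == source:
            return msg, total_tx, delivered
    return None, total_tx, delivered


def compare(w=7, source=(4, 5), sink=(0, 0), seed=0):
    """Safety period and transmission counts of the three baseline strategies on one grid."""
    nbrs = grid_network(w)
    hops = setup_gradients(nbrs, sink)
    return {
        "shortest_path_hops": hops[source],
        "single-path": play_game(nbrs, hops, source, sink, "single-path"),
        "flooding": play_game(nbrs, hops, source, sink, "flooding", 1.0, seed),
        "prob-flooding-0.7": play_game(nbrs, hops, source, sink, "flooding", 0.7, seed),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

On the 7 × 7 grid that compare() uses, single-path routing and plain flooding both give a safety period equal to the 9-hop shortest path, which is the minimal privacy level the comparison below attributes to both: with flooding the first copy the hunter hears always comes from a neighbour one hop closer to the source. Probabilistic flooding with $P_{forward} = 0.7$ gives a longer, seed-dependent safety period at the cost of messages that never reach the sink, the tradeoff discussed under delivery quality.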
a) Delivery Quality: As expected, baseline flooding and shortest-path routing both give good delivery quality, namely a 100% delivery ratio (Figure 1(a)) and the lowest message latency (Figure 1(c)). On the other hand, probabilistic flooding may have a poorer delivery quality. In particular, we find that probabilistic flooding techniques with $P_{forward} < 0.7$ result in a low message delivery ratio, especially when the source and the sink are far apart. Figure 1(a) shows that for $P_{forward} = 0.5$, the message delivery ratio can drop below 5%. As a result, we focus our attention on probabilistic flooding techniques with $P_{forward} \geq 0.7$ in the discussion below.

[Figure 1 (plots not reproduced): performance of the baseline routing techniques against source-sink distance in hops (0 to 80), with curves for $P_{fwd}$ = 1.0, 0.9, 0.7 and shortest-path routing. (a) Message delivery ratio, 0 to 1 (this panel also includes $P_{fwd}$ = 0.5). (b) Number of transmissions per delivered message, 0 to 12,000. (c) Average message latency, 0 to 90. (d) Safety period, 0 to 140.]
Fig. 1. Performance of baseline routing techniques.
b) Energy Consumption: We use the number of transmissions to measure energy consumption, and instead of using the total energy consumed, we report energy consumption per successfully delivered message, since some of the messages may not reach the sink (for probabilistic flooding) and this metric captures the wasted energy. For baseline flooding, every message can successfully reach the sink, and each message incurs n transmissions, where n is the number of sensor nodes in the network. Similarly, single-path routing can deliver all the messages, while each message incurs h transmissions, where h is the number of hops in the shortest source-sink path. The number of transmissions per successfully delivered message is more complicated for probabilistic flooding schemes. Each message incurs about $n P_{forward}$ transmissions, yet there is no guarantee that each message reaches the sink. This behavior has been studied thoroughly by the community [16, 17].

The effective energy usage is reported in Figure 1(b). Shortest-path routing incurs a much lower energy consumption (h, as we discussed above). The three flooding-based techniques have similar energy consumption figures for each successfully delivered message (n, as we discussed above). We would like to point out that the data points below n = 10,000 for nearby source-sink configurations arise because we stopped the simulation as soon as the panda was caught, before the flooding of messages had finished.
c) Privacy Protection: Although single-path protocols
have desirable energy consumption since they reduce the num-
ber of messages sent/received, they are rather poor at protecting
the source location privacy (Figure 1(d)). Since only the nodes
that are on the routing path forward messages, the adversary
can track the path easily, and can locate the source within h
moves. The safety period Φ of baseline single-path routing
protocols is the same as the length of the shortest routing path
because the adversary can observe every single message the
source transmits.
At first glance, one may think that flooding can provide strong privacy protection since almost every node in the network participates in data forwarding, and the adversary may be led to the wrong source. Further inspection, however, reveals the contrary. We would like to emphasize that flooding provides the least possible privacy protection, as it allows the adversary to track and reach the source location within the minimum safety period. Figure 1(d) shows that flooding and shortest-path routing lead to the same minimal privacy level. Specifically, the safety period is the same as the hop count on the shortest path.
The poor privacy performance of flooding can be explained by considering the set of all paths produced by the flooding of a single message. This set consists of a mixture of different paths. In particular, it contains the shortest source-sink path. The shortest path is the most likely to reach the hunter first, and thus the hunter will always select the shortest path out of all paths produced by flooding.
In addition to its energy efficiency, probabilistic flooding can improve privacy protection as well. Imagine there exists a path {1, 2, 3, 4, sink}, and the adversary is waiting for a new message at node 4. In flooding, the subsequent message will certainly arrive at node 4. However, in probabilistic flooding, the subsequent message may not arrive at node 4, because neighboring nodes may not forward it, or it may take longer to arrive. As a result, the source will likely have to transmit more messages before the adversary can work his way back to the source. The more messages the adversary misses, the larger the safety period for the panda, and hence the more source-location protection is provided.
The primary observation is that it is hard for probabilistic flooding techniques to strike a good balance between privacy protection and delivery ratio. For instance, in our study, probabilistic flooding with P_forward = 0.7 can improve the safety period of baseline flooding roughly by a factor of 2. At the same time, however, it has a message delivery ratio of 70%, which may not be enough for some applications. On the other hand, P_forward = 0.9 gives a good delivery ratio, but its privacy level is only marginally improved compared to baseline flooding.
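To make the safety-period and energy comparison above concrete, here is an added toy simulation (not code from the paper) on a constructed grid network: a hunter starts at the sink and, for each message, moves to the neighbour it hears transmit earliest, under shortest-path routing, baseline flooding and probabilistic flooding. It assumes a 4-connected grid, a one-hop hearing range, one hunter move per message, and a sink that rebroadcasts like any other node so that baseline flooding costs n transmissions; all names are hypothetical.

```python
import random

W = 6                              # constructed toy topology: 6x6 grid, n = 36
SOURCE, SINK = (0, 0), (W - 1, W - 1)
H = 2 * (W - 1)                    # hop count h of the shortest source-sink path

def neighbors(u):
    x, y = u
    return [(x + dx, y + dy) for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1))
            if 0 <= x + dx < W and 0 <= y + dy < W]

def flood(p_forward, rng):
    """One flood of a single message. Every node that hears it for the first
    time rebroadcasts with probability P_forward (1.0 = baseline flooding).
    Returns {node: hop at which it transmitted} and the set of receivers."""
    tx, received, frontier = {SOURCE: 0}, {SOURCE}, [SOURCE]
    for hop in range(1, 2 * W):
        nxt = []
        for u in frontier:
            for v in neighbors(u):
                if v not in received:
                    received.add(v)
                    if rng.random() < p_forward:   # q < P_forward: forward once
                        tx[v] = hop
                        nxt.append(v)
        frontier = nxt
    return tx, received

def shortest_path(_p, _rng):
    """Single-path routing: only the h nodes on one fixed shortest path transmit."""
    path = [(x, 0) for x in range(W)] + [(W - 1, y) for y in range(1, W)]
    return {v: i for i, v in enumerate(path[:-1])}, set(path)

def simulate(route, p_forward, seed=7, max_msgs=500):
    """Hunter starts at the sink; on each message it moves to the neighbour it
    hears transmit earliest, or stays if it hears nothing. Returns the safety
    period (messages until it reaches the source, None if never), transmissions
    per delivered message, and the delivery ratio."""
    rng, hunter, tx_total, delivered = random.Random(seed), SINK, 0, 0
    for msg in range(1, max_msgs + 1):
        tx, received = route(p_forward, rng)
        if SINK in received:
            delivered, tx_total = delivered + 1, tx_total + len(tx)
        heard = [v for v in neighbors(hunter) if v in tx]
        if heard:
            hunter = min(heard, key=lambda v: tx[v])   # earliest transmitter wins
        if hunter == SOURCE:
            return msg, tx_total / max(delivered, 1), delivered / msg
    return None, tx_total / max(delivered, 1), delivered / max_msgs
```

Shortest-path routing and baseline flooding both yield a safety period of exactly h (10 here) at h and n transmissions per delivered message respectively; with P_forward = 0.7 the hunter sometimes hears nothing or hears a farther node first, so the safety period can only grow while the delivery ratio drops.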
B. Routing with Fake Sources
Baseline flooding and single-path routing cannot provide privacy protection because the adversary can easily identify the shortest path between the source and the sink. This behavior may be considered a result of the fact that there is a single source in the network, and that messaging naturally pulls the hunter to the source. This suggests that one approach we can take to alleviate the risk of a source-location privacy breach is to devise new routing protocols R that introduce more sources, which inject fake messages into the network.
In order to demonstrate the effectiveness of fake messaging, we assume that these messages are of the same length as the real messages, and that they are encrypted as well. Therefore, the adversary cannot tell the difference between a fake message and a real one. As a result, when a fake message reaches the hunter, he will think that it is a legitimate new message and will be guided towards the fake source.
One challenge with this approach is how to inject fake messages. We need to first decide how to create the fake sources, and when and how often these fake sources should inject false messages. Specifically, we want these fake sources to start only after the event is observed; otherwise the use of fake sources would consume precious sensor energy although there is no panda present to protect.
First, let us look at one naive injection strategy that does not require any additional overhead, which we refer to as the Short-lived Fake Source routing strategy. This strategy uses the constant P_fake to govern the fake message rate, and chooses P_fake ≈ 1/n. For any node within the network, after it receives a real message, it generates a random number q that is uniformly distributed between 0 and 1. If q < P_fake, then this node will produce a fake packet and flood it to the network. In this strategy, the fake source changes from one fake message to another. Although this strategy is easy to implement, it does not improve the privacy level of baseline flooding because the fake sources are short-lived. Even if the hunter is guided by one fake message towards a wrong location, there are no subsequent fake messages around that location to draw him even further away, so he can catch the next real message. As a result, we need a persistent fake source to mislead the hunter.
Thus, we introduce a Persistent Fake Source routing strategy. The basic idea of this method is that once a node decides to become a fake source, it will keep generating fake messages regularly so that the hunter can be misled. It is intuitive that a fake source close to the real source, or on the way from the sink to the source, can only help lead the adversary towards