Julien Freudiger

École Polytechnique Fédérale de Lausanne, Lausanne, Vaud, Switzerland

Are you Julien Freudiger?

Claim your profile

Publications (26)5.83 Total impact

  • [Show abstract] [Hide abstract]
    ABSTRACT: In mobile networks, authentication is a required primitive for most security protocols. Unfortunately, an adversary can monitor pseudonyms used for authentication to track the location of mobile nodes. A frequently proposed solution to protect location privacy suggests that mobile nodes collectively change their pseudonyms in regions called mix zones. This approach is costly. Self-interested mobile nodes might, thus, decide not to cooperate and jeopardize the achievable location privacy. In this paper, we analyze non-cooperative behavior of mobile nodes by using a game-theoretic model, where each player aims at maximizing its location privacy at a minimum cost. We obtain Nash equilibria in static n-player complete information games. As in practice mobile nodes do not know their opponents' payoffs, we then consider static incomplete information games. We establish that symmetric Bayesian-Nash equilibria exist with simple threshold strategies. By means of numerical results, we predict behavior of selfish mobile nodes. We then investigate dynamic games where players decide to change their pseudonym one after the other and show how this affects strategies at equilibrium. Finally, we design protocols-PseudoGame protocols-based on the results of our analysis and simulate their performance in vehicular network scenarios.
    IEEE Transactions on Dependable and Secure Computing 03/2013; 10(2):84-98. · 1.06 Impact Factor
  • [Show abstract] [Hide abstract]
    ABSTRACT: Wireless networks offer novel means to enhance social interactions. In particular, peer-to-peer wireless communications enable direct and real-time interaction with nearby devices and communities and could extend current online social networks by providing complementary services including real-time friend and community detection and localized data sharing without infrastructure requirement. After years of research, the deployment of such peer-to-peer wireless networks is finally being considered. A fundamental primitive is the ability to discover geographic proximity of specific communities of people (e.g, friends or neighbors). To do so, mobile devices must exchange some community identifiers or messages. We investigate privacy threats introduced by such communications, in particular, adversarial community detection. We use the general concept of community pseudonyms to abstract anonymous community identification mechanisms and define two distinct notions of community privacy by using a challenge-response methodology. An extensive cost analysis and simulation results throw further light on the feasibility of these mechanisms in the upcoming generation of wireless peer-to-peer networks.
    Mobile Networks and Applications 01/2013; 18(3). · 1.11 Impact Factor
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Pervasive social networks extend traditional social networking by enabling users to share information in a peer-to-peer fashion using their wireless mobile devices. Contrary to traditional online social networks, privacy protection in such networks depends heavily on users' context (time, location, activity, etc.) and their sensitivity to the shared data and context. Existing privacy-preserving mechanisms do not adapt well to different data, context and user sensitivities. In this work, we follow a fresh approach for privacy preservation, called privacy-triggered communications; it allows users in such pervasive networks to dynamically regulate their communications based on their context and on the evolution of their privacy in that context. Our initial results show that this is a feasible strategy for privacy management in pervasive social networking scenarios.
    World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2011 IEEE International Symposium on a; 07/2011
  • Source
    Julien Freudiger, Reza Shokri, Jean-Pierre Hubaux
    [Show abstract] [Hide abstract]
    ABSTRACT: In modern mobile networks, users increasingly share their location with third-parties in return for location-based services. In this way, users obtain services customized to their location. Yet, such communications leak location information about users. Even if users make use of pseudonyms, the operators of location-based services may be able to identify them and thus affect their privacy. In this paper, we provide an analysis of the erosion of privacy caused by the use of location-based services. To do so, we experiment with real mobility traces and measure the dynamics of user privacy. This paper thus details and quantifies the privacy risks induced by the use of location-based services.
    02/2011;
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Users of mobile networks can change their identifier in regions called mix zones in order to defeat the tracking of their location by third parties. Mix zones must be carefully deployed in the network to reduce the cost induced on mobile users and to provide high location privacy. Unlike most previous work that considers a global adversary, we consider a local adversary equipped with multiple eavesdropping stations. We study the interaction between the local adversary deploying eavesdropping stations to track mobile users and mobile users deploying mix zones to protect their location privacy. We use a game-theoretic model to predict the strategies of both players. We derive the strategies at equilibrium in complete and incomplete information scenarios and propose an algorithm to converge to the equilibrium. Finally, based on real road traffic information, we numerically quantify the effect of complete and incomplete information on the strategies of mobile users and of the adversary. In complete information scenarios, mobile users and the adversary tend to adopt complementary strategies: users place mix zones where there is no eavesdropping station, and vice versa. In incomplete information scenarios, the location privacy level achieved by mobile users depends on their level of uncertainty about the strategy of the adversary.
    11/2010;
  • Source
    Reza Shokri, Julien Freudiger, Jean-Pierre Hubaux
    [Show abstract] [Hide abstract]
    ABSTRACT: We introduce a novel framework that provides a logical structure for classifying and organizing fundamental components and concepts of location privacy. Our framework models mobile networks and applications, threats, location-privacy preserving mechanisms, and metrics. We demonstrate the relevance of our framework by showing how the existing proposals in the field of location privacy are embodied appropriately in the framework. Our framework provides "the big picture" of research on location privacy and hence aims at paving the way for future research. It helps researchers to better understand this field of research, identify open problems, appropriately design new schemes, and position their work with respect to other efforts. The terminology proposed in this framework also facilitates establishing an inter-disciplinary research community on location privacy.
    Hot Topics in Privacy Enhancing Technologies. 09/2010;
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Online advertising is a major source of revenues in the Internet. In this paper, we identify a number of vulnerabilities of current ad serving systems. We describe how an adversary can exploit these vulnerabilities to divert part of the ad revenue stream for its own benefit. We propose a collaborative secure scheme to fix this problem. The solution relies on the fact that most of online advertising networks own digital authentication certificates and can become a source of trust. We also explain why the deployment of this solution would benefit the Web browsing security in general.
    08/2010;
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: In many envisioned mobile ad hoc networks, nodes are expected to periodically beacon to advertise their presence. In this way, they can receive messages addressed to them or participate in routing operations. Yet, these beacons leak information about the nodes and thus hamper their privacy. A classic remedy consists of each node making use of (certified) pseudonyms and changing its pseudonym in specific locations called mix zones. Of course, privacy is then higher if the pseudonyms are short-lived (i.e., nodes have a short distance-to-confusion), but pseudonyms can be costly, as they are usually obtained from an external authority. In this paper, we provide a detailed analytical evaluation of the age of pseudonyms based on differential equations. We corroborate this model by a set of simulations. This paper thus provides a detailed quantitative framework for selecting the parameters of a pseudonym-based privacy system in peer-to-peer wireless networks.
    INFOCOM, 2010 Proceedings IEEE; 04/2010
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Wireless Sensor Networks (WSNs) allow the monitoring of activity or environmental conditions over a large area, from homes to industrial plants, from agriculture fields to forests and glaciers. They can support a variety of applications, from assisted living to natural disaster prevention. WSNs can, however, be challenging to setup and maintain, reducing the potential for real-world adoption. To address this limitation, this paper introduces SensorTune, a novel mobile interface to support non-expert users in iteratively setting up a WSN. SensorTune uses non-speech audio to present to its users information regarding the connectivity of the network they are setting up, allowing them to decide how to extend it. To simplify the interpretation of the data presented, the system adopts the metaphor of tuning a consumer analog radio, a very common and well known operation. A user study was conducted in which 20 subjects setup real multi-hop networks inside a large building using a limited number of wireless nodes. Subjects repeated the task with SensorTune and with a comparable mobile GUI interface. Experimental results show a statistically significant difference in the task completion time and a clear preference of users for the auditory interface.
    Proceedings of the SIGCHI Conference on Human Factors in Computing Systems; 04/2010
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: There is a rich collection of literature that aims at protecting the privacy of users querying location-based services. One of the most popular location privacy techniques consists in cloaking users' locations such that k users appear as potential senders of a query, thus achieving k-anonymity. This paper analyzes the effectiveness of k-anonymity approaches for protecting location privacy in the presence of various types of adversaries. The unraveling of the scheme unfolds the inconsistency between its components, mainly the cloaking mechanism and the k-anonymity metric. We show that constructing cloaking regions based on the users' locations does not reliably relate to location privacy, and argue that this technique may even be detrimental to users' location privacy. The uncovered flaws imply that existing k-anonymity scheme is a tattered cloak for protecting location privacy.
    01/2010;
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: We propose a novel framework for measuring and evaluating location privacy preserving mechanisms in mobile wireless networks. Within this framework, we first present a formal model of the system, which provides an efficient representation of the network users, the adversaries, the location privacy preserving mechanisms and the resulting location privacy of the users. This model is general enough to accurately express and analyze a variety of location privacy metrics that were proposed earlier. We provide formal representations of four among the most relevant categories of location privacy metrics, by using the proposed model. We also present a detailed comparative analysis of these metrics based on a set of criteria for location privacy measurement. Finally, we propose a novel and effective metric for measuring location privacy, called distortion-based metric, which satisfies these criteria for privacy measurement and is capable of capturing the mobile users' location privacy more precisely than the existing metrics. Our metric measures location privacy as the expected level of distortion of the adversary's hypothesized trajectories of the users, considering the adversary's knowledge and also the observed parts of the users' trajectories.
    11/2009;
  • Source
    Julien Freudiger, Reza Shokri, Jean-Pierre Hubaux
    [Show abstract] [Hide abstract]
    ABSTRACT: In mobile wireless networks, third parties can track the location of mobile nodes by monitoring the pseudonyms used for identification. A frequently proposed solution to protect the location privacy of mobile nodes suggests to change pseudonyms in regions called mix zones. In this paper, we propose a novel metric based on the mobility profiles of mobile nodes to evaluate the mixing effectiveness of possible mix zone locations. Then, as the location privacy achieved with mix zones depends on their placement in the network, we analyze the optimal placement of mix zones with combinatorial optimization techniques. The proposed algorithm maximizes the achieved location privacy in the system and takes into account the cost on mobile nodes induced by mix zones. By means of simulations, we show that the placement recommended by our algorithm significantly reduces the tracking success by the adversary.
    01/2009;
  • Source
    Julien Freudiger, Maxim Raya, Jean-Pierre Hubaux
    [Show abstract] [Hide abstract]
    ABSTRACT: Pervasive communications bring along new privacy challenges, fueled by the capability of mobile devices to communicate with, and thus "sniff on", each other directly. We design a new mechanism that aims at achieving location privacy in these forthcoming mobile networks, whereby mobile nodes collect the pseudonyms of the nodes they encounter to generate their own privacy cloaks. Thus, privacy emerges from the mobile network and users gain control over the disclosure of their locations. We call this new paradigm self- organized location privacy. In this work, we focus on the problem of self- organized anonymous authentication that is a necessary prerequisite for location privacy. We investigate, using graph theory, the optimality of different cloak constructions and evaluate with simulations the achievable anonymity in various network topologies. We show that peer-to-peer wireless communications and mobility help in the establishment of self- organized anonymous authentication in mobile networks.
    01/2009;
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: In mobile networks, authentication is a required primitive of the majority of security protocols. However, an adversary can track the location of mobile nodes by monitoring pseudonyms used for authentication. A frequently proposed solution to protect location privacy suggests that mobile nodes collectively change their pseudonyms in regions called mix zones. Because this approach is costly, self-interested mobile nodes might decide not to cooperate and could thus jeopardize the achievable location privacy. In this paper, we analyze the non-cooperative behavior of mobile nodes with a game-theoretic model, where each player aims at maximizing its location privacy at a minimum cost. We first analyze the Nash equilibria in $n$-player complete information games. Because mobile nodes in a privacy-sensitive system do not know their opponents' payoffs, we then consider incomplete information games. We establish that symmetric Bayesian-Nash equilibria exist with simple threshold strategies in $n$-player games and derive the equilibrium strategies. By means of numerical results, we show that mobile nodes become selfish when the cost of changing pseudonym is small, whereas they cooperate more when the cost of changing pseudonym increases. Finally, we design a protocol - the PseudoGame protocol - based on the results of our analysis.
    01/2009;
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Significant developments have taken place over the past few years in the area of vehicular communication systems. Now, it is well understood in the community that security and protection of private user information are a prerequisite for the deployment of the technology. This is so precisely because the benefits of VC systems, with the mission to enhance transportation safety and efficiency, are at stake. Without the integration of strong and practical security and privacy enhancing mechanisms, VC systems can be disrupted or disabled, even by relatively unsophisticated attackers. We address this problem within the SeVeCom project, having developed a security architecture that provides a comprehensive and practical solution. We present our results in a set of two articles in this issue. In this first one, we analyze threats and types of adversaries, identify security and privacy requirements, and present a spectrum of mechanisms to secure VC systems. We provide a solution that can be quickly adopted and deployed. In the second article we present our progress toward the implementation of our architecture and results on the performance of the secure VC system, along with a discussion of upcoming research challenges and our related current results.
    IEEE Communications Magazine 12/2008; · 3.66 Impact Factor
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Wireless social community networks formed by users with a WiFi access point have been created as an alternative to traditional wireless networks that operate in the licensed spectrum. By relying on access points owned by users for access, wireless community networks provide a wireless infrastructure in an inexpensive way. However, the coverage of such a network is limited by the set of users who open their access points to the social community. Currently, it is not clear to what degree this paradigm can serve as a replacement, or a complimentary service, of existing centralized networks operating in licensed bands. In this paper, we study the dynamics of wireless social community networks using, as well as the situation where a wireless social community networks co-exists with a traditional wireless network operating in the licensed spectrum.
    Communications, 2008 IEEE International Zurich Seminar on; 04/2008
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Online advertisement is a major source of revenues in the Internet. In this paper, we identify a number of vulnerabilities of current ad serving systems. We describe how an adversary can exploit these vulnerabilities to divert part of the ad revenue stream for its own benefit. We propose a scalable, secure ad serving scheme to fix this problem. We also explain why the deployment of this solution would benefit the Web browsing security in general.
    01/2008;
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Wireless sensor networks (WSNs) represent an enabling technology for a whole range of applications, such as environment monitoring or event detection/alert reporting. Their limited resources, however, make them a challenging tool to handle in the field. In particular, they lack a proper display, which makes them difficult to deploy, and to manage once they are deployed. In this article, we present Sensor-Tune, a light-weight deployment and maintenance support tool for wireless sensor networks. This tool is based on an auditory user interface using sonification. Sonification refers to the use of audio signals (mostly non-speech) to convey information. We explore the potential of this approach, in particular how it allows to overcome the inherent limitations of visual interfaces. We then justify our design choices, and present typical WSN applications where sonification can be particularly useful. Finally, we present the prototype that we built, and describe a user experiment that we conducted in early 2008, which is the first reported attempt to put a multi-hop wireless sensor network deployment in the hands of non-specialists.
    01/2008;
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Wireless social community networks are emerging as a new alternative to providing wireless data access in urban areas. By relying on users in the network deployment, a wireless community can rapidly deploy a high-quality data access infrastructure in an inexpensive way. But, the coverage of such a network is limited by the set of access points deployed by the users. Currently, it is not clear if this paradigm can serve as a replacement of existing centralized networks operating in licensed bands (such as cellular networks) or if it should be considered as a complimentary service only, with limited coverage. This question currently concerns many wireless network operators. In this paper, we study the dynamics of wireless social community networks by using a simple analytical model. In this model, users choose their service provider based on the subscription fee and the offered coverage. We show how the evolution of social community networks depends on their initial coverage, the subscription fee, and the user preferences for coverage. We conclude that by using an efficient static or dynamic pricing strategy, the wireless social community can obtain a high coverage. Using a game-theoretic approach, we then study a case where the mobile users can choose between the services provided by a licensed band operator and those of a social community. We show that for specific distribution of user preferences, there exists a Nash equilibrium for this non-cooperative game.
    INFOCOM 2008. 27th IEEE International Conference on Computer Communications, Joint Conference of the IEEE Computer and Communications Societies, 13-18 April 2008, Phoenix, AZ, USA; 01/2008
  • [Show abstract] [Hide abstract]
    ABSTRACT: Since the beginning of the 20th century, the wireless frequency spectrum has been carefully controlled by government regulators. In response to the recent advances in radio technology, the spectrum regulators have opened some parts of the available spectrum for unlicensed usage. In addition, they have reformed the traditional command and control regulation policies and have allowed more opportunistic transmissions over unused spectrum bandwidth in licensed bands, for certain times and locations. This paradigm shift can lead to a more flexible and efficient spectrum sharing in the near future. In this chapter, we address the problem of spectrum sharing between network operators and cognitive radios. Because of the dynamic nature of spectrum sharing, it is difficult to analyze and to provide sound spectrum management schemes. Several researchers rely on game theory that is an appropriate tool for modelling strategic interactions between rational decisionmakers (e.g., spectrum sharing in wireless networks). We present a selected set of works to highlight the usefulness of game theory in solving the main problems in this field.
    01/2007;