EVALUACION DE LA GRAVEDAD DE LA ASCITIS

PROYECTO DE TESIS

EVALUACION DE LA GRAVEDAD DE LA ASCITIS

As we have discussed previously in Chapters 2.3.1 and 3.1, users of a na¨ıve opportunistic network may be exposed to privacy threats, which can cause them con- cern [101]. In this section, we outline current research related to adapting opportunistic networks to preserve users’ privacy.

We consider methods proposed to protect each of the categories of potentially- private information that were identified in Chapter 2.3.1: payload confidentiality, communication patterns, anonymity, location privacy, and social graph privacy.

3.2.1 Payload confidentiality

As in other networks, one approach to protect the confidentiality of message pay- loads is by employing encryption. Traditional approaches to key distribution and key management, however, are difficult to apply to opportunistic networks. Due to the disconnected nature of the network, with delays inherent to opportunistic network message delivery, querying a public key infrastructure (PKI) is likely to be impractical [55, 85], and even much of the research on key distribution in MANETs does not generalise to disconnected opportunistic networks [25].

A possible exception — noted as potentially being suitable for disconnected networks such as opportunistic networks [125, 8, 127, 85] — is in the use of identity-

based cryptography (IBC) [26]. In IBC, node identifiers serve as their public keys. Private keys are obtained by each node from a globally-trusted third party, the “private key generator” (PKG). This key generation step need only be performed once; after initially obtaining this private key from the PKG, a node need not be able to communicate again with the PKG while participating in the opportunistic network. IBC has two main drawbacks, however, in that a globally-trusted third party is required, and forward secrecy is lacking (i.e., a stolen private key allows decryption of all prior communication with that key). Seth and Keshav [125] par- tially address these problems, by describing a time-based and hierarchical IBC scheme, with a hierarchy of PKGs descending from a root PKG. But even this solution requires a globally-trusted third party, which may be a limiting requirement for general opportunistic networks.

An alternative approach to ensure payload confidentiality is by routing opportunistic network messages via trusted social contacts. For example, Bulut and Szy- manski [29] describe a two-period routing protocol: although messages are unencrypted, routing is preferentially via trusted friends where possible, to reduce the risk of an untrusted node receiving the unencrypted payload. El Defrawyet al.[55] describe a routing protocol where messages are sent encrypted via social contacts, under the assumption that social contacts know one another’s encryption keys.

Summarising, if sender and receiver are able to agree on encryption keys — which may be challenging in an opportunistic network — then encryption may be used to preserve message confidentiality. We note this privacy threat primarily for com- pleteness; our focus is on eavesdropping, metadata privacy, and inference attacks.

3.2.2 Communication patterns and anonymity

Traffic analysis may reveal communication patterns — for example, determination of those nodes participating in the opportunistic network, or with which other people users communicate (sender-receiver linkability). Onion routing [64] is a popular proposed solution [92, 126, 78, 1]. The idea behind onion routing is to mix and route messages via intermediate nodes, with successive layers of encryption “peeled away” at each hop, in order to provide anonymity. Tor is the most widely-

known implementation of onion routing on the traditional Internet.

In contrast to traditional onion routing implementations, where messages are rout- ed along a fixed path of intermediate nodes, adaptations of onion routing for opportunistic networks — such as PEON by Le et al. [92] and ARDEN by Shi et al. [126] — often generalise onion routing to allow messages to be forwarded by intermediate groups of nodes, rather than fixed intermediate nodes. This provides more flexibility for routing, since requiring a message to be sent along a single fixed path would be a strong requirement for an opportunistic network. Such approaches, however, require that encryption keys for nodes, or groups of nodes, are known by the original message source.

Alternative methods for preserving privacy of communication patterns have also been proposed. To provide authentication along with source anonymity, Ahmad

et al. describe using source pseudonyms with blind signatures [2]. This approach

relies on a globally-trusted certificate authority, however, to sign pseudonymised certificates. Kate et al. [85] in the context of opportunistic networks, and Lu et al.[97] for VANETs, suggest using special trusted static nodes, which they respec- tively term “DTN Gateways” or “Roadside Units”. In each case, senders first pass their message to the trusted node, which is trusted to know their identity. Then this node forwards the message (along with other messages similarly collected) to the network. This assumes, however, the presence of these fully-trusted static nodes.

Solutions that can be implemented locally at nodes, without requiring encryption or globally-trusted third parties, have also been suggested. In the context of an opportunistic publish-subscribe application, D ¨ora and Holczer [50] demonstrate a method to perturb user profiles, to avoid traffic analysis revealing a user’s specific interests. Or for more traditional opportunistic network routing, Radenkovic

et al.[118] propose AdaptAnon, an anonymisation overlay on top of opportunis-

tic network social network routing, where local heuristics are used to build on- demand “anonymisation paths” for messages through the opportunistic network.

Summarising, unless special care (such as onion routing) is taken to preserve anonymity of communication patterns, traffic analysis may reveal movement of messages throughout the network. We discuss the implications further in Chapter 4.2.

3.2.3 Location privacy

Users may not wish their physical locations to be public knowledge [16, 28, 40, 15, 6, 61]. Participating in an opportunistic network exposes users to location privacy threats. For example, Ristanovic et al. describe how location patterns can be recovered by analysing node encounters (such as those which would be detected through using an opportunistic network), if some malicious nodes are logging GPS locations [121]. But while techniques to preserve location privacy are well-studied in other contexts — such as protocols in sensor networks [83] and MANETs [56], or by cloaking or obfuscating specific locations when using services explicitly ded- icated to publishing sensed locations [146, 48, 90, 7] — preserving location privacy is a relatively new research topic in networks such as opportunistic networks.

To address the location privacy threats, Luet al. introduce ALAR, an opportunistic network routing protocol designed to be resistant to localisation attacks [98]. The technique is based on splitting each message into multiple segments, and then sending each segment encrypted via multiple paths. The decryption key is includ- ed with one of the segments, sidestepping the key distribution problems described in previous sections. This, however, degrades routing performance, because the message cannot be read until the receiver has received multiple segments — which is less likely than receiving a single message.

A second, alternative approach is taken in three similar opportunistic network routing protocols, all introduced by Zakharyet al.: HSLPO [152], SLPD [151], and LPAF [153]. Each protocol relies on forwarding messages in two phases: an initial obfuscation phase where only trusted social contacts are utilised for forwarding, followed by a second free-forwarding phase where a non-privacy-aware routing protocol may be used. The intention is that no untrusted node (i.e., not a trusted social contact) will receive the message until it has spread sufficiently-far from the original sender to provide this sender location privacy.

Location privacy is a relatively new research topic for opportunistic networks. Eavesdropping can, however, unless countermeasures are taken, allow inferences to be made about location or co-location. We return to this point in Chapter 4.2, and focus on examining users’ attitudes to location privacy throughout Chapter 4.

3.2.4 Social graph privacy

The final type of potentially-private information that we consider is the social graph, where nodes are opportunistic network users and edges are social links. Such graphs are, as described in Chapter 2, useful for social network routing. The structure of a social network graph may in itself be private information [105, 100]. To demonstrate this, Narayanan and Shmatikov show that it can be possible to link two distinct social networks based on network topology alone, and that this may therefore allow deanonymisation of nodes by comparison of an “anonymised” social network to another available social network dataset [105].

Focusing on one aspect of social graph privacy — preserving the privacy of the probability that a given node will encounter a particular other node, which may correlated with social relationships — Hasanet al.introduce the 3PR routing protocol [69]. Nodes are organised into communities, and within communities messages are forwarded using epidemic-style forwarding. Between communities, privacy is preserved by exchanging community-level encounter probability information only — rather than an individual node’s probability information — in an otherwise PRoPHET-style routing decision. 3PR relies on the assumption that nodes can be grouped into communities, however, and also does not consider social network routing, where social network information explicitly drives routing decisions.

Approaching the problem from the other direction, researchers have considered how to find social relations in opportunistic networking scenarios without com- promising privacy. Guoet al.[65] introduce PSaD, a privacy-preserving scheme to disseminate content to social relations — where social relations are defined in this context as users with similar attributes. Similarly, Costantinoet al.[44] describe the privacy vs accuracy trade-off in interest-casting, where the goal is to find “friends” — which they define as users with similar interests — in a privacy-preserving manner. Both schemes, however, define social contacts as users interested in receiving similar content. They do not consider general opportunistic network routing, and specifically social network routing — where pre-existing friendship links may be used to drive routing decisions.

As described in Chapter 2.2.3, potentially-sensitive social network information may be used within opportunistic network social network routing protocols to

enable performant routing. Privacy issues are, however, typically not considered. Even for the one social network routing protocol that we are aware of where privacy-preserving schemes are discussed — the HiBOp scheme introduced by Boldrini et al. [25] — performance evaluation is conducted in the absence of the privacy-preserving features. We therefore highlight a gap in current opportunistic networking research: whether social network information can be used for social networking routing in a privacy-preserving manner, without diminishing network performance. We focus on examining this open research topic within Chapter 5.

In document Factores Predictivos de Mortalidad en Pacientes con Cirrosis Hepática Hospitalizados en el Servicio de Medicina del Hospital Regional Honorio Delgado Espinoza Arequipa 2017 (página 108-112)