A Differential Privacy Mechanism for Deceiving Cyber Attacks in IoT Networks

Abstract

Protecting Internet of Things (IoT) network from private data breach is a grand challenge. Data breach may occur when networks’ statistical information is disclosed due to network scanning or data stored on the IoT devices is accessed by attackers because of lack of protection on IoT devices. To protect IoT networks, effective proactive cyber defence technologies (e.g., Moving Target Defence (MTD) and deception) have been proposed. They defend against attacks by dynamically changing attack surface or hiding true network information. However, little work considered the protection of statistical information of IoT network, such as the number of VLANs or the number of devices across VLANs. This type of information may leak the network’s operational information to attackers (e.g., functional information of VLANs). To address this problem, we propose a differential privacy (DP)-based defence method to mitigate its leakage. In this paper, we strategically obfuscate VLANs’ statistical information by integrating DP with MTD and deception technologies. Software-defined networking technology is leveraged to manage data flows among devices and support shuffling-based MTD. Two strategies (random and intelligent) are considered for defence deployment. A greedy algorithm is designed to explore the trade-off between defence cost and privacy protection level. We theoretically prove that the proposed method meets the definition of DP, thus offering solid privacy protection to the operational information of an IoT network. Extensive experimental results further demonstrate that, for a given defence budget, there exists a trade-off between protection level and cost. Moreover, the intelligent deployment strategy is more cost-effective than the random one under the same settings.

A Proof of Proposition 1

Proof

In the case of Algorithm 1, for neighbouring datasets \(N_{k}\) and \(N_{k}'\), without loss of generality, let \(\mathcal {A}\) be the step of Algorithm 1 that injects Laplace noise (i.e., Line 3 of Algorithm 1) and X be a random variable that follows Lap(\((\frac{|K|\cdot \varDelta }{\epsilon })\)). For any output value z, we have:

$$\begin{aligned} \begin{aligned} \frac{\textrm{Pr}[\mathcal {A}(N_{k})=z]}{\textrm{Pr}[\mathcal {A}(N_{k}')=z]} \le \textrm{exp}^{\frac{\epsilon }{|K|}}. \end{aligned} \end{aligned}$$

(4)

For any count function f, \(A_{f(N_{k})}=f(N_{k})+\textrm{Lap}(\frac{|K|\cdot \varDelta }{ \epsilon })\), it is easy to conclude

$$\begin{aligned} \frac{\textrm{Pr}[\mathcal {A}_{f(N_{k})}=z]}{\textrm{Pr}[\mathcal {A}_{f(N_{k}')}=z]}&= \frac{\textrm{Pr}[f(N_{k})+X = z]}{ \textrm{Pr} [f(N_{k}')+X =z]} \nonumber \\&=\frac{\textrm{Pr}[X = z-f(N_{k})]}{\textrm{Pr}[X = z-f(N_{k}')]}\nonumber \\&=\frac{\frac{\epsilon }{2\cdot |K|\cdot \varDelta }\cdot \textrm{exp}^{\frac{-\epsilon \cdot |z-f(N_{k})|}{|K|\cdot \varDelta }}}{\frac{\epsilon }{2\cdot |K|\cdot \varDelta }\cdot \textrm{exp}^{\frac{-\epsilon \cdot |z-f(N_{k}')|}{|K|\cdot \varDelta }}}\nonumber \\&=\textrm{exp}^{(\frac{-\epsilon \cdot |z-f(N_{k})|}{|K|\cdot \varDelta }-\frac{-\epsilon \cdot |z-f(N_{k}')|}{|K|\cdot \varDelta })}\nonumber \\&=\textrm{exp}^{(\epsilon \cdot (\frac{|z-f(N_{k}')|-|z-f(N_{k})|}{|K|\cdot \varDelta }))}\nonumber \\&\le \textrm{exp}^{(\frac{\epsilon \cdot |f(N_{k}')-f(N_{k})|}{|K|\cdot \varDelta })}. \end{aligned}$$

(5)

Since the sensitivity \(\varDelta \) is 1 as mentioned before, and by definition of sensitivity, \(\varDelta =\textrm{max}_{N_{k}, N_{k}'}\left\| f(N_{k}')-f(N_{k})\right\| _{1}\). Hence, Eq. (5) becomes

$$\begin{aligned} \frac{\textrm{Pr}[\mathcal {A}_{f(N_{k})}=z]}{\textrm{Pr}[\mathcal {A}_{f(N_{k}')}=z]}&= \frac{\textrm{Pr}[f(N_{k})+X = z]}{ \textrm{Pr} [f(N_{k}')+X =z]} \nonumber \\&\le \textrm{exp}^{(\frac{\epsilon \cdot |f(N_{k}')-f(N_{k})|}{|K|\cdot \varDelta })}\nonumber \\&\le \textrm{exp}^{(\frac{\epsilon }{|K|})}. \end{aligned}$$

(6)

Thus, each step of Algorithm 1 satisfies \(\frac{\epsilon }{\left| K\right| }\hbox {-}DP\). As there are \(\left| K\right| \) steps in Algorithm 1, based on Theorem 1, Algorithm 1 satisfies \((\sum _{i=1}^{|K|}\frac{\epsilon }{\left| K\right| })\hbox {-}DP\). Therefore, Algorithm 1 satisfies \(\epsilon \hbox {-}DP\).

Without loss of generality, denote Algorithm 1 as \(\mathcal {A}_{1}\) and Algorithm 2 as \(\mathcal {A}_{2}\). In the case of Algorithm 2, for neighbouring \(N_{k}\) and \(N_{k}'\), let z be the output value of algorithm \(\mathcal {A}_{1}\) and O be the set of output value of algorithm \(\mathcal {A}_{2}\). According to the discussion above, we have proved \(\mathcal {A}_{1}\) satisfies \(\epsilon \hbox {-}DP\), so we have

$$\begin{aligned} \frac{\textrm{Pr}[\mathcal {A}_{1}(N_{k})=z]}{\textrm{Pr}[\mathcal {A}_{1}(N_{k}')=z]}&\le \textrm{exp}^{\epsilon }. \end{aligned}$$

(7)

For any \(o \in O\), we have

$$\begin{aligned} \textrm{Pr}[\mathcal {A}_{2} \left( \mathcal {A}_{1}(N_{k})\right) =o]&= \sum _{o \in O}\textrm{Pr}[\mathcal {A}_{1} (N_{k})=z]\textrm{Pr}[\mathcal {A}_{2} (z)=o] \nonumber \\&\le \sum _{o \in O}\mathrm{exp^{\epsilon }}\textrm{Pr}[\mathcal {A}_{1} (N_{k}')=z]\textrm{Pr}[\mathcal {A}_{2} (z)=o] \nonumber \\&= \sum _{o \in O}\mathrm{exp^{\epsilon }}\textrm{Pr}[\mathcal {A}_{2} \left( \mathcal {A}_{1}(N_{k}')\right) =o]. \end{aligned}$$

(8)

Hence, according to Eq. (8), we have

$$\begin{aligned} \frac{\textrm{Pr}[\mathcal {A}_{2} \left( \mathcal {A}_{1}(N_{k})\right) =o]}{\textrm{Pr}[\mathcal {A}_{2} \left( \mathcal {A}_{1}(N_{k}')\right) =o]}&\le \mathrm{exp^{\epsilon }}, \end{aligned}$$

(9)

Therefore, Algorithm 2 also satisfies \(\epsilon \hbox {-}DP\) based on the Post-processing Theorem 2.    \(\square \)