
Privacy-preserving Event Detection in Pervasive Spaces



Presentation Transcript


  1. Privacy-preserving Event Detection in Pervasive Spaces Bijit Hore, Jehan Wickramasuriya, Sharad Mehrotra, Nalini Venkatasubramanian, Daniel Massaguer

  2. What is our pervasive space? A coffee room!
  • No ordinary coffee room, one that is monitored!
  • There are rules that apply
  • If a rule is violated, penalties may be imposed
  • But all is not unfair: individuals have a right to privacy! "Till an individual has not had more than his quota of coffee, his identity will not be revealed" (motivated by surveillance apps)

  3. Issues to be addressed
  • Modeling pervasive spaces
    • How to implement its functionality?
  • Adversary
    • What kind of adversary?
    • How powerful is he?
  • Privacy
    • Goal: ensure anonymity of individuals
    • Necessary and sufficient conditions?
  • Solution approach
    • Meets the necessary and sufficient conditions
    • Practical/scalable?

  4. Basic events, composite events & rules
  • Pervasive space generates a stream of basic events
  • Composite event: one or more sequences of basic events that comprise a pattern of interest (example on next slide)
  • Rule: (Composite event, Action)
  • Rules apply to groups of individuals, e.g.:
    • Coffee room rules apply to everyone
    • Server room rule applies to everyone except administrators, etc.
  Pervasive space with sensors generates the stream of basic events:
    e1: <Tom, coffee-room, *, enter>
    e2: <Tom, coffee-room, coffee-cup, dispense>
    ...
    ek: <Bill, coffee-room, coffee-maker, exit>

  5. Composite events (composite event templates)
  • Detect the event when: "A student drinks more than 3 cups of coffee"
    e1 ≡ <u ∈ STUDENT, coffee_room, coffee_cup, dispense>
  • Detect the event when: "A student tries to access the IBM server in the server room"
    e1 ≡ <u ∈ STUDENT, server_room, *, entry>
    e2 ≡ <ū, server_room, *, exit>
    e3 ≡ <ū, server_room, IBM-server, login-attempt>

  6. Automata & state information
  • Rule automaton template
  • (Rule, Individual) instance of a template = automaton object
  Rule R applies to {X, Y, Z}: three automata ARX, ARY, ARZ implement R for X, Y and Z respectively
  The number of automata in the state table is proportional to the number of individuals who interact with the space

  7. System architecture & adversary
  Server side: Rules DB, State Information (encrypted)
  Sensor side: Secure Sensor Nodes (SSNs), behind a thin trusted middleware that obfuscates the origin of events
  Basic assumptions about SSNs:
  • Secure data capture (sensors are tamper-proof)
  • Secure generation of basic events by the SSN
  • Trusted & have computation power + limited storage; can carry out encryption/decryption with a secret key common to all SSNs

  8. System architecture & adversary (cont.)
  • Adversary: server-side snooper who wants to deduce the identity of the individual associated with a basic event
  • Minimum requirement for security: state information is always encrypted on the server
  • Recall: the goal is to ensure a level k of anonymity for each individual

  9. Basic protocol
  Exchange between a Secure Sensor Node (SSN) and the Server:
  • SSN: generate basic event e
  • SSN → Server: query for the set of (encrypted) automata that match event e
  • Server → SSN: return automata that (possibly) match e (encrypted match)
  • SSN: decrypt automata, advance the state of automata if necessary, associate an encrypted label with the new state; write back encrypted automata
  • Server: store updated automata
  Question: Does encryption ensure complete anonymity? NO! The SSNs' pattern of automata access may cause identity disclosure.

  10. Example
  Rules applying to Tom:
  • R1: U enters kitchen → U takes coffee
  • R2: U enters kitchen → U opens fridge
  • R3: U enters kitchen → U opens microwave
  "Tom enters kitchen" → 3 firings
  Rules applying to Bill:
  • R1: U enters kitchen → U takes coffee
  • R2: U enters kitchen → U opens fridge
  "Bill enters kitchen" → 2 firings
  On an event, the number of rows retrieved from the state table can disclose the identity of the individual.

  11. Characteristic access patterns of automata
  • The set of rules applicable to an individual may be unique → potentially identifies the individual
  • The characteristic access patterns of rows can potentially reveal the identity of the automaton in spite of encryption
  Rules applicable to Tom (three automata x, y, z):
  • x: Tom enters kitchen, Tom takes coffee
  • y: Tom enters kitchen, Tom takes coffee, Tom leaves coffee pot empty; Tom opens fridge, Tom leaves fridge open
  • z: Tom enters kitchen, Tom opens fridge
  Characteristic patterns of x: P1: {x,y,z} {x,y}
  Characteristic patterns of y: P2: {x,y,z} {x,y} {y}; P3: {x,y,z} {y,z} {y}
  Characteristic patterns of z: P4: {x,y,z} {y,z}

  12. Partitioning events (unrestricted)
  Goal: make the set of characteristic patterns associated with each automaton non-identifying (k-anonymous)
  Candidate solution:
  • Partition events into k-diverse groups
  • Index automata (rows of the table) by the event's group-id instead of the event label
  Example of 3-diverse event clusters:
  • C1: Tom enters kitchen, Bill enters kitchen, Kate leaves microwave open
  • C2: Tom opens fridge, Kate enters kitchen, Bill takes coffee
  • C3: Tom leaves microwave open, Kate leaves fridge open, Bill leaves microwave open
  This does not guarantee 3-anonymity.
  Theorem: Checking whether an event-partitioning scheme for a given set of automata is k-anonymous is NP-complete (the problem of checking the existence of a fixed-point-free automorphism in graphs can be reduced to this problem).

  13. Event clustering (restricted)
  • Assign all events in an automaton to a single group
  • If two automata have a common event, assign them to the same group → connected groups of automata
  • Combine connected groups into k-diverse partitions (C1, C2, ...) → guarantees k-anonymity
  All automata in a cluster are associated with the same access pattern → k-anonymity
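The row-count leak of slides 10 and 11 and the restricted clustering of slide 13, as an added Python example that is not from the paper or its SATware prototype; the automata, event labels and the greedy bin-filling rule are constructed assumptions:

```python
# Constructed example (not the paper's dataset): automata keyed by
# (rule, individual); each reacts only to that individual's basic events.
AUTOMATA = {
    ("R1", "Tom"):  {"Tom enters kitchen", "Tom takes coffee"},
    ("R2", "Tom"):  {"Tom enters kitchen", "Tom opens fridge"},
    ("R3", "Tom"):  {"Tom enters kitchen", "Tom opens microwave"},
    ("R1", "Bill"): {"Bill enters kitchen", "Bill takes coffee"},
    ("R2", "Bill"): {"Bill enters kitchen", "Bill opens fridge"},
    ("R4", "Kate"): {"Kate enters kitchen", "Kate leaves fridge open"},
    ("R1", "Ann"):  {"Ann enters kitchen", "Ann takes coffee"},
}

def rows_by_label(event):
    """Basic protocol: the server returns the automata indexed by the event
    label, so the number of encrypted rows fetched is visible to a snooper."""
    return sorted(a for a, evs in AUTOMATA.items() if event in evs)

def connected_groups():
    """Restricted clustering: automata that share a basic event are merged
    into one connected group (incremental component merge)."""
    groups = []
    for a, evs in AUTOMATA.items():
        touching = [g for g in groups if any(evs & AUTOMATA[b] for b in g)]
        groups = [g for g in groups if g not in touching]
        groups.append({a}.union(*touching))
    return [frozenset(g) for g in groups]

def k_diverse_partition(groups, k):
    """Greedily combine connected groups into bins that hold automata of at
    least k distinct individuals; a short trailing bin joins its predecessor."""
    bins, current = [], set()
    for g in groups:
        current |= g
        if len({ind for _, ind in current}) >= k:
            bins.append(frozenset(current))
            current = set()
    if current:  # leftover groups with < k individuals cannot stand alone
        bins[-1:] = [bins[-1] | current] if bins else [frozenset(current)]
    return bins

def rows_by_partition(event, bins):
    """Partition protocol: the whole partition containing the event's
    automata is returned, so everyone in it shows the same access pattern."""
    for b in bins:
        if any(event in AUTOMATA[a] for a in b):
            return sorted(b)
    return []
```

With label indexing "Tom enters kitchen" fetches 3 rows and "Bill enters kitchen" 2, which separates them; with 2-diverse partitions both fetch the same 5 rows.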

  14. Final partition-based protocol
  • SSN: generate basic event e
  • SSN → Server: determine Partition(e) (encrypted query)
  • Server → SSN: return all automata belonging to Partition(e)
  • SSN: decrypt automata, advance the state of automata if necessary; write back all automata in Partition(e)
  • Server: store updated automata

  15. Minimum-cost clustering
  Each connected group of automata is represented by a ball:
  • Each ball has a "weight" (accessed with a frequency)
  • Each ball has a "price" (transmission overhead)
  • Each ball has a "color" (denoting the individual)
  Optimization problem: partition the set of balls into as many bins as required so as to
    Minimize  Σ_{bin_i} ( Σ_{b ∈ bin_i} b.price ) * ( Σ_{b ∈ bin_i} b.weight )
    s.t. each bin has balls of at least k distinct colors
  (Problem is NP-hard: reduction from the sum-of-squares problem)

  16. Solution to the optimization problem
  We give a simple heuristic solution that works well in practice:
  • Start with a random feasible partition meeting the k-anonymity constraint
  • Iterate: determine the best set of "non-conflicting" ball transfers between bins (i.e. those which reduce the cost by the largest amount) & execute these transfers
  • Iterate: determine the best set of non-conflicting ball exchanges between bins & execute these exchanges
  • Stop when no further cost reduction is possible
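The cost function of slide 15 and the local-search heuristic of slide 16, as an added Python example that is not from the paper; the balls' weights, prices and colours are constructed, and the heuristic is simplified to one best transfer or exchange per iteration instead of a batch of non-conflicting moves.

```python
import itertools

# Constructed example (not the paper's data): each ball is one connected
# group of automata with a weight (access frequency), a price (transmission
# overhead) and a colour (the individual it belongs to).
BALLS = {
    "tom":  {"weight": 9, "price": 3, "color": "Tom"},
    "bill": {"weight": 2, "price": 1, "color": "Bill"},
    "kate": {"weight": 8, "price": 4, "color": "Kate"},
    "ann":  {"weight": 1, "price": 2, "color": "Ann"},
    "raj":  {"weight": 5, "price": 1, "color": "Raj"},
    "eve":  {"weight": 1, "price": 1, "color": "Eve"},
}

def cost(bins):
    """Objective from the slides: sum over bins of (sum of prices) times
    (sum of weights), i.e. bytes moved per access times number of accesses."""
    return sum(sum(BALLS[b]["price"] for b in bn) *
               sum(BALLS[b]["weight"] for b in bn) for bn in bins)

def feasible(bins, k):
    """k-anonymity constraint: every bin holds balls of >= k colours."""
    return all(len({BALLS[b]["color"] for b in bn}) >= k for bn in bins)

def neighbours(bins):
    """Candidate moves: a single-ball transfer between two bins, or an
    exchange of one ball from each of two bins (an emptied bin is dropped)."""
    for i, j in itertools.permutations(range(len(bins)), 2):
        for b in bins[i]:
            moved = [bn - {b} if x == i else bn | {b} if x == j else bn
                     for x, bn in enumerate(bins)]
            yield [bn for bn in moved if bn]
    for i, j in itertools.combinations(range(len(bins)), 2):
        for b, c in itertools.product(bins[i], bins[j]):
            yield [bn - {b} | {c} if x == i else bn - {c} | {b} if x == j
                   else bn for x, bn in enumerate(bins)]

def local_search(bins, k):
    """Heuristic of the slides, simplified to one move per iteration: from a
    feasible partition, apply the best cost-reducing transfer or exchange
    until no move reduces the cost any further."""
    assert feasible(bins, k), "start from a feasible partition"
    while True:
        best = min((c for c in neighbours(bins) if feasible(c, k)),
                   key=cost, default=None)
        if best is None or cost(best) >= cost(bins):
            return bins
        bins = best
```

Starting from [{tom, bill, kate}, {ann, raj, eve}] with k = 2 (cost 180), the first accepted move is already a swap that brings the cost to 150, and the search stops at a partition no single transfer or exchange improves.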

  17. Experiments
  • Prototype built on the SATware-Responsphere framework
    • Responsphere: communications, storage and computing framework consisting of approx. 200 sensors
    • SATware: middleware for deploying pervasive space applications
  • Dataset for simulation
    • Generate events based on real activities in an office building
    • 4 groups of people: STUDENT, FACULTY, STAFF, VISITOR (300 in all)
    • 3 regions: KITCHEN, SERVER_ROOM, FACILITIES_ROOM
    • 15 rules belonging to 2 classes of activities: (i) protection of resources; (ii) suspicious activity

  18. Sample rules

  19. Evaluation using a realistic dataset
  • Simulated a sequence of 1000 events & measured the communication cost between Server and SSNs
  • Compared the following 2 partitioning algorithms:
    • k-individual partitioning: all automata of an individual in a single group
    • k-connected-group partitioning: remove the above constraint

  20. Comparison using synthetic data
  • Cost differential increases (generally) as the number of individuals & number of components increase
  • No clear trend as k increases

  21. Conclusion
  • An automaton-based model for events in pervasive spaces is proposed
  • The notion of anonymity in a pervasive space is formalized
  • Necessary and sufficient conditions are derived
  • An event-clustering based solution approach is outlined
  • The efficiency criterion is modeled as a min-cost clustering problem & a heuristic solution is proposed
  Challenges & future work:
  • Designing a truly secure sensing infrastructure is challenging
  • Consider other interesting notions of privacy in pervasive spaces

  22. Thank You !!

  23. Secure sensor nodes
  • IBM 4758 PCI Cryptographic Coprocessor
  • Broadcom BCM5890 security applications processor
