Privacy-preserving Event Detection in Pervasive Spaces

Slides:



Advertisements
Similar presentations
What is a Database By: Cristian Dubon.
Advertisements

Lecture 24 MAS 714 Hartmut Klauck
A Privacy Preserving Index for Range Queries
Effective Keyword Based Selection of Relational Databases Bei Yu, Guoliang Li, Karen Sollins, Anthony K.H Tung.
An Approach to Evaluate Data Trustworthiness Based on Data Provenance Department of Computer Science Purdue University.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Design and Implementation of a Middleware for Sentient Spaces Bijit Hore, Hojjat Jafarpour, Ramesh Jain, Shengyue Ji, Daniel Massaguer Sharad Mehrotra,
Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.
Cache Placement in Sensor Networks Under Update Cost Constraint Bin Tang, Samir Das and Himanshu Gupta Department of Computer Science Stony Brook University.
Preference Analysis Joachim Giesen and Eva Schuberth May 24, 2006.
Chapter 5 Normalization Transparencies © Pearson Education Limited 1995, 2005.
Fast Subsequence Matching in Time-Series Databases Christos Faloutsos M. Ranganathan Yannis Manolopoulos Department of Computer Science and ISR University.
An efficient distributed protocol for collective decision- making in combinatorial domains CMSS Feb , 2012 Minyi Li Intelligent Agent Technology.
Secure Incremental Maintenance of Distributed Association Rules.
Normalization Transparencies
TECH Computer Science NP-Complete Problems Problems  Abstract Problems  Decision Problem, Optimal value, Optimal solution  Encodings  //Data Structure.
Exploiting Context Analysis for Combining Multiple Entity Resolution Systems -Ramu Bandaru Zhaoqi Chen Dmitri V.kalashnikov Sharad Mehrotra.
Privacy Challenges in Pervasive Spaces RESCUE All Hands Meeting – June 2007.
Resource Mapping and Scheduling for Heterogeneous Network Processor Systems Liang Yang, Tushar Gohad, Pavel Ghosh, Devesh Sinha, Arunabha Sen and Andrea.
Lecture 5 Normalization. Objectives The purpose of normalization. How normalization can be used when designing a relational database. The potential problems.
Chapter 10 Normalization Pearson Education © 2009.
Zhuo Peng, Chaokun Wang, Lu Han, Jingchao Hao and Yiyuan Ba Proceedings of the Third International Conference on Emerging Databases, Incheon, Korea (August.
1 SYNTHESIS of PIPELINED SYSTEMS for the CONTEMPORANEOUS EXECUTION of PERIODIC and APERIODIC TASKS with HARD REAL-TIME CONSTRAINTS Paolo Palazzari Luca.
An Efficient Linear Time Triple Patterning Solver Haitong Tian Hongbo Zhang Zigang Xiao Martin D.F. Wong ASP-DAC’15.
Tetris Agent Optimization Using Harmony Search Algorithm
Privacy Preserving Payments in Credit Networks By: Moreno-Sanchez et al from Saarland University Presented By: Cody Watson Some Slides Borrowed From NDSS’15.
CISC 849 : Applications in Fintech Namami Shukla Dept of Computer & Information Sciences University of Delaware iCARE : A Framework for Big Data Based.
On Mobile Sink Node for Target Tracking in Wireless Sensor Networks Thanh Hai Trinh and Hee Yong Youn Pervasive Computing and Communications Workshops(PerComW'07)
Optimizing Distributed Actor Systems for Dynamic Interactive Services
Contents. Goal and Overview. Ingredients. The Page Model.
EMGT 6412/MATH 6665 Mathematical Programming Spring 2016
Hummingbird: Privacy at the time of Twitter
Abstract In this paper, the k-coverage problem is formulated as a decision problem, whose goal is to determine whether every point in the service area.
Clustering Data Streams
Data Management on Opportunistic Grids
Module 11: File Structure
Privacy Preserving Subgraph Matching on Large Graphs in Cloud
Database Management System
A Study of Group-Tree Matching in Large Scale Group Communications
Relational Database Design by Dr. S. Sridhar, Ph. D
Privacy Preserving Similarity Evaluation of Time Series Data
NSF Faculty Career Award
Concurrency Control.
Location Cloaking for Location Safety Protection of Ad Hoc Networks
Privacy Preserving Subgraph Matching on Large Graphs in Cloud
THE STEPS TO MANAGE THE GRID
Haim Kaplan and Uri Zwick
Privacy and Fault-Tolerance in Distributed Optimization Nitin Vaidya University of Illinois at Urbana-Champaign.
Topic 14: Random Oracle Model, Hashing Applications
Supporting Fault-Tolerance in Streaming Grid Applications
Privacy Preserving Subgraph Matching on Large Graphs in Cloud
Differential Privacy in Practice
Analysis and design of algorithm
Effective Social Network Quarantine with Minimal Isolation Costs
Chap 3. The simplex method
Privacy Preserving Data Mining
On the effect of randomness on planted 3-coloring models
Consensus Partition Liang Zheng 5.21.
Chapter 11 Limitations of Algorithm Power
Algorithms for Budget-Constrained Survivable Topology Design
Solving the Minimum Labeling Spanning Tree Problem
國立臺北科技大學 課程:資料庫系統 2015 fall Chapter 14 Normalization.
Privacy preserving cloud computing
A Framework for Testing Query Transformation Rules
Resource Allocation for Distributed Streaming Applications
Clustering.
Path Oram An Extremely Simple Oblivious RAM Protocol
Authors: Jinliang Fan and Mostafa H. Ammar
Locality In Distributed Graph Algorithms
Outline Introduction Background Distributed DBMS Architecture
Presentation transcript:

Privacy-preserving Event Detection in Pervasive Spaces Bijit Hore, Jehan Wickramasuriya, Sharad Mehrotra, Nalini Venkatasubramanian, Daniel Massaguer

What is our pervasive space? No ordinary coffee room, one that is monitored ! There are rules that apply If rule is violated, penalties may be imposed But all is not unfair: individuals have right to privacy ! ”Till an individual has not had more than his quota of coffee, his identity will not be revealed” (Motivated by surveillance apps) A Coffee room !

Issues to be addressed Modeling pervasive spaces How to implement its functionality? Adversary What kind of adversary? How powerful is he? Privacy Goal  Ensure anonymity of individuals Necessary and sufficient conditions? Solution approach Meets the necessary and sufficiency conditions Practical/scalable? Here are a set of issues to be addressed in designing such a space

Basic events, Composite events & Rules Pervasive space generates stream of basic events Composite event is one or more sequence of basic events that comprise a pattern of interest (example on next page) Rule: (Composite event, Action) Rules apply to groups of individuals, e.g.: Coffee room rules apply to everyone Server room rule applies to everyone except administrators etc. Pervasive Space with sensors :: ek:<Bill, coffee-room, coffee-maker, exit> :: e2:<Tom, coffee-room, coffee-cup, dispense> Stream of Basic Events e1:<Tom, coffee-room, *, enter>

Composite events Composite event templates Detect the event when: “A student drinks more than 3 cups of coffee” e1 ≡ <u ∈ STUDENT, coffee_room, coffee_cup, dispense> Detect the event when: “A student tries to accesses the IBM server in the server room” e1 ≡ <u ∈ STUDENT,server_room,*, entry> e2 ≡ <ū, server_room, *, exit> e3 ≡ <ū, server_room, IBM-server, login-attempt> Change second example

Automata & State Information Rule  Automaton template (Rule, Individual)  Instance of a template = automaton object ARX ARY ARZ Rule R applies to {X, Y, Z} Add some more info on this slide Automaton used for storing state of partially completed events State transition in automatons happen on basic events 3 automata that implement R for X, Y and Z respectively The number of automata in the state table is proportional to the number of individuals who interact with the space

System architecture & adversary Server Secure Sensor node (SSN) Rules DB :: Secure Sensor node (SSN) State Information (Encrypted) Thin trusted middleware to obfuscate origin of events ------------------------------------------------------------ Architecture of a privacy-preserving pervasive space application (Talk about MUSQATI later) Say how we need to store large amount of state information in a dynamic environment Similar to secure querying systems which use a small secret and/or trusted agent to leverage the large (potentially unsafe) storage and computing power of the infrastructure to deliver applications Secure data capture is simple (no leakage/siphoning etc. of data) Secure event-generation is the key that we are trying to break now. Looks like we have to implement a “trusted middleware” to obfuscate the origin of basic events. Basic Assumptions about SSNs Secure data capture (Sensors are tamper-proof) Secure generation of basic events by SSN Trusted & have computation power + limited storage, can carry out encryption/decryption with secret key common to all SSNs

System architecture & adversary (cont.) Adversary: Server-side snooper who wants to deduce the identity of the individual associated with a basic-event. Minimum requirement for security: State information is to be always encrypted on server Recall: Goal is to ensure a level k of anonymity for each individual

Basic protocol Question: Does encryption ensure complete anonymity? Return automata that (possibly) match e (encrypted match) Store updated automata SERVER SECURE SENSOR NODE Query for set of (encrypted) automata that match event e Decrypt automata, advance the state of automata if necessary associate encrypted label with new state. Write-back encrypted automata Generate basic event e Question: Does encryption ensure complete anonymity? NO! SSNs’ pattern of automata access may cause identity disclosure

Example R1 Applies to Tom Tom enters Kitchen  3 firings R2 R3 R1 U enters kitchen U takes coffee R1 U enters kitchen U opens fridge Applies to Tom Tom enters Kitchen  3 firings R2 U enters kitchen U opens microwave R3 U enters kitchen U takes coffee R1 Applies to Bill Bill enters Kitchen  2 firings U enters kitchen U opens fridge R2 On an event, the # rows retrieved from state table can disclose the identity of the individual

Characteristic access patterns of automata The set of rules applicable to an individual maybe unique  potentially identify the individual Rules applicable to TOM Tom enters kitchen Tom takes coffee x Characteristic patterns of x P1: {x,y,z} {x y} Characteristic patterns of y P2: {x,y,z} {x,y} {y} P3: {x,y,z} {y,z} {y} Characteristic patterns of z P4: {x,y,z} {y z} Tom leaves coffee pot empty Tom takes coffee Tom enters kitchen y Tom opens fridge Tom leaves fridge open Tom enters kitchen Tom opens fridge z The characteristic access patterns of rows can potentially reveal the identity of the automaton in spite of encryption

Partitioning events (unrestricted) Goal: Make the set of characteristic patterns associated with each automaton non-identifying (k-anonymous) Candidate solution: Partition events into k-diverse groups Index automata (rows of the table) by event’s group-id instead of the event-label Tom enters kitchen Bill enters kitchen Kate leaves microwave open C2 Tom opens fridge Kate enters kitchen Bill takes coffee Theorem: Checking if an event-partitioning scheme for a given set of automata is k-anonymous is NP-Complete (The problem of checking the existence of a fixed-point-free automorphism in graphs can be reduced to this problem) Tom leaves microwave open Kate leaves fridge open 3-diverse event clusters 3-diverse solution Bill leaves microwave open C3 Does not guarantee 3-anonymity

Event clustering (restricted) Assign all events in an automaton into a single group If two automata have a common event, assign them to the same group  Connected-groups of automata Combine connected-groups into k-diverse partitions Guarantees k-anonymity C1 C2 Note that such a clustering offers opportunities for automata merging as well All automata in a cluster are associated with the same access pattern  k-anonymity

Final partition-based protocol Return all automata belonging to Partition(e) Store updated automata SERVER SECURE SENSOR NODE Determine Partition(e) (encrypted query) Decrypt automata, Advance the state of automata if necessary Write-back all automata in Partition(e) Generate basic event e

Minimum-cost clustering Each connected-group of automata is represented by a ball Each ball has a “weight” (accessed with a frequency) Each ball has a “price” (transmission overhead) Each ball has a “color” (denoting individual) Optimization problem: Partition the set of balls into as many bins as required where the objective is to ∑ ( ∑ b.price ) * ( ∑ b.weight ) s.t. each bin has balls of at least k distinct colors Minimize bini b∈bini b∈bini (Problem is NP-Hard: reduction from sum-of-squares problem)

Solution to optimization problem We give some simple heuristic solution that works well in practice Start with a random feasible partition meeting k-anonymity constraint Iterate: determine best set of “non-conflicting” ball transfers between bins (i.e. those which reduce cost by largest amount) & execute these transfers Iterate: determine best set of non-conflicting ball exchanges between bins & execute these exchanges Stop when no further cost-reduction is possible We carry out these only to the first degree of approximation -- establish pairs by using graph-matching algorithm

Experiments Prototype built on SATware-Responsphere framework Responsphere – communications, storage, computing framework consisting of approx. 200 sensors SATware – middleware for deploying pervasive space applications Dataset for simulation Generate events based on real activities in office building 4 groups of people – STUDENT, FACULTY, STAFF, VISITOR (300 in all) 3 regions: KITCHEN, SERVER_ROOM, FACILITIES_ROOM 15 rules belonging to 2 classes of activities: (i) protection of resources; (ii) suspicious activity

Sample rules

Evaluation using realistic dataset Simulated sequence of 1000 events & measured communication cost between Server and SSNs Compare the following 2 partitioning algorithms: k-individual partitioning – all automata of an individual in a single group k-connected-group partitioning – remove the above constraint

Comparison using synthetic data Cost differential increases (generally) as #individuals & # components increase No clear trend as k increases

Conclusion Automaton-based model for events in pervasive spaces is proposed Notion of anonymity in pervasive space is formalized Necessary and sufficient conditions are derived Event-clustering based solution approach is outlined Efficiency criteria is modeled as a min-cost clustering problem & a heuristic solution is proposed Challenges & Future Work: Designing a truly secure sensing-infrastructure is challenging Consider other interesting notions of privacy in pervasive spaces

Thank You !!

Secure sensor nodes IBM 4758 PCI Cryptographic Coprocessor Broadcom BCM5890 security applications processor