Privacy-preserving Event Detection in Pervasive Spaces Bijit Hore, Jehan Wickramasuriya, Sharad Mehrotra, Nalini Venkatasubramanian, Daniel Massaguer

What is our pervasive space? No ordinary coffee room, one that is monitored ! There are rules that apply If rule is violated, penalties may be imposed But all is not unfair: individuals have right to privacy ! ”Till an individual has not had more than his quota of coffee, his identity will not be revealed” (Motivated by surveillance apps) A Coffee room !

Issues to be addressed Modeling pervasive spaces How to implement its functionality? Adversary What kind of adversary? How powerful is he? Privacy Goal  Ensure anonymity of individuals Necessary and sufficient conditions? Solution approach Meets the necessary and sufficiency conditions Practical/scalable? Here are a set of issues to be addressed in designing such a space

Basic events, Composite events & Rules Pervasive space generates stream of basic events Composite event is one or more sequence of basic events that comprise a pattern of interest (example on next page) Rule: (Composite event, Action) Rules apply to groups of individuals, e.g.: Coffee room rules apply to everyone Server room rule applies to everyone except administrators etc. Pervasive Space with sensors :: ek:<Bill, coffee-room, coffee-maker, exit> :: e2:<Tom, coffee-room, coffee-cup, dispense> Stream of Basic Events e1:<Tom, coffee-room, *, enter>

Composite events Composite event templates Detect the event when: “A student drinks more than 3 cups of coffee” e1 ≡ <u ∈ STUDENT, coffee_room, coffee_cup, dispense> Detect the event when: “A student tries to accesses the IBM server in the server room” e1 ≡ <u ∈ STUDENT,server_room,*, entry> e2 ≡ <ū, server_room, *, exit> e3 ≡ <ū, server_room, IBM-server, login-attempt> Change second example

Automata & State Information Rule  Automaton template (Rule, Individual)  Instance of a template = automaton object ARX ARY ARZ Rule R applies to {X, Y, Z} Add some more info on this slide Automaton used for storing state of partially completed events State transition in automatons happen on basic events 3 automata that implement R for X, Y and Z respectively The number of automata in the state table is proportional to the number of individuals who interact with the space

System architecture & adversary Server Secure Sensor node (SSN) Rules DB :: Secure Sensor node (SSN) State Information (Encrypted) Thin trusted middleware to obfuscate origin of events ------------------------------------------------------------ Architecture of a privacy-preserving pervasive space application (Talk about MUSQATI later) Say how we need to store large amount of state information in a dynamic environment Similar to secure querying systems which use a small secret and/or trusted agent to leverage the large (potentially unsafe) storage and computing power of the infrastructure to deliver applications Secure data capture is simple (no leakage/siphoning etc. of data) Secure event-generation is the key that we are trying to break now. Looks like we have to implement a “trusted middleware” to obfuscate the origin of basic events. Basic Assumptions about SSNs Secure data capture (Sensors are tamper-proof) Secure generation of basic events by SSN Trusted & have computation power + limited storage, can carry out encryption/decryption with secret key common to all SSNs

System architecture & adversary (cont.) Adversary: Server-side snooper who wants to deduce the identity of the individual associated with a basic-event. Minimum requirement for security: State information is to be always encrypted on server Recall: Goal is to ensure a level k of anonymity for each individual

Basic protocol Question: Does encryption ensure complete anonymity? Return automata that (possibly) match e (encrypted match) Store updated automata SERVER SECURE SENSOR NODE Query for set of (encrypted) automata that match event e Decrypt automata, advance the state of automata if necessary associate encrypted label with new state. Write-back encrypted automata Generate basic event e Question: Does encryption ensure complete anonymity? NO! SSNs’ pattern of automata access may cause identity disclosure

Example R1 Applies to Tom Tom enters Kitchen  3 firings R2 R3 R1 U enters kitchen U takes coffee R1 U enters kitchen U opens fridge Applies to Tom Tom enters Kitchen  3 firings R2 U enters kitchen U opens microwave R3 U enters kitchen U takes coffee R1 Applies to Bill Bill enters Kitchen  2 firings U enters kitchen U opens fridge R2 On an event, the # rows retrieved from state table can disclose the identity of the individual

Characteristic access patterns of automata The set of rules applicable to an individual maybe unique  potentially identify the individual Rules applicable to TOM Tom enters kitchen Tom takes coffee x Characteristic patterns of x P1: {x,y,z} {x y} Characteristic patterns of y P2: {x,y,z} {x,y} {y} P3: {x,y,z} {y,z} {y} Characteristic patterns of z P4: {x,y,z} {y z} Tom leaves coffee pot empty Tom takes coffee Tom enters kitchen y Tom opens fridge Tom leaves fridge open Tom enters kitchen Tom opens fridge z The characteristic access patterns of rows can potentially reveal the identity of the automaton in spite of encryption

Partitioning events (unrestricted) Goal: Make the set of characteristic patterns associated with each automaton non-identifying (k-anonymous) Candidate solution: Partition events into k-diverse groups Index automata (rows of the table) by event’s group-id instead of the event-label Tom enters kitchen Bill enters kitchen Kate leaves microwave open C2 Tom opens fridge Kate enters kitchen Bill takes coffee Theorem: Checking if an event-partitioning scheme for a given set of automata is k-anonymous is NP-Complete (The problem of checking the existence of a fixed-point-free automorphism in graphs can be reduced to this problem) Tom leaves microwave open Kate leaves fridge open 3-diverse event clusters 3-diverse solution Bill leaves microwave open C3 Does not guarantee 3-anonymity

Event clustering (restricted) Assign all events in an automaton into a single group If two automata have a common event, assign them to the same group  Connected-groups of automata Combine connected-groups into k-diverse partitions Guarantees k-anonymity C1 C2 Note that such a clustering offers opportunities for automata merging as well All automata in a cluster are associated with the same access pattern  k-anonymity

Final partition-based protocol Return all automata belonging to Partition(e) Store updated automata SERVER SECURE SENSOR NODE Determine Partition(e) (encrypted query) Decrypt automata, Advance the state of automata if necessary Write-back all automata in Partition(e) Generate basic event e

Minimum-cost clustering Each connected-group of automata is represented by a ball Each ball has a “weight” (accessed with a frequency) Each ball has a “price” (transmission overhead) Each ball has a “color” (denoting individual) Optimization problem: Partition the set of balls into as many bins as required where the objective is to ∑ ( ∑ b.price ) * ( ∑ b.weight ) s.t. each bin has balls of at least k distinct colors Minimize bini b∈bini b∈bini (Problem is NP-Hard: reduction from sum-of-squares problem)

Solution to optimization problem We give some simple heuristic solution that works well in practice Start with a random feasible partition meeting k-anonymity constraint Iterate: determine best set of “non-conflicting” ball transfers between bins (i.e. those which reduce cost by largest amount) & execute these transfers Iterate: determine best set of non-conflicting ball exchanges between bins & execute these exchanges Stop when no further cost-reduction is possible We carry out these only to the first degree of approximation -- establish pairs by using graph-matching algorithm

Experiments Prototype built on SATware-Responsphere framework Responsphere – communications, storage, computing framework consisting of approx. 200 sensors SATware – middleware for deploying pervasive space applications Dataset for simulation Generate events based on real activities in office building 4 groups of people – STUDENT, FACULTY, STAFF, VISITOR (300 in all) 3 regions: KITCHEN, SERVER_ROOM, FACILITIES_ROOM 15 rules belonging to 2 classes of activities: (i) protection of resources; (ii) suspicious activity

Sample rules

Evaluation using realistic dataset Simulated sequence of 1000 events & measured communication cost between Server and SSNs Compare the following 2 partitioning algorithms: k-individual partitioning – all automata of an individual in a single group k-connected-group partitioning – remove the above constraint

Comparison using synthetic data Cost differential increases (generally) as #individuals & # components increase No clear trend as k increases

Conclusion Automaton-based model for events in pervasive spaces is proposed Notion of anonymity in pervasive space is formalized Necessary and sufficient conditions are derived Event-clustering based solution approach is outlined Efficiency criteria is modeled as a min-cost clustering problem & a heuristic solution is proposed Challenges & Future Work: Designing a truly secure sensing-infrastructure is challenging Consider other interesting notions of privacy in pervasive spaces

Thank You !!

Secure sensor nodes IBM 4758 PCI Cryptographic Coprocessor Broadcom BCM5890 security applications processor