Secure Dependable Stream Data Management Vana Kalogeraki (UC Riverside) Dimitrios Gunopulos (UC Riverside) Ravi Sandhu (UT San Antonio) Bhavani Thuraisingham (UT Dallas) May 2008
Outline l Dependable Information Management - Integrating Real-time and Security Policies l Secure Real-Time TMO - Apply RBAC and UCON models l Stream Data/Information Management - Overview, Data Manager, Security Policy, Directions l QoS-based Stream Execution Model
Dependable Sensor Information Management l Dependable sensor information management includes - secure sensor information management - fault tolerant sensor information - High integrity and high assurance computing - Real-time computing l Conflicts between different features - Security, Integrity, Fault Tolerance, Real-time Processing - E.g., A process may miss real-time deadlines when access control checks are made - Trade-offs between real-time processing and security - Need flexible security policies; real-time processing may be critical during a mission while security may be critical during non-operational times
Secure Dependable Information Management Example: Next Generation AWACS Technology provided by the project Hardware Display Processor & Refresh Channels Consoles (14) Navigation Sensors Data Links Data Analysis Programming Group (DAPG) Future App Future App Future App Multi-Sensor Tracks Sensor Detections MSI App Data Mgmt. Data Xchg. Infrastructure Services Security being considered after the system has been designed and prototypes implemented Challenge: Integrating real-time processing, security and fault tolerance Real-time Operating System
Secure Dependable Information Management: Directions l Challenge: How does a system ensure integrity, security, fault tolerant processing, and still meet timing constraints? l Develop flexible security policies; when is it more important to ensure real-time processing and ensure security? l Secure dependable models and architectures for the policies; Examine real-time algorithms – e.g., query and transaction processing l Research for databases as well as for applications; what assumptions do we need to make about operating systems, networks and middleware? l Developing dependable sensor objects
RBAC (Sandhu et al) and ABAC (Network Centric Enterprise Services) l RBAC - Access to information sources including structured and unstructured data both within the organization and external to the organization - Access based on roles - Hierarchy of roles: handling conflicts - Controlled dissemination and sharing of the data l ABAC (Attribute based access control) - User presents credentials - Depending on the user credentials user is granted access - Suitable for open web environments
UCON (Sandhu et al) l RBAC model is incorporated into UCON and useful for various applications - Authorization component l Obligations - Obligations are actions required to be performed before an access is permitted - Obligations can be used to determine whether an expensive knowledge search is required l Attribute Mutability - Used to control the scope of the knowledge search l Condition - Can be used for resource usage policies to be relaxed or tightened
UCON (Sandhu et al))
TMO (Kane Kim et al) l TMO model A TMO object ODSS 1 ODSS 2 Object Data Store (ODS) SpM1 Deadlines AA C SpM2 AA C SvM1 Concurrency Control SvM2 AAC: Autonomous Activation Condition Service Request Queue Remote TMO Clients Lock/Condition/CREW for Concurrent Access Time-triggered(TT) Spontaneous Methods(SpMs) Message-triggered(MT) Service Methods(SvMs) EAC Capability for accessing other TMOs and network environment including logical multicast channels and I/O devices
l Access Control mechanisms - Role Based Access Control (RBAC) model l Users (TMO objects) are associated with roles l Roles are associated with permissions (Write, Read, Execution, All) l A user has permission only if the user has an authorized role which is associated with that permission - Inadequate for distributed real-time system l Server side centralized model l Need constraints on temporal behaviors of spontaneous methods in TMO RT-RBAC (Jungin Kim and Thuraisingham)
RT-UCON (Jungin Kim and Thuraisingham) l Basic authorization components for access control in TMO Continuity: dynamic and seamless constraints Mutability: control the scope of access Conditions: control the amount of access, access time Obligations: pre-conditions for determining access decisions l Adequate for distributed real-time system Space and Time domain; Server and Client side control; Dynamic and Flexible l Implemented access control through a separated object l Checks access right, maintain access policies in the system ODS: stores static and dynamic access policies SpM: controls access policies in ODS SvM: handles access decision requests
Secure CAMIN (Jungin Kim and Thuraisingham) l Mission: Defend target objects both in the sea and on the land from the hostile objects in the sky l Access control checks policies and security levels l Some malicious objects are added
Secure Sensor/Stream Information Management l Sensor network consists of a collection of autonomous and interconnected sensors that continuously sense and store information about some local phenomena - May be employed in battle fields, seismic zones, pavements l Data streams emanate from sensors; for geospatial applications these data streams could contain continuous data of maps, images, etc. Data has to be fused and aggregated l Continuous queries are posed, responses analyzed possibly in real- time, some streams discarded while rest may be stored l Recent developments in sensor information management include sensor database systems, sensor data mining, distributed data management, layered architectures for sensor nets, storage methods, data fusion and aggregation l Secure sensor data/information management has received very little attention; need a research agenda
Secure Sensor/Stream Information Management: Data Manager
Policy Specification and Enforcement: Elena Ferrari and Barbara Carminati et al l Example: Aurora Stream Model develop by Stonebraker et al l Model Operators - Filter: Select on streams based on predicates; results is a sequence of streams - Map: Project onto attributes by applying certain functions - Aggregate: Aggregate/fuse streams l Secure Model Operators - Secure Filter: Form of secure selection where access to resulting streams are controlled - Secure Map: Access to resulting attributes are controlled - Secure Aggregation: Access to resulting stream is controlled - Access to original streams are controlled but not to the results
Secure Sensor/Stream Information Management: Inference/Aggregation Control
Secure Sensor/Stream Information Management: Security Policy Integration (MURI Project) Export Engine Component Data System for Agency A Federated Data Management Export Engine Component Data System For Agency C Component Data System for Agency B Export Engine Federated Privacy Controller Privacy Controller Privacy Controller Privacy Controller Export Policy Component Policy for Sensor A Integrated Policy for the Sensor Network Export Policy Component Policy for Sensor C Component Policy for Sensor B Export Policy Generic Policy for A Generic Policy for B Generic Policy for C Additional security constraints for Inference Control Export Engine Component Data System for Agency A Federated Data Management Export Engine Component Data System For Agency C Component Data System for Agency B Export Engine Federated Privacy Controller Privacy Controller Privacy Controller Privacy Controller Export Policy Component Policy for Sensor A Integrated Policy for the Sensor Network Export Policy Component Policy for Sensor C Component Policy for Sensor B Export Policy Generic Policy for A Generic Policy for B Generic Policy for C Additional security constraints for Inference Control
Real-time Knowledge Discovery (RT-KDD) l How does a data mining technique meet the timing constraint? - E.g., if an association rule mining algorithm has a 5 minutes constraint, then should it output as many rules as possible within 5 minutes - How does this affect the accuracy of the results? - Will there be an increase in false positives and negatives? l Approximate data mining - Are there techniques analogous to techniques in approximate query processing - Are incomplete results better than no results l What are the applications for RT-KDD - Give the results to the first responder/law enforcement official in 5 minutes so that he can take appropriate actions l Secure RT-KDD?
Secure Sensor/Stream Information Management: Directions l Individual sensors may be compromised and attacked; need techniques for detecting, managing and recovering from such attacks l Aggregated sensor data may be sensitive; need secure storage sites for aggregated data; variation of the inference and aggregation problem? l Security has to be incorporated into sensor database management - Policies, models, architectures, queries, etc. l Evaluate costs for incorporating security especially when the sensor data has to be fused, aggregated and perhaps mined in real-time l Data may be emanating from sensors and other devices at multiple locations - Data may pertain to individuals (e.g. video information, images, surveillance information, etc.); Data may be mined to extract useful information; Need to maintain privacy
Secure Stream based Execution Model: Integrate Kalogeraki stream model with UCON l QoS based Infrastructure support for hosting stream based applications l Component Discovery - Data summarization and dissemination to propagate components and resource information to the appropriate nodes - Bloom filter data structure based techniques l QoS aware composition - For each application request the user specifies the data source, application graph (describing the application components and their invocations) and real-0time requirements l Apply UCON model as the basis for security - Integrate concepts from RT-UCON with stream based policies l Our approach: Specify security policies and prove that the resulting system is secure