Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy-preserving Event Detection in Pervasive Spaces

Published by희주 수 Modified over 6 years ago

Similar presentations

Presentation on theme: "Privacy-preserving Event Detection in Pervasive Spaces"— Presentation transcript:

1 Privacy-preserving Event Detection in Pervasive Spaces
Bijit Hore, Jehan Wickramasuriya, Sharad Mehrotra, Nalini Venkatasubramanian, Daniel Massaguer

2 What is our pervasive space?
No ordinary coffee room, one that is monitored ! There are rules that apply If rule is violated, penalties may be imposed But all is not unfair: individuals have right to privacy ! ”Till an individual has not had more than his quota of coffee, his identity will not be revealed” (Motivated by surveillance apps) A Coffee room !

3 Issues to be addressed Modeling pervasive spaces
How to implement its functionality? Adversary What kind of adversary? How powerful is he? Privacy Goal  Ensure anonymity of individuals Necessary and sufficient conditions? Solution approach Meets the necessary and sufficiency conditions Practical/scalable? Here are a set of issues to be addressed in designing such a space

4 Basic events, Composite events & Rules
Pervasive space generates stream of basic events Composite event is one or more sequence of basic events that comprise a pattern of interest (example on next page) Rule: (Composite event, Action) Rules apply to groups of individuals, e.g.: Coffee room rules apply to everyone Server room rule applies to everyone except administrators etc. Pervasive Space with sensors :: ek:<Bill, coffee-room, coffee-maker, exit> :: e2:<Tom, coffee-room, coffee-cup, dispense> Stream of Basic Events e1:<Tom, coffee-room, *, enter>

5 Composite events Composite event templates
Detect the event when: “A student drinks more than 3 cups of coffee” e1 ≡ <u ∈ STUDENT, coffee_room, coffee_cup, dispense> Detect the event when: “A student tries to accesses the IBM server in the server room” e1 ≡ <u ∈ STUDENT,server_room,*, entry> e2 ≡ <ū, server_room, *, exit> e3 ≡ <ū, server_room, IBM-server, login-attempt> Change second example

6 Automata & State Information
Rule  Automaton template (Rule, Individual)  Instance of a template = automaton object ARX ARY ARZ Rule R applies to {X, Y, Z} Add some more info on this slide Automaton used for storing state of partially completed events State transition in automatons happen on basic events 3 automata that implement R for X, Y and Z respectively The number of automata in the state table is proportional to the number of individuals who interact with the space

7 System architecture & adversary
Server Secure Sensor node (SSN) Rules DB :: Secure Sensor node (SSN) State Information (Encrypted) Thin trusted middleware to obfuscate origin of events Architecture of a privacy-preserving pervasive space application (Talk about MUSQATI later) Say how we need to store large amount of state information in a dynamic environment Similar to secure querying systems which use a small secret and/or trusted agent to leverage the large (potentially unsafe) storage and computing power of the infrastructure to deliver applications Secure data capture is simple (no leakage/siphoning etc. of data) Secure event-generation is the key that we are trying to break now. Looks like we have to implement a “trusted middleware” to obfuscate the origin of basic events. Basic Assumptions about SSNs Secure data capture (Sensors are tamper-proof) Secure generation of basic events by SSN Trusted & have computation power + limited storage, can carry out encryption/decryption with secret key common to all SSNs

8 System architecture & adversary (cont.)
Adversary: Server-side snooper who wants to deduce the identity of the individual associated with a basic-event. Minimum requirement for security: State information is to be always encrypted on server Recall: Goal is to ensure a level k of anonymity for each individual

9 Basic protocol Question: Does encryption ensure complete anonymity?
Return automata that (possibly) match e (encrypted match) Store updated automata SERVER SECURE SENSOR NODE Query for set of (encrypted) automata that match event e Decrypt automata, advance the state of automata if necessary associate encrypted label with new state. Write-back encrypted automata Generate basic event e Question: Does encryption ensure complete anonymity? NO! SSNs’ pattern of automata access may cause identity disclosure

10 Example R1 Applies to Tom Tom enters Kitchen  3 firings R2 R3 R1
U enters kitchen U takes coffee R1 U enters kitchen U opens fridge Applies to Tom Tom enters Kitchen  3 firings R2 U enters kitchen U opens microwave R3 U enters kitchen U takes coffee R1 Applies to Bill Bill enters Kitchen  2 firings U enters kitchen U opens fridge R2 On an event, the # rows retrieved from state table can disclose the identity of the individual

11 Characteristic access patterns of automata
The set of rules applicable to an individual maybe unique  potentially identify the individual Rules applicable to TOM Tom enters kitchen Tom takes coffee x Characteristic patterns of x P1: {x,y,z} {x y} Characteristic patterns of y P2: {x,y,z} {x,y} {y} P3: {x,y,z} {y,z} {y} Characteristic patterns of z P4: {x,y,z} {y z} Tom leaves coffee pot empty Tom takes coffee Tom enters kitchen y Tom opens fridge Tom leaves fridge open Tom enters kitchen Tom opens fridge z The characteristic access patterns of rows can potentially reveal the identity of the automaton in spite of encryption

12 Partitioning events (unrestricted)
Goal: Make the set of characteristic patterns associated with each automaton non-identifying (k-anonymous) Candidate solution: Partition events into k-diverse groups Index automata (rows of the table) by event’s group-id instead of the event-label Tom enters kitchen Bill enters kitchen Kate leaves microwave open C2 Tom opens fridge Kate enters kitchen Bill takes coffee Theorem: Checking if an event-partitioning scheme for a given set of automata is k-anonymous is NP-Complete (The problem of checking the existence of a fixed-point-free automorphism in graphs can be reduced to this problem) Tom leaves microwave open Kate leaves fridge open 3-diverse event clusters 3-diverse solution Bill leaves microwave open C3 Does not guarantee 3-anonymity

13 Event clustering (restricted)
Assign all events in an automaton into a single group If two automata have a common event, assign them to the same group  Connected-groups of automata Combine connected-groups into k-diverse partitions Guarantees k-anonymity C1 C2 Note that such a clustering offers opportunities for automata merging as well All automata in a cluster are associated with the same access pattern  k-anonymity

14 Final partition-based protocol
Return all automata belonging to Partition(e) Store updated automata SERVER SECURE SENSOR NODE Determine Partition(e) (encrypted query) Decrypt automata, Advance the state of automata if necessary Write-back all automata in Partition(e) Generate basic event e

15 Minimum-cost clustering
Each connected-group of automata is represented by a ball Each ball has a “weight” (accessed with a frequency) Each ball has a “price” (transmission overhead) Each ball has a “color” (denoting individual) Optimization problem: Partition the set of balls into as many bins as required where the objective is to ∑ ( ∑ b.price ) * ( ∑ b.weight ) s.t. each bin has balls of at least k distinct colors Minimize bini b∈bini b∈bini (Problem is NP-Hard: reduction from sum-of-squares problem)

16 Solution to optimization problem
We give some simple heuristic solution that works well in practice Start with a random feasible partition meeting k-anonymity constraint Iterate: determine best set of “non-conflicting” ball transfers between bins (i.e. those which reduce cost by largest amount) & execute these transfers Iterate: determine best set of non-conflicting ball exchanges between bins & execute these exchanges Stop when no further cost-reduction is possible We carry out these only to the first degree of approximation -- establish pairs by using graph-matching algorithm

17 Experiments Prototype built on SATware-Responsphere framework
Responsphere – communications, storage, computing framework consisting of approx. 200 sensors SATware – middleware for deploying pervasive space applications Dataset for simulation Generate events based on real activities in office building 4 groups of people – STUDENT, FACULTY, STAFF, VISITOR (300 in all) 3 regions: KITCHEN, SERVER_ROOM, FACILITIES_ROOM 15 rules belonging to 2 classes of activities: (i) protection of resources; (ii) suspicious activity

18 Sample rules

19 Evaluation using realistic dataset
Simulated sequence of 1000 events & measured communication cost between Server and SSNs Compare the following 2 partitioning algorithms: k-individual partitioning – all automata of an individual in a single group k-connected-group partitioning – remove the above constraint

20 Comparison using synthetic data
Cost differential increases (generally) as #individuals & # components increase No clear trend as k increases

21 Conclusion Automaton-based model for events in pervasive spaces is proposed Notion of anonymity in pervasive space is formalized Necessary and sufficient conditions are derived Event-clustering based solution approach is outlined Efficiency criteria is modeled as a min-cost clustering problem & a heuristic solution is proposed Challenges & Future Work: Designing a truly secure sensing-infrastructure is challenging Consider other interesting notions of privacy in pervasive spaces

22 Thank You !!

23 Secure sensor nodes IBM 4758 PCI Cryptographic Coprocessor Broadcom BCM5890 security applications processor

Download ppt "Privacy-preserving Event Detection in Pervasive Spaces"

Similar presentations

What is a Database By: Cristian Dubon.

What is a Database By: Cristian Dubon.
Lecture 24 MAS 714 Hartmut Klauck

Lecture 24 MAS 714 Hartmut Klauck
A Privacy Preserving Index for Range Queries

A Privacy Preserving Index for Range Queries
Effective Keyword Based Selection of Relational Databases Bei Yu, Guoliang Li, Karen Sollins, Anthony K.H Tung.

Effective Keyword Based Selection of Relational Databases Bei Yu, Guoliang Li, Karen Sollins, Anthony K.H Tung.
An Approach to Evaluate Data Trustworthiness Based on Data Provenance Department of Computer Science Purdue University.

An Approach to Evaluate Data Trustworthiness Based on Data Provenance Department of Computer Science Purdue University.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Design and Implementation of a Middleware for Sentient Spaces Bijit Hore, Hojjat Jafarpour, Ramesh Jain, Shengyue Ji, Daniel Massaguer Sharad Mehrotra,

Design and Implementation of a Middleware for Sentient Spaces Bijit Hore, Hojjat Jafarpour, Ramesh Jain, Shengyue Ji, Daniel Massaguer Sharad Mehrotra,
Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.

Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.
Cache Placement in Sensor Networks Under Update Cost Constraint Bin Tang, Samir Das and Himanshu Gupta Department of Computer Science Stony Brook University.

Cache Placement in Sensor Networks Under Update Cost Constraint Bin Tang, Samir Das and Himanshu Gupta Department of Computer Science Stony Brook University.
Preference Analysis Joachim Giesen and Eva Schuberth May 24, 2006.

Preference Analysis Joachim Giesen and Eva Schuberth May 24, 2006.
Chapter 5 Normalization Transparencies © Pearson Education Limited 1995, 2005.

Chapter 5 Normalization Transparencies © Pearson Education Limited 1995, 2005.
Fast Subsequence Matching in Time-Series Databases Christos Faloutsos M. Ranganathan Yannis Manolopoulos Department of Computer Science and ISR University.

Fast Subsequence Matching in Time-Series Databases Christos Faloutsos M. Ranganathan Yannis Manolopoulos Department of Computer Science and ISR University.
An efficient distributed protocol for collective decision- making in combinatorial domains CMSS Feb. 20-21, 2012 Minyi Li Intelligent Agent Technology.

An efficient distributed protocol for collective decision- making in combinatorial domains CMSS Feb , 2012 Minyi Li Intelligent Agent Technology.
Secure Incremental Maintenance of Distributed Association Rules.

Secure Incremental Maintenance of Distributed Association Rules.
Normalization Transparencies

Normalization Transparencies
TECH Computer Science NP-Complete Problems Problems  Abstract Problems  Decision Problem, Optimal value, Optimal solution  Encodings  //Data Structure.

TECH Computer Science NP-Complete Problems Problems  Abstract Problems  Decision Problem, Optimal value, Optimal solution  Encodings  //Data Structure.
Exploiting Context Analysis for Combining Multiple Entity Resolution Systems -Ramu Bandaru Zhaoqi Chen Dmitri V.kalashnikov Sharad Mehrotra.

Exploiting Context Analysis for Combining Multiple Entity Resolution Systems -Ramu Bandaru Zhaoqi Chen Dmitri V.kalashnikov Sharad Mehrotra.
Privacy Challenges in Pervasive Spaces RESCUE All Hands Meeting – June 2007.

Privacy Challenges in Pervasive Spaces RESCUE All Hands Meeting – June 2007.
Resource Mapping and Scheduling for Heterogeneous Network Processor Systems Liang Yang, Tushar Gohad, Pavel Ghosh, Devesh Sinha, Arunabha Sen and Andrea.

Resource Mapping and Scheduling for Heterogeneous Network Processor Systems Liang Yang, Tushar Gohad, Pavel Ghosh, Devesh Sinha, Arunabha Sen and Andrea.
Lecture 5 Normalization. Objectives The purpose of normalization. How normalization can be used when designing a relational database. The potential problems.

Lecture 5 Normalization. Objectives The purpose of normalization. How normalization can be used when designing a relational database. The potential problems.

Similar presentations

Ads by Google