Presentation is loading. Please wait.

Presentation is loading. Please wait.

Haowen chan  cmu Outline  The Secure Aggregation Problem  Algorithm Description  Algorithm Analysis Proof (sketch) of correctness Proof (sketch) of.

Published byBrady Eckersley Modified over 9 years ago

Similar presentations

Presentation on theme: "Haowen chan  cmu Outline  The Secure Aggregation Problem  Algorithm Description  Algorithm Analysis Proof (sketch) of correctness Proof (sketch) of."— Presentation transcript:

1 haowen chan  cmu Outline  The Secure Aggregation Problem  Algorithm Description  Algorithm Analysis Proof (sketch) of correctness Proof (sketch) of overhead bound

2 haowen chan  cmu In-Network Data Aggregation (( )) Q “What is the sum of all the sensor readings?” 2 4 1 3 0 3 2 0 + 4 + 6 + 9 9 + 15 Answer: Sensor readings

3 haowen chan  cmu Attacker Model  Unsecured deployment area  Sensor nodes not tamper-resistant  Adversary may undetectably take control of sensor nodes or base station

4 haowen chan  cmu Correct Data Aggregation (( )) Q 2 4 1 3 0 3 2 0 4 6 9 9 15 3 0 4 2

5 haowen chan  cmu Sensor Reading Falsification (( )) Q 2 4 1 3 0 3 2 0 4 6 15 21 3 0 10 2 Malicious node reports false sensor reading (within legal bounds)

6 haowen chan  cmu Sensor Reading Falsification  General aggregation problem: Assume no application-specific information  Attacker’s data indistinguishable from true data Sensor reading falsification is always possible in any general secure aggregation algorithm  Attacker’s ability limited by how many nodes compromised

7 haowen chan  cmu Aggregation Result Falsification (( )) Q 2 4 1 3 0 3 2 0 4 6 100 106 3 0 4 2 Malicious node reports false aggregation result

8 haowen chan  cmu Aggregation Result Falsification  Single malicious node may cause unbounded deviation in query result  Secure aggregation problem: Can we restrict the attacker’s ability to falsify aggregation results?  Tightest possible restriction without application knowledge: Attacker can only perform sensor reading falsification attacks or equivalent

9 haowen chan  cmu Prior Related Work  Either probabilistic detection or only for special cases  Single malicious node L. Hu and D. Evans [2003] P. Jadia and A. Mathuria [2004]  Flat aggregator topology B. Przydatek, A. Perrig, D. Song [2003] W. Du, J. Deng, Y. Han, P.K. Varshney [2003]  Probabilistic Detection B. Przydatek, A. Perrig, D. Song [2003] Y. Yang, X. Wang, S. Zhu, G. Cao [2006]

10 haowen chan  cmu Our Algorithm  General hierarchical (tree-based) aggregation topologies  Multiple (unbounded) number of compromised nodes  Achieves tightest possible bound on adversary ability to change aggregation result  Low communication overhead edge-congestion O ( l og 2 n )

11 haowen chan  cmu Outline  The Secure Aggregation Problem  Algorithm Description  Algorithm Analysis Proof (sketch) of correctness Proof (sketch) of overhead bound

12 haowen chan  cmu Preventing SUM Result Deflation  Consider only the SUM aggregate Straightforward reductions from COUNT, AVG, MEDIAN to SUM  Adversary only wishes to reduce the aggregate result  Sensor readings are nonnegative: in [0, m]  Let the sum of reported sensor readings of all legitimate nodes be S. If adversary reports any S’ < S then we detect its presence.  Adversary gains no additional benefit from aggregation result falsification vs. sensor reading falsification

13 haowen chan  cmu Generating Commitments  Require nodes to cryptographically commit to a single version of the aggregation process  Any aggregation result falsification cause in an inconsistency in some position in the commitment structure Verification process can discover inconsistency

14 haowen chan  cmu Commitment Tree  Aggregation Tree  Commitment Tree F E D C B A M A M A M AB M B M AB M C M C … M AB = h ( M A jj M B ) ; v A + v B M D M ABCD M ABCD } v AB M ABCD = h ( M AB jj M D jj M C ) ; v AB + v D + v C … M E M E M F M A = A ; v A M B = B ; v B M R

15 haowen chan  cmu Main Idea  Commitment structure is probed to verify aggregation correctness  Prior work: Querier performs probing Cannot probe every node Too much congestion near base station  New idea: Distribute the verification process to the sensor nodes  Every sensor node checks that its sensor reading was included in the aggregate

16 haowen chan  cmu Self-verification  Querier disseminates commitment tree root M R using authenticated broadcast E.g. [Perrig et al. ’01]  Node A verifies its own contribution: Node A receives commitment tree root M R Node A requests all off-path vertices for M A Verify that the inputs to each aggregation step are non-negative Verify that the correct M R can be recomputed ¹ TESLA

17 haowen chan  cmu Self-Verification of Node C M A M B M AB M C M D M ABCD M E M F R eques t o ® -pa t h ver t i ces f or M C C h ec k t h a t v AB ; v D ; v E ; v F area ll non-nega t i ve M R R ecompu t e M ABCD ; M R

18 haowen chan  cmu Aggregating Verification Results  Each node shares a secret key with querier  Node A ’s “OK” bit phrase for query k :  OK bit phrases are aggregated using XOR on the way to the querier  Querier verifies that received aggregate bitphrase is XOR of all bit phrases If any node does not respond with OK, this test will fail: aggregation result rejected. MAC K A ( Q uery k ver i ¯ e d OK b yno d e A )

19 haowen chan  cmu Aggregating with XOR 0010 0011 0110 1111 0101 1010 1000

20 haowen chan  cmu Outline  The Secure Aggregation Problem  Algorithm Description  Algorithm Analysis Proof (sketch) of correctness Proof (sketch) of overhead bound

21 haowen chan  cmu Motivating Observations  Correctness: Self-verification is cumulative Net result of all nodes performing independent self-verification is equivalent to having a central querier verify every node  Efficiency: Standard metric: congestion – maximum communication load on any single edge Self-verification incurs low congestion Even if every node performs self-verification

22 haowen chan  cmu Correctness  Lemma: If two legitimate nodes A and B both pass their verifications, then the SUM aggregate has value at least v A + v B M A M AX M AXYZ v AX ¸ v A M X v X ¸ 0 M YZ v YZ ¸ 0 Observation: Intermediate sums are non-decreasing. v AXYZ ¸ v A

23 haowen chan  cmu Correctness M C M A M B M R M X M Y v Y ¸ v B v X ¸ v A v C ¸ v A + v B v R ¸ v A + v B s i nce h i sco ll i s i on-res i s t an t M X an d M Y are d i s t i nc t M C : LCA o f M A an d M B

24 haowen chan  cmu Correctness  Corollary: If all legitimate nodes pass their verifications, then the final aggregation result is at least  Lower bound: Adversary cannot report result less than sum of legitimate sensor readings.  Upper bound? S = X i l eg i t v i

25 haowen chan  cmu Upper Bound  Reduce upper bound problem to lower bound  Compute simultaneously the complement sum aggregate (recall that )  Querier checks:  Adversary: to increase, must decrease. But neither nor can be decreased below contribution of legitimate nodes. S = n X i = 1 v i S = n X i = 1 ( m ¡ v i ) v i 2 [ 0 ; m ] S S S SS S = nm ¡ S

26 haowen chan  cmu Efficiency  Suppose aggregation tree is balanced  When node A self-verifies, it receives all off-path vertices in the commitment tree  Maximum congestion: leaf edge messages A O ( l ogn ) O ( l ogn )

27 haowen chan  cmu Efficiency  Self-verification of other nodes (e.g. node B) does not increase communication load on any edge of the path between node A and the root A B C Y X M X M Y M Y M X M Y M X

28 haowen chan  cmu Efficiency  Edge congestion in balanced aggregation trees:  For arbitrary unbalanced aggregation topology: Define a balanced logical aggregation overlay over the physical topology (details in paper) Incurs multiplicative factor  Edge congestion for general aggregation trees: O ( l ogn ) l ogn O ( l og 2 n )

29 haowen chan  cmu Naive Commitment Tree  Aggregation Tree  Commitment Tree F E D C B A M A M A M AB M B M AB M C M C M D M ABCD M ABCD M E M E M F M ABCDEF Topology of commitment tree is identical to aggregation tree (with addition of pendant vertices to all internal nodes)

30 haowen chan  cmu Balancing the Commitment Tree  Aggregation Tree unbalanced Naïve Commitment Tree unbalanced  Long paths in commitment tree High communication overhead  Idea: Instead of one commitment tree, keep a forest of complete commitment trees  Construct this using delayed aggregation )) O ( l ogn )

31 haowen chan  cmu Delayed Aggregation  Only perform aggregation on subtrees of equal height M A M A D C B A M AB M B M AB M C M AB ; M C M D M CD M ABCD M ABC M ABC

32 haowen chan  cmu Delayed Aggregation  All trees in commitment forest are complete and have distinct heights  Tallest tree has height at most  At most trees  Each sensor node receives (and transmits) commitment subtree root values  edge congestion (proof in paper) l ogn O ( l ogn ) l ogn O ( l og 2 n )

33 haowen chan  cmu Congestion Bound  Commitment tree overlay network of the aggregation tree  Each commitment tree vertex resides at the sensor node that created it  For A to self-probe, Send all off-path vertices to its leaf vertex.  congestion at leaf edge of MAMA O ( l ogn ) O ( l ogn ) ! M A M A

34 haowen chan  cmu Congestion Bound  In aggregation tree, each sensor node reports roots of subtrees to its parent  Responsible for receiving traffic for parent edges incident to these vertices in the commitment forest  edge-congestion in commitment forest edge congestion in aggregation tree. O ( l ogn ) O ( l ogn ) O ( l ogn ) ) O ( l og 2 n )

35 haowen chan  cmu Conclusion  Secure data aggregation algorithm Suitable for general tree-based aggregation topologies Resilient vs multiple malicious nodes Tightest possible guarantees on adversary detection (without assuming application knowledge) Low edge congestion Limitation: need to know the set of responding nodes  Future Work: Secure versions of more sophisticated aggregation functions Defences vs sensor reading falsification O ( l og 2 n )

36 haowen chan  cmu Secure Hierarchical In-network Data Aggregation for Sensor Networks Haowen Chan Adrian Perrig and Dawn Song Carnegie Mellon University

Download ppt "Haowen chan  cmu Outline  The Secure Aggregation Problem  Algorithm Description  Algorithm Analysis Proof (sketch) of correctness Proof (sketch) of."

Similar presentations

Routing Complexity of Faulty Networks Omer Angel Itai Benjamini Eran Ofek Udi Wieder The Weizmann Institute of Science.

Routing Complexity of Faulty Networks Omer Angel Itai Benjamini Eran Ofek Udi Wieder The Weizmann Institute of Science.
Chris Karlof and David Wagner

Chris Karlof and David Wagner
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Key Infection (smart trust for smart dust) Ross Anderson (Cambridge) Haowen Chan (CMU) Adrian Perrig (CMU)

Key Infection (smart trust for smart dust) Ross Anderson (Cambridge) Haowen Chan (CMU) Adrian Perrig (CMU)
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
An Efficient Scheme for Authenticating Public Keys in Sensor Networks Wenliang (Kevin) Du (Syracuse) Ronghua Wang (Syracuse) Peng Ning (North Carolina.

An Efficient Scheme for Authenticating Public Keys in Sensor Networks Wenliang (Kevin) Du (Syracuse) Ronghua Wang (Syracuse) Peng Ning (North Carolina.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
A Framework for Secure Data Aggregation in Sensor Networks Yi Yang Xinran Wang, Sencun Zhu and Guohong Cao The Pennsylvania State University MobiHoc’ 06.

A Framework for Secure Data Aggregation in Sensor Networks Yi Yang Xinran Wang, Sencun Zhu and Guohong Cao The Pennsylvania State University MobiHoc’ 06.
A Framework for Secure Data Aggregation in Sensor Networks Yi Yang Joint work with Xinran Wang, Sencun Zhu and Guohong Cao Dept. of Computer Science &

A Framework for Secure Data Aggregation in Sensor Networks Yi Yang Joint work with Xinran Wang, Sencun Zhu and Guohong Cao Dept. of Computer Science &
Computer Science SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks Yi Yang, Xinran Wang, Sencun Zhu and Guohong Cao April 24, 2007.

Computer Science SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks Yi Yang, Xinran Wang, Sencun Zhu and Guohong Cao April 24, 2007.
Distributed Detection Of Node Replication Attacks In Sensor Networks Presenter: Kirtesh Patil Acknowledgement: Slides on Paper originally provided by Bryan.

Distributed Detection Of Node Replication Attacks In Sensor Networks Presenter: Kirtesh Patil Acknowledgement: Slides on Paper originally provided by Bryan.
SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.

SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.
IC-29 Security and Cooperation in Wireless Networks 1 Secure and Robust Aggregation in Sensor Networks Parisa Haghani Supervised by: Panos Papadimitratos.

IC-29 Security and Cooperation in Wireless Networks 1 Secure and Robust Aggregation in Sensor Networks Parisa Haghani Supervised by: Panos Papadimitratos.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
A Pairwise Key Pre-Distribution Scheme for Wireless Sensor Networks Wenliang (Kevin) Du, Jing Deng, Yunghsiang S. Han and Pramod K. Varshney Department.

A Pairwise Key Pre-Distribution Scheme for Wireless Sensor Networks Wenliang (Kevin) Du, Jing Deng, Yunghsiang S. Han and Pramod K. Varshney Department.
Security Issues In Sensor Networks By Priya Palanivelu.

Security Issues In Sensor Networks By Priya Palanivelu.
SUMP: A Secure Unicast Messaging Protocol for Wireless Ad Hoc Sensor Networks Jeff Janies, Chin-Tser Huang, Nathan L. Johnson.

SUMP: A Secure Unicast Messaging Protocol for Wireless Ad Hoc Sensor Networks Jeff Janies, Chin-Tser Huang, Nathan L. Johnson.
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.

Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
Tributaries and Deltas: Efficient and Robust Aggregation in Sensor Network Streams Amit Manjhi, Suman Nath, Phillip B. Gibbons Carnegie Mellon University.

Tributaries and Deltas: Efficient and Robust Aggregation in Sensor Network Streams Amit Manjhi, Suman Nath, Phillip B. Gibbons Carnegie Mellon University.

Similar presentations

Ads by Google