Privacy-preserving Event Detection in Pervasive Spaces - PowerPoint PPT Presentation

Author: Information and Computer Science; last modified by: Bijit Hore; created: 10/24/2004 8:15:24 AM
Slides: 24
Provided by: Informat2123
Learn more at: https://ics.uci.edu

Transcript and Presenter's Notes

1
Privacy-preserving Event Detection in Pervasive Spaces
  • Bijit Hore, Jehan Wickramasuriya, Sharad Mehrotra, Nalini Venkatasubramanian, Daniel Massaguer

2
What is our pervasive space? A coffee room!
  • No ordinary coffee room, but one that is monitored!
  • There are rules that apply
  • If a rule is violated, penalties may be imposed
  • But all is not unfair: individuals have a right to privacy!
  • Until an individual has had more than his quota of coffee, his identity will not be revealed
  • (Motivated by surveillance apps)

3
Issues to be addressed
  • Modeling pervasive spaces
    • How to implement its functionality?
  • Adversary
    • What kind of adversary? How powerful is he?
  • Privacy
    • Goal: ensure anonymity of individuals
    • Necessary and sufficient conditions?
  • Solution approach
    • Meets the necessary and sufficient conditions
    • Practical/scalable?

4
Basic events, Composite events & Rules
  • The pervasive space generates a stream of basic events
  • A composite event is one or more sequences of basic events that comprise a pattern of interest (example on next page)
  • Rule = (Composite event, Action)
  • Rules apply to groups of individuals, e.g.
    • Coffee room rules apply to everyone
    • Server room rule applies to everyone except administrators, etc.

Pervasive space with sensors; stream of basic events:
  e1 = <Tom, coffee-room, , enter>
  e2 = <Tom, coffee-room, coffee-cup, dispense>
  ek = <Bill, coffee-room, coffee-maker, exit>
5
Composite events
  • Composite event templates
    • Detect the event "A student drinks more than 3 cups of coffee":
      e1 = <u ∈ STUDENT, coffee_room, coffee_cup, dispense>
    • Detect the event "A student tries to access the IBM server in the server room":
      e1 = <u ∈ STUDENT, server_room, , entry>
      e2 = <u, server_room, , exit>
      e3 = <u, server_room, IBM-server, login-attempt>

6
Automata & State Information
  • Rule → Automaton template
  • (Rule, Individual) → Instance of a template automaton object

Rule R applies to X, Y, Z: three automata ARX, ARY, ARZ implement R for X, Y and Z respectively.
The number of automata in the state table is proportional to the number of individuals who interact with the space.
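
The automaton model of slides 4 to 6, as an added example that is not part of the presentation: a basic event is the tuple <individual, location, object, action> from the slides, a rule pairs a composite-event template with an action, and one automaton instance is kept per (rule, individual). The group membership, the event stream, the rule actions and the two-step form of the server-room rule are assumptions made for this example.

```python
"""Basic events, composite-event templates and per-individual automata.

Added example (not the presentation's own code). Group membership, the
event stream, the actions and the simplified server-room rule are constructed.
"""
from collections import namedtuple

Event = namedtuple("Event", "who where what action")

# Constructed group membership (the slides only name the groups).
GROUPS = {"STUDENT": {"Tom", "Kate"}, "ADMIN": {"Bill"}}


class Rule:
    """(composite-event template, action); applies to every member of `group`.
    A template is a list of steps <where, what, action>; '' is a wildcard."""
    def __init__(self, name, group, template, action):
        self.name, self.group, self.template, self.action = name, group, template, action


def step_matches(step, ev):
    """A step matches an event when every non-wildcard field is equal."""
    return all(want in ("", got) for want, got in zip(step, (ev.where, ev.what, ev.action)))


class Automaton:
    """Instance of a rule template for one individual; state = steps completed.
    Events that do not match the next step are ignored, so the coffee count
    survives unrelated events (a design choice of this example)."""
    def __init__(self, rule, who):
        self.rule, self.who, self.state = rule, who, 0

    def advance(self, ev):
        """Consume a basic event; return the rule's action when the composite event completes."""
        if ev.who != self.who or not step_matches(self.rule.template[self.state], ev):
            return None
        self.state += 1
        if self.state == len(self.rule.template):
            self.state = 0            # composite event detected: reset for the next occurrence
            return self.rule.action
        return None


def state_table(rules, groups):
    """One automaton per (rule, individual the rule applies to): the table the server holds.
    Its size grows with the number of individuals, as slide 6 notes."""
    return [Automaton(r, who) for r in rules for who in sorted(groups[r.group])]


def detect(events, table):
    """Feed the basic-event stream through every automaton; collect (rule, who, action) firings."""
    fired = []
    for ev in events:
        for a in table:
            action = a.advance(ev)
            if action is not None:
                fired.append((a.rule.name, a.who, action))
    return fired


# Constructed rules: "a student drinks more than 3 cups of coffee" is four dispense
# steps; the server-room rule is simplified here to entry followed by a login attempt.
RULES = [
    Rule("R1", "STUDENT", [("coffee_room", "coffee_cup", "dispense")] * 4, "report: coffee quota exceeded"),
    Rule("R2", "STUDENT", [("server_room", "", "entry"), ("server_room", "IBM-server", "login-attempt")],
         "report: unauthorised server access"),
]

# Constructed stream of basic events.
STREAM = [
    Event("Tom", "coffee_room", "", "enter"),
    Event("Tom", "coffee_room", "coffee_cup", "dispense"),
    Event("Bill", "coffee_room", "coffee_cup", "dispense"),   # Bill is ADMIN: no automaton, never reported
    Event("Tom", "coffee_room", "coffee_cup", "dispense"),
    Event("Kate", "server_room", "", "entry"),
    Event("Tom", "coffee_room", "coffee_cup", "dispense"),
    Event("Kate", "server_room", "IBM-server", "login-attempt"),
    Event("Tom", "coffee_room", "coffee_cup", "dispense"),
]

if __name__ == "__main__":
    table = state_table(RULES, GROUPS)
    print(len(table), "automata for", sum(len(g) for g in GROUPS.values()), "individuals")
    for name, who, action in detect(STREAM, table):
        print(name, who, action)
```

Running it reports Kate's server-room rule first (her login attempt arrives before Tom's fourth cup) and then Tom's coffee quota; Bill's events touch no automaton because no rule applies to administrators.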
7
System architecture & adversary
Server: Rules DB, State Information (Encrypted)
Secure Sensor Nodes (SSN), with a thin trusted middleware to obfuscate the origin of events
  • Basic assumptions about SSNs
    • Secure data capture (sensors are tamper-proof)
    • Secure generation of basic events by the SSN
    • Trusted; have computation power and limited storage; can carry out encryption/decryption with a secret key common to all SSNs

8
System architecture & adversary (cont.)
  • Adversary: a server-side snooper who wants to deduce the identity of the individual associated with a basic event.
  • Minimum requirement for security: state information is always encrypted on the server.
  • Recall: the goal is to ensure a level k of anonymity for each individual.
9
Basic protocol
Secure sensor node ↔ Server:
  • SSN: generate basic event e
  • SSN → Server: query for the set of (encrypted) automata that match event e
  • Server → SSN: return the automata that (possibly) match e (encrypted match)
  • SSN: decrypt the automata, advance their state if necessary, associate an encrypted label with the new state
  • SSN → Server: write back the encrypted automata
  • Server: store the updated automata
Question: does encryption ensure complete anonymity? NO! The SSN's pattern of automata access may cause identity disclosure.
10
Example
Rules:
  • R1: U enters kitchen, U takes coffee
  • R2: U enters kitchen, U opens fridge
  • R3: U enters kitchen, U opens microwave
R1, R2, R3 apply to Tom: Tom enters kitchen → 3 firings
R1, R2 apply to Bill: Bill enters kitchen → 2 firings
On an event, the rows retrieved from the state table can disclose the identity of the individual.
11
Characteristic access patterns of automata
The set of rules applicable to an individual may be unique → potentially identifies the individual.
Rules applicable to Tom (automata x, y, z):
  • x: Tom enters kitchen, Tom takes coffee
  • y: Tom enters kitchen, Tom takes coffee, Tom leaves coffee pot empty
  • z: Tom enters kitchen, Tom opens fridge, Tom leaves fridge open
[Figure: characteristic patterns of the automata as sequences of row-sets retrieved: x: P1 = ({x,y,z}, {x}, {y}); y: P2 = ({x,y,z}, {x,y}, {y}), P3 = ({x,y,z}, {y,z}, {y}); z: P4 = ({x,y,z}, {y}, {z})]
  • The characteristic access patterns of rows can potentially reveal the identity of the automaton in spite of encryption

12
Partitioning events (unrestricted)
  • Goal: make the set of characteristic patterns associated with each automaton non-identifying (k-anonymous)
  • Candidate solution
    • Partition events into k-diverse groups
    • Index automata (rows of the table) by the event's group-id instead of the event label

3-diverse event clusters:
  • C1: Tom enters kitchen, Bill enters kitchen, Kate leaves microwave open
  • C2: Tom opens fridge, Kate enters kitchen, Bill takes coffee
  • C3: Tom leaves microwave open, Kate leaves fridge open, Bill leaves microwave open
Does not guarantee 3-anonymity.

Theorem: checking if an event-partitioning scheme for a given set of automata is k-anonymous is NP-Complete (the problem of checking the existence of a fixed-point-free automorphism in graphs can be reduced to this problem).
13
Event clustering (restricted)
  • Assign all events in an automaton to a single group
  • If two automata have a common event, assign them to the same group → connected groups of automata
  • Combine connected groups into k-diverse partitions
  • Guarantees k-anonymity

Clusters C1, C2: all automata in a cluster are associated with the same access pattern → k-anonymity
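
The leakage of slides 10 and 11 and the restricted clustering of slide 13, as one added example that is not part of the presentation: each automaton is modelled as the set of event labels it reacts to, tagged with its owner; the server is assumed to index encrypted rows either by event label (basic protocol) or by the id of the event's partition, and the code measures what a server-side snooper can tell apart in each case. The individuals, automata, events, the size-based fingerprint and the greedy merge order are assumptions of this example.

```python
"""Characteristic access patterns (slide 11) and restricted event clustering (slide 13).

Added example, not the presentation's own code; individuals, automata and
events are constructed.
"""
from collections import defaultdict

# Constructed automata: id -> (individual, events it reacts to)
AUTOMATA = {
    "x": ("Tom", {"Tom enters kitchen", "Tom takes coffee"}),
    "y": ("Tom", {"Tom enters kitchen", "Tom takes coffee", "Tom leaves coffee pot empty"}),
    "z": ("Tom", {"Tom enters kitchen", "Tom opens fridge", "Tom leaves fridge open"}),
    "p": ("Bill", {"Bill enters kitchen", "Bill takes coffee"}),
    "q": ("Bill", {"Bill enters kitchen", "Bill opens fridge"}),
    "r": ("Kate", {"Kate enters kitchen", "Kate opens microwave"}),
    "s": ("Kate", {"Kate enters kitchen", "Kate leaves microwave open"}),
    "t": ("Ann", {"Ann enters kitchen", "Ann takes coffee"}),
    "u": ("Ann", {"Ann enters kitchen", "Ann opens fridge"}),
}

BY_LABEL = lambda label: label      # basic protocol: rows indexed by the event label itself


def build_index(automata, key):
    """Server-side index: key(event) -> ids of the rows fetched when that event occurs."""
    index = defaultdict(set)
    for aid, (_, events) in automata.items():
        for ev in events:
            index[key(ev)].add(aid)
    return index


def fingerprint(aid, automata, index, key):
    """What the snooper sees for this automaton's events: the sizes of the row groups
    fetched. Encrypted rows keep a stable identity, so the real observable is richer;
    different fingerprints are certainly distinguishable, so the anonymity computed
    from fingerprints is an upper bound on the true anonymity (an assumption here)."""
    return frozenset(len(index[key(ev)]) for ev in automata[aid][1])


def anonymity(automata, key=BY_LABEL):
    """Per automaton: number of distinct individuals owning an automaton with the
    same fingerprint. A value of 1 means the access pattern pins the individual down."""
    index = build_index(automata, key)
    owners = defaultdict(set)
    for aid, (who, _) in automata.items():
        owners[fingerprint(aid, automata, index, key)].add(who)
    return {aid: len(owners[fingerprint(aid, automata, index, key)]) for aid in automata}


def connected_groups(automata):
    """Automata that share an event must land in the same group: union-find over events."""
    parent = {aid: aid for aid in automata}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    members = defaultdict(list)
    for aid, (_, events) in automata.items():
        for ev in events:
            members[ev].append(aid)
    for ids in members.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = defaultdict(set)
    for aid in automata:
        groups[find(aid)].add(aid)
    return sorted(groups.values(), key=sorted)


def k_diverse_partitions(automata, k):
    """Greedily merge connected groups until every partition has >= k colours (individuals).
    Returns the partitions and the event -> partition-id map the server indexes by."""
    partitions, current = [], set()
    for group in connected_groups(automata):
        current |= group
        if len({automata[a][0] for a in current}) >= k:
            partitions.append(current)
            current = set()
    if current:                       # leftover without k colours joins the last partition
        if not partitions:
            raise ValueError(f"fewer than {k} individuals in total")
        partitions[-1] |= current
    event_to_partition = {ev: pid for pid, part in enumerate(partitions)
                          for aid in part for ev in automata[aid][1]}
    return partitions, event_to_partition


def min_colours(partitions, automata):
    """The guarantee of slide 13: every partition holds automata of >= k individuals."""
    return min(len({automata[a][0] for a in part}) for part in partitions)


if __name__ == "__main__":
    print("indexed by event label:", anonymity(AUTOMATA))
    parts, ev2p = k_diverse_partitions(AUTOMATA, 2)
    print("partitions:", [sorted(p) for p in parts], "min colours:", min_colours(parts, AUTOMATA))
    print("indexed by partition:  ", anonymity(AUTOMATA, key=ev2p.__getitem__))
```

With rows indexed by event label, Tom's three automata each have a fingerprint nobody else shares (anonymity 1), which is the slide 11 disclosure; indexed by partition, every access fetches a whole k-diverse partition, so every automaton is hidden among at least k individuals.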
14
Final partition-based protocol
  • SSN: generate basic event e
  • SSN → Server: determine Partition(e) (encrypted query)
  • Server → SSN: return all automata belonging to Partition(e)
  • SSN: decrypt the automata, advance their state if necessary
  • SSN → Server: write back all automata in Partition(e)
  • Server: store the updated automata
15
Minimum-cost clustering
  • Each connected group of automata is represented by a ball
  • Each ball has a weight (the frequency with which it is accessed)
  • Each ball has a price (transmission overhead)
  • Each ball has a color (denoting the individual)
  • Optimization problem: partition the set of balls into as many bins as required so as to
    Minimize $\sum_{i} \Big( \sum_{b \in \mathrm{bin}_i} b.\mathrm{price} \Big) \Big( \sum_{b \in \mathrm{bin}_i} b.\mathrm{weight} \Big)$
    s.t. each bin has balls of at least k distinct colors
  • (The problem is NP-Hard: reduction from the sum-of-squares problem)

16
Solution to optimization problem
  • We give a simple heuristic solution that works well in practice
    • Start with a random feasible partition meeting the k-anonymity constraint
    • Iterate: determine the best set of non-conflicting ball transfers between bins (i.e. those which reduce the cost by the largest amount); execute these transfers
    • Iterate: determine the best set of non-conflicting ball exchanges between bins; execute these exchanges
    • Stop when no further cost reduction is possible
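
The min-cost clustering of slide 15 and the local-search heuristic of slide 16, as an added example that is not part of the presentation: balls carry a weight (access frequency), a price (transmission overhead) and a colour (individual); the cost is the sum over bins of price-sum times weight-sum, and every non-empty bin must hold at least k colours. The balls, the greedy construction of the random feasible start and the "no bin touched twice per round" reading of "non-conflicting" are assumptions of this example.

```python
"""Min-cost clustering of connected groups ("balls") into k-diverse bins (slides 15-16).

Added example, not the presentation's own code; the balls are constructed.
"""
import random
from collections import namedtuple

Ball = namedtuple("Ball", "name colour weight price")

BALLS = [  # constructed connected groups
    Ball("b0", "Tom", 5, 3), Ball("b1", "Tom", 1, 2),
    Ball("b2", "Bill", 4, 1), Ball("b3", "Bill", 2, 4),
    Ball("b4", "Kate", 6, 2), Ball("b5", "Kate", 1, 1),
    Ball("b6", "Ann", 3, 3), Ball("b7", "Ann", 2, 2),
]


def bin_cost(balls):
    """Every access to any ball in a bin ships the whole bin: price-sum x weight-sum."""
    return sum(b.price for b in balls) * sum(b.weight for b in balls)


def total_cost(bins):
    return sum(bin_cost(b) for b in bins)


def is_feasible(bins, k):
    """Every non-empty bin holds balls of at least k distinct colours."""
    return all(len({b.colour for b in bn}) >= k for bn in bins if bn)


def random_feasible_partition(balls, k, rng):
    """Shuffle, then close a bin as soon as it has k colours; leftovers join the last bin."""
    order = balls[:]
    rng.shuffle(order)
    bins, current = [], []
    for b in order:
        current.append(b)
        if len({c.colour for c in current}) >= k:
            bins.append(current)
            current = []
    if current:
        if not bins:
            raise ValueError(f"fewer than {k} colours in total")
        bins[-1].extend(current)
    return bins


def delta(bins, k, i, j, a, b):
    """Cost change of moving ball a from bin i to bin j and ball b from j to i
    (either may be None); None if the result violates the k-colour constraint."""
    new_i = [x for x in bins[i] if x is not a] + ([b] if b is not None else [])
    new_j = [x for x in bins[j] if x is not b] + ([a] if a is not None else [])
    if not is_feasible([new_i, new_j], k):
        return None
    return bin_cost(new_i) + bin_cost(new_j) - bin_cost(bins[i]) - bin_cost(bins[j])


def improving_moves(bins, k, exchange):
    """All cost-reducing transfers (exchange=False) or exchanges, cheapest first,
    as (delta, i, j, ball_from_i, ball_from_j)."""
    moves = []
    for i in range(len(bins)):
        for j in range(len(bins)):
            if i == j or (exchange and j < i):
                continue
            pairs = [(a, b) for a in bins[i] for b in bins[j]] if exchange else [(a, None) for a in bins[i]]
            for a, b in pairs:
                d = delta(bins, k, i, j, a, b)
                if d is not None and d < 0:
                    moves.append((d, i, j, a, b))
    return sorted(moves, key=lambda m: m[0])


def local_search(balls, k, seed=0):
    """Slide 16 heuristic: rounds of transfers, then exchanges, applying the best
    non-conflicting moves (no bin touched twice per round) until nothing improves."""
    bins = random_feasible_partition(balls, k, random.Random(seed))
    improved = True
    while improved:
        improved = False
        for exchange in (False, True):
            touched, batch = set(), []
            for m in improving_moves(bins, k, exchange):
                if m[1] in touched or m[2] in touched:
                    continue
                touched.update((m[1], m[2]))
                batch.append(m)
            for _, i, j, a, b in batch:
                if a is not None:
                    bins[i].remove(a)
                    bins[j].append(a)
                if b is not None:
                    bins[j].remove(b)
                    bins[i].append(b)
            bins = [bn for bn in bins if bn]        # a transfer may empty a bin
            improved = improved or bool(batch)
    return bins


if __name__ == "__main__":
    start = random_feasible_partition(BALLS, 2, random.Random(0))
    result = local_search(BALLS, 2)
    print("start cost", total_cost(start), "-> local optimum", total_cost(result))
    for bn in result:
        print(sorted(b.name for b in bn), "colours", sorted({b.colour for b in bn}))
```

Every round applies only moves with a negative delta on disjoint bins, so the integer cost strictly decreases and the loop terminates at a partition where no single transfer or exchange helps; the result is a local optimum, not necessarily the NP-hard global one.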

17
Experiments
  • Prototype built on the SATware-Responsphere framework
    • Responsphere: communications, storage and computing framework consisting of approx. 200 sensors
    • SATware: middleware for deploying pervasive space applications
  • Dataset for simulation
    • Generate events based on real activities in an office building
    • 4 groups of people: STUDENT, FACULTY, STAFF, VISITOR (300 in all)
    • 3 regions: KITCHEN, SERVER_ROOM, FACILITIES_ROOM
    • 15 rules belonging to 2 classes of activities: (i) protection of resources, (ii) suspicious activity

18
Sample rules
19
Evaluation using realistic dataset
  • Evaluation
    • Simulated a sequence of 1000 events; measured the communication cost between Server and SSNs
    • Compare the following 2 partitioning algorithms
      • k-individual partitioning: all automata of an individual in a single group
      • k-connected-group partitioning: remove the above constraint

20
Comparison using synthetic data
  • The cost differential (generally) increases as the number of components per individual increases
  • No clear trend as k increases

21
Conclusion
  • An automaton-based model for events in pervasive spaces is proposed
  • The notion of anonymity in a pervasive space is formalized
  • Necessary and sufficient conditions are derived
  • An event-clustering based solution approach is outlined
  • The efficiency criterion is modeled as a min-cost clustering problem; a heuristic solution is proposed
  • Challenges & Future Work
    • Designing a truly secure sensing infrastructure is challenging
    • Consider other interesting notions of privacy in pervasive spaces

22
Thank You !!
23
Secure sensor nodes
  • IBM 4758 PCI Cryptographic Coprocessor
  • Broadcom BCM5890 security applications processor