Privacy-preserving Event Detection in Pervasive Spaces

1
Privacy-preserving Event Detection in Pervasive
Spaces

• Bijit Hore, Jehan Wickramasuriya, Sharad
  Mehrotra,
• Nalini Venkatasubramanian, Daniel Massaguer

2
What is our pervasive space?

• No ordinary coffee room, one that is monitored !
• There are rules that apply
• If rule is violated, penalties may be imposed
• But all is not unfair individuals have right to
  privacy !
• Till an individual has not had more than his
  quota of coffee, his identity will not be
  revealed
• (Motivated by surveillance apps)

A Coffee room !
3
Issues to be addressed

• Modeling pervasive spaces
• How to implement its functionality?
• Adversary
• What kind of adversary?
• How powerful is he?
• Privacy
• Goal ? Ensure anonymity of individuals
• Necessary and sufficient conditions?
• Solution approach
• Meets the necessary and sufficiency conditions
• Practical/scalable?

4
Basic events, Composite events Rules

• Pervasive space generates stream of basic events
• Composite event is one or more sequence of basic
  events that comprise a pattern of interest
  (example on next page)
• Rule (Composite event, Action)
• Rules apply to groups of individuals, e.g.
• Coffee room rules apply to everyone
• Server room rule applies to everyone except
  administrators etc.

Pervasive Space with sensors

ekltBill, coffee-room, coffee-maker, exitgt

e2ltTom, coffee-room, coffee-cup, dispensegt
Stream of Basic Events
e1ltTom, coffee-room, , entergt
5
Composite events

• Composite event templates
• Detect the event when A student drinks more
  than 3 cups of coffee
• e1 ltu ? STUDENT, coffee_room,
• coffee_cup, dispensegt
• Detect the event when A student tries to
  accesses the IBM server in the server room
• e1 ltu ? STUDENT,server_room,, entrygt
• e2 ltu, server_room, , exitgt
• e3 ltu, server_room, IBM-server, login-attemptgt

6
Automata State Information

• Rule ? Automaton template
• (Rule, Individual) ? Instance of a template
  automaton object

ARX
ARY
ARZ
Rule R applies to X, Y, Z
3 automata that implement R for X, Y and Z
respectively
The number of automata in the state table is
proportional to the number of individuals who
interact with the space
7
System architecture adversary
Server
Secure Sensor node (SSN)
Rules DB

State Information (Encrypted)
Secure Sensor node (SSN)
Thin trusted middleware to obfuscate origin of
events

• Basic Assumptions about SSNs
• Secure data capture (Sensors are tamper-proof)
• Secure generation of basic events by SSN
• Trusted have computation power limited
  storage, can carry out encryption/decryption with
  secret key common to all SSNs

8
System architecture adversary (cont.)

• Adversary Server-side snooper who wants to
  deduce the identity of the individual associated
  with a basic-event.

Minimum requirement for security State
information is to be always encrypted on server
Recall Goal is to ensure a level k of anonymity
for each individual
9
Basic protocol
Return automata that (possibly) match e
(encrypted match)
Store updated automata
SERVER
SECURE SENSOR NODE
Query for set of (encrypted) automata that match
event e
Decrypt automata, advance the state of automata
if necessary
associate encrypted label with new state.
Write-back encrypted automata
Generate basic event e
Question Does encryption ensure complete
anonymity? NO! SSNs pattern of automata access
may cause identity disclosure
10
Example
U enters kitchen
U takes coffee
R1
U enters kitchen
U opens fridge
Applies to Tom Tom enters Kitchen ? 3 firings
R2
U enters kitchen
U opens microwave
R3
U enters kitchen
U takes coffee
R1
Applies to Bill Bill enters Kitchen ? 2 firings
U enters kitchen
U opens fridge
R2
On an event, the rows retrieved from state
table can disclose the identity of the individual
11
Characteristic access patterns of automata
The set of rules applicable to an individual
maybe unique ? potentially identify the individual
Rules applicable to TOM
Tom enters kitchen
Tom takes coffee
x
Characteristic patterns of x P1 x,y,z x
y Characteristic patterns of y P2 x,y,z
x,y y P3 x,y,z y,z y Characteristic
patterns of z P4 x,y,z y z
Tom leaves coffee pot empty
Tom takes coffee
Tom enters kitchen
y
Tom opens fridge
Tom leaves fridge open
Tom enters kitchen
Tom opens fridge
z

• The characteristic access patterns of rows can
  potentially reveal the identity of the automaton
  in spite of encryption

12
Partitioning events (unrestricted)
C1

• Goal Make the set of characteristic patterns
• associated with each automaton non-identifying
• (k-anonymous)
• Candidate solution
• Partition events into k-diverse groups
• Index automata (rows of the table) by events
  group-id instead of the event-label

Tom enters kitchen
Bill enters kitchen
Kate leaves microwave open
C2
Tom opens fridge
Kate enters kitchen
Bill takes coffee
Theorem Checking if an event-partitioning scheme
for a given set of automata is k-anonymous is
NP-Complete (The problem of checking the
existence of a fixed-point-free automorphism in
graphs can be reduced to this problem)
Tom leaves microwave open
Kate leaves fridge open
3-diverse event clusters
Bill leaves microwave open
C3
Does not guarantee 3-anonymity
13
Event clustering (restricted)

• Assign all events in an automaton into a single
  group
• If two automata have a common event, assign them
  to the same group ? Connected-groups of automata
• Combine connected-groups into k-diverse
  partitions
• Guarantees k-anonymity

C1
C2
All automata in a cluster are associated with the
same access pattern ? k-anonymity
14
Final partition-based protocol
Return all automata belonging to Partition(e)
Store updated automata
SERVER
SECURE SENSOR NODE
Determine Partition(e) (encrypted query)
Decrypt automata, Advance the state of automata
if necessary
Write-back all automata in Partition(e)
Generate basic event e
15
Minimum-cost clustering

• Each connected-group of automata is represented
  by a ball
• Each ball has a weight (accessed with a
  frequency)
• Each ball has a price (transmission overhead)
• Each ball has a color (denoting individual)
• Optimization problem Partition the set of balls
  into as many bins as required where the objective
  is to
• ? ( ? b.price ) ( ? b.weight )
• s.t. each bin has balls of at least k distinct
  colors

Minimize
bini
b?bini
b?bini
(Problem is NP-Hard reduction from
sum-of-squares problem)
16
Solution to optimization problem

• We give some simple heuristic solution that works
  well in practice
• Start with a random feasible partition meeting
  k-anonymity constraint
• Iterate determine best set of non-conflicting
  ball transfers between bins (i.e. those which
  reduce cost by largest amount) execute these
  transfers
• Iterate determine best set of non-conflicting
  ball exchanges between bins execute these
  exchanges
• Stop when no further cost-reduction is possible

17
Experiments

• Prototype built on SATware-Responsphere framework
• Responsphere communications, storage, computing
  framework consisting of approx. 200 sensors
• SATware middleware for deploying pervasive
  space applications
• Dataset for simulation
• Generate events based on real activities in
  office building
• 4 groups of people STUDENT, FACULTY, STAFF,
  VISITOR (300 in all)
• 3 regions KITCHEN, SERVER_ROOM, FACILITIES_ROOM
• 15 rules belonging to 2 classes of activities
  (i) protection of resources (ii) suspicious
  activity

18
Sample rules
19
Evaluation using realistic dataset

• Evaluation
• Simulated sequence of 1000 events measured
  communication cost between Server and SSNs
• Compare the following 2 partitioning algorithms
• k-individual partitioning all automata of an
  individual in a single group
• k-connected-group partitioning remove the above
  constraint

20
Comparison using synthetic data

• Cost differential increases (generally) as
  individuals components increase
• No clear trend as k increases

21
Conclusion

• Automaton-based model for events in pervasive
  spaces is proposed
• Notion of anonymity in pervasive space is
  formalized
• Necessary and sufficient conditions are derived
• Event-clustering based solution approach is
  outlined
• Efficiency criteria is modeled as a min-cost
  clustering problem a heuristic solution is
  proposed
• Challenges Future Work
• Designing a truly secure sensing-infrastructure
  is challenging
• Consider other interesting notions of privacy in
  pervasive spaces

22
Thank You !!
23
Secure sensor nodes

• IBM 4758 PCI Cryptographic Coprocessor
• Broadcom BCM5890 security applications processor