1©NEC Laboratories America
Enabling Information Confidentiality in Publish/Subscribe Overlay Services
Hui Zhang, Haifeng Chen, Guofei Jiang, Xiaoqiao Meng, Kenji Yoshihira
NEC Labs America
Abhishek Sharma
University of Southern California

Outline
- Problem statement
  - Information confidentiality in pub/sub overlay services
- Information foiling
  - Mechanism description
  - Performance metrics
- Fake message generation schemes
- Evaluation
- Conclusions & future work

Publish/Subscribe overlay services
[Figure: Publishers X and Y, Subscribers A and B, and a broker network, with subscription and event flows]

Information confidentiality in pub/sub services
- Publish/subscribe decouples publishers and subscribers.
  - Events are characterized into classes, without knowledge of what (if any) subscribers there may be.
  - Subscribers express interest in one or more classes and only receive messages that are of interest, without knowledge of what (if any) publishers there are.
- New confidentiality problems in this content-based routing process:
  - Information confidentiality: Can the broker network perform content-based routing without the publishers trusting the broker network with the event content?
  - Subscription confidentiality: Can subscribers obtain dynamic data without revealing their subscription functions (content) to the publishers or broker network?
  - Publication confidentiality: Can publishers control which subscribers may receive particular events?

Problem definition
- Formulation of pub/sub confidentiality as a communication problem: upon an event e, the broker determines whether each subscription s in the active subscription set matches the event based on a function f(e; s), but without learning the information contained in e and s.
- Threat model: a broker is assumed to be computationally bounded and to exhibit semi-honest behavior.
Information foiling – the mechanism
1. Subscriber: for each active subscription, generates k_s foiling subscriptions and sends them in a random order to the broker, which stores them all as active subscriptions.
2. Publisher: for each event, generates k_p foiling events and sends them in a random order to the broker.
3. Broker: upon each arriving event e, determines the matching subset of the active subscription set and sends one notification for each matched subscription.
4. (optional) Subscriber: upon a notification associated with one authentic subscription, sends a confirmation request to the publisher.
5. (optional) Publisher: upon a confirmation request, sends a reply to the subscriber on the authenticity of the related event.
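
The five steps above as a small simulation. This is an added example, not code from the slides or from the authors; the numeric threshold predicate used for f(e; s), the Gaussian-perturbed foils, the `spread` parameter and all names are assumptions made for illustration.

```python
import random

def foil(value, k, spread, rng):
    """Hide `value` among k constructed fakes; return (shuffled list, index of the real one)."""
    msgs = [value] + [value + rng.gauss(0, spread) for _ in range(k)]
    order = list(range(k + 1))
    rng.shuffle(order)                       # random order, as in steps 1 and 2
    return [msgs[i] for i in order], order.index(0)

class Broker:
    """Semi-honest broker: matches everything it is given and cannot tell foils apart."""
    def __init__(self):
        self.subs = []                       # (subscriber, sub_id, threshold)

    def subscribe(self, who, sub_id, threshold):
        self.subs.append((who, sub_id, threshold))

    def publish(self, ev_id, price):
        # Assumed f(e; s): an event matches when its price reaches the threshold.
        return [(who, sid, ev_id) for who, sid, th in self.subs if price >= th]

def run(threshold, price, ks, kp, seed=7):
    rng = random.Random(seed)
    broker = Broker()
    subs, real_sub = foil(threshold, ks, 5.0, rng)        # step 1
    for sid, th in enumerate(subs):
        broker.subscribe("A", sid, th)
    events, real_ev = foil(price, kp, 5.0, rng)           # step 2
    notes = []
    for eid, p in enumerate(events):
        notes += broker.publish(eid, p)                   # step 3
    # Subscriber keeps only notifications for its authentic subscription.
    mine = [n for n in notes if n[1] == real_sub]
    # Steps 4-5: the publisher confirms which of those events was authentic.
    confirmed = [n for n in mine if n[2] == real_ev]
    return {"broker_subs": len(broker.subs), "events_seen": len(events),
            "notifications": len(notes), "for_real_sub": len(mine),
            "confirmed": len(confirmed)}

if __name__ == "__main__":
    print(run(threshold=100.0, price=105.0, ks=3, kp=4))
```

The gap between `notifications` and `confirmed` is the extra traffic the broker and subscriber carry for the foils.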

Information foiling – performance metrics
- Assume the attacker has a function F : {e, E_e} -> G that takes the composite message set {e, E_e} as input and outputs a message set G ⊆ {e, E_e} consisting of messages that the attacker perceives as useful.
- Metric 1: indistinguishability, defined as , where I(e, G) = 1 if e ∈ G; 0 otherwise.
- Metric 2: truth deviation, defined as , where D(e, g) is the difference between the values of messages e and g.
- Metric 3: communication overhead. It depends not only on the information foiling mechanism but also on the actual data distributions of the authentic events and subscriptions.

Fake message generation – a probabilistic model
- Consider an event message m with L attributes.
- Let the value V_i for attribute A_i in m be a random variable taking values in V according to a probability mass function p_{V_i}.
- Let V_m = (V_1, V_2, …, V_L) represent m, i.e., a vector of random variables associated with the message, taking values in V^L.
- Each of the K foiling messages generated by the information foiling scheme for m can be thought of as a random variable vector taking values in V^L.
- We discussed three scenarios where different fake message generation schemes are designed with the performance requirements defined on the 3 metrics. The scenarios are differentiated based on the foiler/attacker’s knowledge of the pmf for V_m:

Evaluation - methodology
- Pub/sub service: stock quoting
  - Stock price volatility is a random walk with variance a normal distribution [Black-Scholes model]
- Fake message generation: S_t^i = S_t + n_i, where S_t^i is the i-th fake message for the authentic stock price information S_t, and n_i is white Gaussian noise.
- Attacker’s strategy:
  - Uniform Sampling: the attacker picks each of the K+1 messages as the correct message with the same probability.
  - Extended Kalman Filter: Use an extended Kalman filter to generate estimates , and then picks the observed message j which is
- Data trace: finance.yahoo.com
Evaluation results - 1
The curve labeled “Sig. Events” shows the probability of correct guess by the attacker when the stock price changes by a large amount.

Evaluation results - 2
A value of “Factor-10” means the variance of the noise was 10 times the variance of stock price. Higher variance for the added noise achieves a higher truth deviation.
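
The fake-message scheme S_t^i = S_t + n_i and the uniform-sampling attacker from the methodology slide, run over several noise factors. This is an added example, not the authors' evaluation code: it uses a constructed random walk instead of the finance.yahoo.com trace, takes "variance of stock price" to mean the variance of one random-walk step, and takes D(e, g) = |e - g|; all names are assumptions.

```python
import random

def simulate(K, factor, steps=20000, step_sd=1.0, seed=1):
    """Uniform-sampling attacker against K noisy fakes per authentic price.

    Returns (fraction of correct guesses, mean |e - g| of the attacker's pick).
    """
    rng = random.Random(seed)
    # "Factor-f": noise variance is f times the (assumed per-step) price variance.
    noise_sd = (factor ** 0.5) * step_sd
    price, hits, deviation = 100.0, 0, 0.0
    for _ in range(steps):
        price += rng.gauss(0, step_sd)        # constructed random-walk price S_t
        # Index 0 is the authentic message; 1..K are S_t + n_i.
        msgs = [price] + [price + rng.gauss(0, noise_sd) for _ in range(K)]
        j = rng.randrange(K + 1)              # each of the K+1 messages equally likely
        hits += (j == 0)
        deviation += abs(msgs[j] - price)     # assumed D(e, g) = |e - g|
    return hits / steps, deviation / steps

def sweep(K=4, factors=(1, 10, 100)):
    """Map each noise factor to (correct-guess rate, truth deviation)."""
    return {f: simulate(K, f) for f in factors}

if __name__ == "__main__":
    for f, (p, d) in sweep().items():
        print(f"Factor-{f}: correct guess {p:.3f}, truth deviation {d:.2f}")
```

Against this attacker the correct-guess rate stays near 1/(K+1) whatever the noise level, while the deviation of the attacker's pick grows with the noise variance.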

Conclusion and Future Work
- We propose a security mechanism called “information foiling” to address new confidentiality problems arising in pub/sub overlay services.
  - Information foiling extends Rivest’s “Chaffing and Winnowing” idea.
  - Our scheme is complementary to the traditional cryptography-based security schemes and offers probabilistic guarantees on information confidentiality.
- Many interesting open problems remain for future work.
  - The need for a stronger guiding theory to better understand
  - An analytic study on the fundamental trade-off between the fake message number, indistinguishability, and truth deviation is important.
  - Investigating the interaction between a foiler and an attacker in game theory.
  - The designs of optimal FMG schemes for other interesting and important application scenarios are needed.
Thank you!
Questions?