SafeQ: Secure and Efficient Query Processing in Sensor Networks Fei Chen and Alex X. Liu Department of Computer Science and Engineering Michigan State University

Post on 21-Dec-2015



Two-tiered Sensor Network

A two-tiered sensor network [Ratnasamy et al. 2003]

Benefits
─ Power saving for sensors
─ Memory saving for sensors
─ Query processing is efficient

Several storage node products, such as StarGate and RISE, are commercially available

[Figure: two-tiered network diagram with labels Sensor, Data, Storage Node, Query, Result, Sink]

Storage nodes can be compromised

Storage nodes are attractive targets for attack
─ Sensitive data collected by sensors are stored in storage nodes

A compromised storage node raises two security problems
─ How to preserve the privacy of sensor-collected data and sink-issued queries?
─ How to preserve the integrity of query results?

[Figure: two-tiered network diagram with labels Sensor, Data, Storage Node, Query, Result, Sink]

Problem Statement: Privacy and Integrity Preserving Range Queries

Preserving privacy
─ A compromised storage node cannot gain information from sensor-collected data and sink-issued queries
─ A storage node can perform query processing

Preserving integrity
─ The sink can detect whether a query result from a storage node
  ● includes forged data items
  ● excludes any data items that satisfy the query

[Figure: Sensor, Storage Node and Sink. The sensor collects n data items d1, d2, …, dn at time slot t; the sink's query is t, [a,b].]

Privacy Preserving Scheme

To protect the privacy of sensor-collected data
─ Encrypt each data item individually: (1)ki, (4)ki, (5)ki, (7)ki, (9)ki

How does a storage node process a query over encrypted data?
─ Using the prefix membership verification technique

Sensor (key g), data item 5 (binary expression 101)
─ Prefix family: PF(5) = {101, 10*, 1**, ***}
─ Prefix numericalization: {1011, 1010, 1100, 1000}
─ HMAC hash: {hg(1011), hg(1010), hg(1100), hg(1000)}

Sink (key g), query [3, 7]
─ Prefix format: {011, 1**}
─ Prefix numericalization: {0111, 1100}
─ HMAC hash: {hg(0111), hg(1100)}

Storage node: if the two sets have a common element, 5 ∈ [3, 7]
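The prefix membership verification steps on this slide (prefix family, prefix format, prefix numericalization, HMAC hash), as an added Python example that is not from the original slides. The function names, the 3-bit width, the sample key and the choice of SHA-256 inside the HMAC are assumptions made for illustration.

```python
import hashlib
import hmac

W = 3  # bit width of the slide's example (values 0..7)

def prefix_family(x, w=W):
    """PF(x): the w+1 prefixes that contain x, e.g. PF(5) = {101, 10*, 1**, ***}."""
    bits = format(x, f"0{w}b")
    return {bits[:k] + "*" * (w - k) for k in range(w + 1)}

def range_to_prefixes(a, b, w=W):
    """Prefix format of [a, b]: minimal prefixes whose union is exactly the range."""
    out = set()
    while a <= b:
        size = (a & -a) if a else (1 << w)   # largest block aligned at a
        while a + size - 1 > b:              # shrink until it fits in [a, b]
            size >>= 1
        k = size.bit_length() - 1            # number of wildcard bits
        head = format(a >> k, f"0{w - k}b") if k < w else ""
        out.add(head + "*" * k)
        a += size
    return out

def numericalize(prefix):
    """t1..tk*..* -> t1..tk 1 0..0 (w+1 bits), so each prefix maps to one number."""
    head = prefix.rstrip("*")
    return head + "1" + "0" * (len(prefix) - len(head))

def hg(g, s):
    # HMAC under the key g shared by sensor and sink (SHA-256 is an assumption)
    return hmac.new(g, s.encode(), hashlib.sha256).hexdigest()

def sensor_tokens(g, x):
    return {hg(g, numericalize(p)) for p in prefix_family(x)}

def sink_tokens(g, a, b):
    return {hg(g, numericalize(p)) for p in range_to_prefixes(a, b)}

def storage_node_match(item_tokens, query_tokens):
    """Runs without g: a common element means the hidden item is in the range."""
    return not item_tokens.isdisjoint(query_tokens)

if __name__ == "__main__":
    g = b"constructed-demo-key"              # constructed sample key
    query = sink_tokens(g, 3, 7)
    print([x for x in range(8) if storage_node_match(sensor_tokens(g, x), query)])
```

The storage node only ever compares HMAC outputs, so it learns whether an item matches the query without seeing the item, the range or the key g.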

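Integrity Preserving Scheme

Neighborhood Chaining
─ Encrypt the data item with its neighbors

[Figure: data items 1, 4, 5, 7, 9 on a line between min and max, shown in three forms. Encrypted individually: (1)ki, (4)ki, (5)ki, (7)ki, (9)ki. Encrypted with both neighbors: (min|1|4)ki, (1|4|5)ki, (4|5|7)ki, (5|7|9)ki, (7|9|max)ki. Encrypted with one neighbor: (min|1)ki, (1|4)ki, (4|5)ki, (5|7)ki, (7|9)ki, (9|max)ki. For the query [3, 7] the Query Result and the Verification Object are marked, with the checks a. 1 < 3 and b. 7 < 9.]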

What if the query result is empty?

[Figure: the chain (min|1)ki, (1|4)ki, (4|5)ki, (5|7)ki, (7|9)ki, (9|max)ki with the query [2,3] and the Verification Object marked]

Storage node only knows that no data item satisfies the query
─ It doesn’t know which is the verification object

Storage node needs to know the position of the query among all data items.
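The sink-side check for the neighborhood chain on the two slides above, including the empty-result case, as an added Python example that is not from the original slides. It assumes an HMAC tag as a stand-in for the encryption under ki (so values stay visible here), a storage node simulated on plaintext, and illustrative function names and key.

```python
import hashlib
import hmac

MIN, MAX = float("-inf"), float("inf")   # the chain's min and max sentinels

def seal(ki, lo, hi):
    """One chain link (lo|hi)ki. An HMAC tag stands in for encryption under ki."""
    tag = hmac.new(ki, f"{lo}|{hi}".encode(), hashlib.sha256).digest()
    return (lo, hi, tag)

def build_chain(ki, items):
    """Sensor side: (min|d1), (d1|d2), ..., (dn|max) over the sorted items."""
    pts = [MIN] + sorted(items) + [MAX]
    return [seal(ki, lo, hi) for lo, hi in zip(pts, pts[1:])]

def storage_answer(chain, a, b):
    """Honest storage node, simulated on plaintext: query result plus the
    verification object, which is the first link reaching past b."""
    qr = [link for link in chain if a <= link[1] <= b]
    vo = next(link for link in chain if link[1] > b)
    return qr, vo

def sink_verify(ki, a, b, qr, vo):
    """Sink side: accept only an authentic, gap-free run of links covering [a, b]."""
    links = qr + [vo]
    for lo, hi, tag in links:
        if not hmac.compare_digest(tag, seal(ki, lo, hi)[2]):
            return False                      # forged or altered link
    for left, right in zip(links, links[1:]):
        if left[1] != right[0]:
            return False                      # a link was dropped in the middle
    # boundary checks, e.g. 1 < 3 and 7 < 9 for the query [3, 7]
    return links[0][0] < a and vo[0] <= b < vo[1]

if __name__ == "__main__":
    ki = b"constructed-sensor-key"            # constructed sample key
    chain = build_chain(ki, [1, 4, 5, 7, 9])
    for a, b in ((3, 7), (2, 3)):
        qr, vo = storage_answer(chain, a, b)
        print((a, b), [hi for _, hi, _ in qr], vo[:2], sink_verify(ki, a, b, qr, vo))
```

For the empty result on [2,3], the single link (1|4) is enough for the sink to confirm that no item lies in the range.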

Privacy Preserving Scheme V2

How does a storage node process a query over encrypted data?

[Figure: Sensor (key g) with data {1, 4, 5, 7, 9}, Storage node, and Sink (key g) with query [2, 3]. On the line min 1 4 5 7 9 max, the query bounds 2 and 3 are positioned among the data items.]

Storage node returns (1|4)ki as verification object

Multi-dimensional Data

To preserve privacy, we apply our 1-dimensional privacy preserving techniques to each dimension of multi-dimensional data.

To preserve integrity, we build a multi-dimensional neighborhood chain.

[Figure: points (1,11), (3,5), (6,8), (7,1), (9,4) plotted on X dimension and Y dimension axes, with corner points (0,0) and (15,15)]

The multi-dimensional neighborhood chain of the above example is
(0|1, 9|11)ki, (1|3, 4|5)ki, (3|6, 5|8)ki, (6|7, 0|1)ki, (7|9, 1|4)ki, (9|15, 11|15)ki

Range Queries in Event-driven Networks

We have assumed that at each time slot, a sensor sends data to a storage node.

However, in event-driven networks, a sensor only reports data to a storage node when a certain event happens.

Our idea: sensors report their idle period to the storage node when one of the following two conditions holds:
─ Sensors submit data after an idle period
─ The idle period is longer than a threshold, say γ

[Figure: time axis divided into time slots. A grey unit denotes that the sensor has data to submit at that time slot. A blank unit denotes that the sensor has no data to submit at that time slot. Marked idle periods: [t1, t2]ki between t1 and t2, and [t1, t1+γ]ki spanning the threshold γ.]

Optimization with Bloom Filters

[Figure: Bloom filter bit arrays A and B, with hash functions h1, h2, h3 mapping hashed prefixes such as hg(00011), hg(00110) and hg(01001) to bit positions that are set to 1. The hashed prefix sets hg(p([min,1])), hg(p([1,4])), hg(p([4,5])), hg(p([5,7])), hg(p([7,9])), hg(p([9,max])) carry the indices 0 to 5.]

Experimental Results (1/2)

We conducted experiments on both S&L (prior art) and our schemes
─ We use SafeQ-Basic and SafeQ-Bloom to denote our schemes without and with Bloom filters

In terms of power consumption, for 3-dimensional data
─ SafeQ-Bloom consumes 184.9 times less power for sensors and 76.8 times less power for storage nodes
─ SafeQ-Basic consumes 59.2 times less power for sensors and 76.8 times less power for storage nodes

[Figures: Power consumption for sensors (3-dimensional data); Power consumption for storage nodes (3-dimensional data)]

Experimental Results (2/2)

In terms of space consumption, for 3-dimensional data
─ SafeQ-Bloom consumes 182.4 times less space for storage nodes
─ SafeQ-Basic consumes 58.5 times less space for storage nodes

[Figure: Space consumption for storage nodes (3-dimensional data)]

Prior work (1/2)

Sheng&Li scheme [Infocom 2008]

Two major drawbacks
─ Data items and queries can be estimated fairly accurately [Hore et al. VLDB 2004]
─ Power and space consumption grows exponentially with the number of dimensions.

[Figure: Sensor Si (ki), Storage Node and Sink (ki). Data: {1, 4, 5, 7, 9} over bucket boundaries 0, 4, 5, 9, 10 with bucket IDs 1 2 3 4, submitted as {1,4}ki, {5}ki, {7, 9}ki and h(i||4||t||ki), where h(i||4||t||ki) proves the empty bucket. Query: [9,10] maps to bucket IDs 3, 4, giving {7, 9}ki and h(i||4||t||ki); 7 is out of the range.]

Prior work (2/2)

Shi et al.’s scheme [Infocom 2009] and Zhang et al.’s scheme [MobiHoc 2009]

Two major drawbacks
─ A compromised sensor could easily compromise the integrity verification functionality of the network by sending falsified bucket vectors to other sensors and storage nodes.
─ Data items and queries can be estimated fairly accurately [Hore et al. VLDB 2004]

[Figure: Sensor Si (ki) with data {1, 4, 5, 7, 9} over bucket boundaries 0, 4, 5, 9, 10 and bucket vector Vi: 1 1 1 0, shown as Vi (1110). Sensor Sj (kj) with data {4, 8} over the same boundaries, shown with {4, 1110}kj and {8, 1110}kj. Both connect to the Storage Node.]


Contributions

Propose a novel privacy and integrity preserving range query protocol for two-tiered sensor networks

Propose an optimization technique using Bloom filters to significantly reduce the communication cost between sensors and storage nodes

Propose a solution for event-driven sensor networks


Questions

Thank you!