Post on 21-Dec-2015
SafeQ: Secure and Efficient Query Processing in Sensor Networks
Fei Chen and Alex X. Liu
Department of Computer Science and Engineering
Michigan State University
Slide 2: Two-tiered Sensor Network
A two-tiered sensor network [Ratnasamy et al. 2003]
Benefits
─ Power saving for sensors
─ Memory saving for sensors
─ Query processing is efficient
Several products of storage nodes, such as StarGate and RISE, are commercially available
[Figure: sensors send their data to a storage node; the sink sends a query to the storage node and receives the result]
Slide 3: Storage nodes can be compromised
Storage nodes are attractive targets for attack
─ Sensitive data collected by sensors are stored in storage nodes
Compromise of a storage node raises two security problems
─ How to preserve the privacy of sensor-collected data and sink-issued queries?
─ How to preserve the integrity of query results?
[Figure: the two-tiered sensor network of slide 2 (sensors, storage node, sink, with data, query and result flows)]
Slide 4: Problem Statement: Privacy and Integrity Preserving Range Queries
Preserving privacy
─ A compromised storage node cannot gain information from sensor-collected data and sink-issued queries
─ A storage node can still perform query processing
Preserving integrity
─ The sink can detect whether a query result from a storage node
  ● includes forged data items
  ● excludes any data items that satisfy the query
[Figure: a sensor collects n data items d1, d2, …, dn at time slot t and sends them to the storage node; the sink issues the query (t, [a, b]) to the storage node]
Slide 5: Privacy Preserving Scheme
To protect the privacy of sensor collected data
─ Encrypt each data item individually
How does a storage node process a query over encrypted data?
─ Using the prefix membership verification technique
Example: the storage node holds the encrypted items (1)ki, (4)ki, (5)ki, (7)ki, (9)ki; the sink issues the query [3, 7]; does the item 5 (binary 101) fall in [3, 7]?
Sensor (key g), data item 5:
  Prefix family: PF(5) = {101, 10*, 1**, ***}
  Prefix numericalization: {1011, 1010, 1100, 1000}
  HMAC hash: {hg(1011), hg(1010), hg(1100), hg(1000)}
Sink (key g), query [3, 7]:
  Prefix format: {011, 1**}
  Prefix numericalization: {0111, 1100}
  HMAC hash: {hg(0111), hg(1100)}
Storage node: if the two sets have a common element, then 5 ∈ [3, 7]
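The prefix membership flow of this slide, written out as an added example (not code from the paper or its authors): the sensor side computes the hashed, numericalized prefix family of an item, the sink side computes the hashed, numericalized prefix format of the range, and the storage node only tests the two hash sets for a common element. The shared key g is a constructed stand-in, and HMAC-SHA256 is assumed as the keyed hash hg; the range-to-prefix routine is the general algorithm of which the slide shows the [3, 7] instance.

```python
import hashlib
import hmac

# Added example, not the paper's code. KEY_G stands in for the key g shared by
# sensors and the sink; the storage node never holds it.
KEY_G = b"constructed-shared-key-g"


def prefix_family(value, width):
    """All prefixes of a width-bit value, from the full value down to all '*'.
    prefix_family(5, 3) == ['101', '10*', '1**', '***']"""
    bits = format(value, f"0{width}b")
    return [bits[:width - k] + "*" * k for k in range(width + 1)]


def range_prefixes(lo, hi, width):
    """Prefix format of [lo, hi]: the minimal set of width-bit prefixes whose
    union is exactly the range. range_prefixes(3, 7, 3) == ['011', '1**']"""
    out = []
    while lo <= hi:
        # largest aligned block starting at lo that still fits inside [lo, hi]
        k = 0
        while k < width and lo % (1 << (k + 1)) == 0 and lo + (1 << (k + 1)) - 1 <= hi:
            k += 1
        if k == width:
            out.append("*" * width)
        else:
            out.append(format(lo >> k, f"0{width - k}b") + "*" * k)
        lo += 1 << k
    return out


def numericalize(prefix):
    """Prefix numericalization: drop the trailing '*'s, append a 1, pad with 0s to
    width+1 bits, so every prefix maps to a distinct fixed-length string.
    '10*' -> '1010', '***' -> '1000'"""
    width = len(prefix)
    return (prefix.rstrip("*") + "1").ljust(width + 1, "0")


def hg(numericalized):
    """Keyed hash hg under the shared key g (HMAC-SHA256 assumed)."""
    return hmac.new(KEY_G, numericalized.encode(), hashlib.sha256).hexdigest()


def sensor_encode(value, width):
    """Sensor: hashed numericalized prefix family of one data item."""
    return {hg(numericalize(p)) for p in prefix_family(value, width)}


def sink_encode(lo, hi, width):
    """Sink: hashed numericalized prefix format of the query range."""
    return {hg(numericalize(p)) for p in range_prefixes(lo, hi, width)}


def storage_matches(item_hashes, query_hashes):
    """Storage node: without g it can only test whether the two hash sets
    intersect; a common element means the item lies inside the range."""
    return not item_hashes.isdisjoint(query_hashes)


def range_query(items, lo, hi, width):
    """Whole flow for a batch of items: the items the storage node selects."""
    q = sink_encode(lo, hi, width)
    return [d for d in items if storage_matches(sensor_encode(d, width), q)]


if __name__ == "__main__":
    print(prefix_family(5, 3), range_prefixes(3, 7, 3))
    print(range_query([1, 4, 5, 7, 9], 3, 7, 4))
```

Correctness rests on the fact that v lies in [lo, hi] exactly when one prefix of the range's prefix format is a prefix of v, and that prefix is then a member of PF(v); numericalization makes every prefix a fixed-length string so that hashing does not conflate '10*' with '10'.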
Slide 6: Integrity Preserving Scheme
Neighborhood chaining
─ Encrypt each data item together with its neighbors
Example: data items 1, 4, 5, 7, 9 with the boundaries min and max
  Encrypted items: (1)ki, (4)ki, (5)ki, (7)ki, (9)ki
  Chain of triples: (min|1|4)ki, (1|4|5)ki, (4|5|7)ki, (5|7|9)ki, (7|9|max)ki
  Query [3, 7] → query result: (4)ki, (5)ki, (7)ki
Chain of pairs, as used on the following slides: (min|1)ki, (1|4)ki, (4|5)ki, (5|7)ki, (7|9)ki, (9|max)ki
  Query [3, 7] → the storage node returns the pairs (1|4)ki, (4|5)ki, (5|7)ki, (7|9)ki as query result and verification object
  The sink checks a. 1 < 3 and b. 7 < 9, i.e. the chain runs unbroken from an item below the range to an item above it
Slide 7: What if the query result is empty?
Chain: (min|1)ki, (1|4)ki, (4|5)ki, (5|7)ki, (7|9)ki, (9|max)ki
Query: [2, 3]
Verification object: (1|4)ki
The storage node only knows that no data item satisfies the query
─ It doesn't know which pair is the verification object
The storage node needs to know the position of the query among all data items.
Slide 8: Privacy Preserving Scheme V2
How does a storage node process a query over encrypted data?
Example: data {1, 4, 5, 7, 9}, query [2, 3]; sensor (key g), sink (key g), storage node
[Figure: number line min 1 4 5 7 9 max, with the query endpoints 2 and 3 falling between 1 and 4]
Storage node returns (1|4)ki as verification object
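Neighborhood chaining with encrypted pairs, covering slides 6 to 8 (the non-empty result for [3, 7] and the empty result for [2, 3]), as an added example that is not the authors' code. The sensor encrypts each (left|right) pair of the sorted items plus boundaries, the storage node returns the pairs spanning the query, and the sink verifies that the returned pairs form an unbroken chain starting below the range and ending above it, so dropped items break the chain and forged items fail authentication. Assumptions: min = 0 and max = 15, a constructed key standing in for ki, and a constructed encrypt-then-MAC cipher (HMAC-SHA256 keystream plus HMAC tag) used only so the storage node handles opaque blobs; the storage node here locates the pairs from the plaintext order for brevity, whereas SafeQ does it with the prefix membership test of the privacy scheme.

```python
import hashlib
import hmac
import os

# Added example, not the paper's code. Boundaries stand in for the slides' min/max.
MIN, MAX = 0, 15
KEY_I = b"constructed-key-k_i"   # stand-in for the key ki shared by sensor i and the sink


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, plaintext):
    """Constructed encrypt-then-MAC stand-in; a deployment would use an AEAD cipher."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("forged or modified chain entry")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_chain(items):
    """Sensor: sort the items, add the boundaries, encrypt every pair (left|right)."""
    seq = [MIN] + sorted(items) + [MAX]
    return [encrypt(KEY_I, f"{l}|{r}".encode()) for l, r in zip(seq, seq[1:])]


def storage_select(chain, items, lo, hi):
    """Storage node: the pairs whose right element is >= lo and left element is <= hi.
    For [3, 7] on {1,4,5,7,9} that is (1|4),(4|5),(5|7),(7|9); for [2, 3] it is (1|4).
    Plaintext order is used here only as a stand-in for SafeQ's prefix membership test."""
    seq = [MIN] + sorted(items) + [MAX]
    return [chain[j] for j in range(len(chain)) if seq[j + 1] >= lo and seq[j] <= hi]


def sink_verify(lo, hi, blobs):
    """Sink: decrypt, then require an unbroken chain that starts below lo and ends
    above hi with every inner element inside [lo, hi]. Returns the verified result,
    or None when entries are missing, out of place, or fail authentication."""
    try:
        pairs = [tuple(map(int, decrypt(KEY_I, b).decode().split("|"))) for b in blobs]
    except ValueError:
        return None
    if not pairs or not (pairs[0][0] < lo and pairs[-1][1] > hi):
        return None
    for (_, r1), (l2, _) in zip(pairs, pairs[1:]):
        if r1 != l2:          # a dropped pair leaves a gap in the chain
            return None
    result = [r for _, r in pairs[:-1]]
    if any(not lo <= x <= hi for x in result):
        return None
    return result


if __name__ == "__main__":
    items = [1, 4, 5, 7, 9]
    chain = build_chain(items)
    print(sink_verify(3, 7, storage_select(chain, items, 3, 7)))   # [4, 5, 7]
    print(sink_verify(2, 3, storage_select(chain, items, 2, 3)))   # []
```

The empty-result case of slides 7 and 8 needs no special handling at the sink: a single pair (1|4) already satisfies 1 < 2 and 4 > 3 with no inner element, which is exactly the proof that nothing lies in [2, 3].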
Slide 9: Multi-dimensional Data
To preserve privacy, we apply our 1-dimensional privacy preserving techniques to each dimension of multi-dimensional data.
To preserve integrity, we build a multi-dimensional neighborhood chain.
[Figure: the points (1,11), (3,5), (6,8), (7,1), (9,4) in the X-Y plane, with (0,0) as the minimum and (15,15) as the maximum corner]
The multi-dimensional neighborhood chain of the above example is
(0|1, 9|11)ki, (1|3, 4|5)ki, (3|6, 5|8)ki, (6|7, 0|1)ki, (7|9, 1|4)ki, (9|15, 11|15)ki
Slide 10: Range Queries in Event-driven Networks
We have assumed that at each time slot, a sensor sends data to a storage node. However, in event-driven networks, a sensor only reports data to a storage node when a certain event happens. Our idea:
Sensors report their idle period to the storage node when one of the following two conditions holds:
─ Sensors submit data after an idle period
─ The idle period is longer than a threshold, say γ
[Figure: a time axis of slots; a grey unit denotes that the sensor has data to submit at that time slot, a blank unit denotes that the sensor has no data to submit at that time slot. The first case shows the report "Idle period: [t1, t2]ki" for an idle period ended by submitted data, the second the report "Idle period: [t1, t1+γ]ki" for an idle period that exceeds γ]
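The two reporting rules of this slide run over a constructed time line, as an added example that is not the authors' code. The time line is a list of booleans, one per slot (True for the slide's grey units); a run is reported as [t1, t1+γ] once it spans γ+1 slots, which is our reading of "longer than a threshold γ". How the sink uses the reports is also our assumption: it accepts the answer to a query over [a, b] only if every slot in the interval is explained by either a returned data item or a returned idle period, so a dropped item or a dropped idle report is detected as an unexplained slot.

```python
# Added example, not the paper's code. Slot indices stand in for the data items
# submitted in those slots; a constructed time line is used as input.
TIMELINE = [True, False, False, True, False, False, False, False, False, False, True]


def idle_reports(has_data, gamma):
    """Idle periods (t1, t2) a sensor reports. Rule 1: an idle run is reported when
    data are submitted after it. Rule 2: a run is cut and reported as [t1, t1+gamma]
    once it is longer than gamma. A trailing run that meets neither rule is pending."""
    reports = []
    start = None                      # first slot of the current idle run
    for t, busy in enumerate(has_data):
        if busy:
            if start is not None:
                reports.append((start, t - 1))   # rule 1
                start = None
        elif start is None:
            start = t
        elif t - start == gamma:
            reports.append((start, t))           # rule 2: gamma+1 idle slots
            start = None
    return reports


def storage_answer(has_data, reports, a, b):
    """Storage node: the data slots inside [a, b] and the idle reports overlapping it."""
    data = [t for t in range(a, b + 1) if has_data[t]]
    idle = [(t1, t2) for t1, t2 in reports if t1 <= b and t2 >= a]
    return data, idle


def query_covered(a, b, data_slots, idle):
    """Sink-side check (our assumption): every slot in [a, b] must carry a returned
    data item or lie inside a returned idle period."""
    covered = set(data_slots)
    for t1, t2 in idle:
        covered.update(range(t1, t2 + 1))
    return all(t in covered for t in range(a, b + 1))


if __name__ == "__main__":
    reps = idle_reports(TIMELINE, 3)
    print(reps)                                   # [(1, 2), (4, 7), (8, 9)]
    data, idle = storage_answer(TIMELINE, reps, 2, 8)
    print(query_covered(2, 8, data, idle))        # True
```

The threshold γ bounds how long the sink has to wait before an idle stretch becomes verifiable; without rule 2 a sensor that stays quiet would leave every query over that stretch unverifiable until its next submission.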
Slide 11: Optimization with Bloom Filters
[Figure: a Bloom filter as a bit array with index 0, 1, 2, 3, 4, 5, … and hash functions h1, h2, h3. Inserting the set A = {hg(00011), hg(00110), …} sets the bits h1(x), h2(x), h3(x) of each element to 1; the query element B = hg(01001) is tested by checking whether all of its bits h1(B), h2(B), h3(B) are 1. The elements a sensor inserts are hg(p([min,1])), hg(p([1,4])), hg(p([4,5])), hg(p([5,7])), hg(p([7,9])), hg(p([9,max]))]
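A Bloom filter over hashed prefixes as this slide sketches it, as an added example that is not the authors' code: the sensor inserts the keyed hashes of its numericalized prefixes and transmits the packed bit array instead of the list of hashes, and the storage node tests the hashes of the query prefixes against it. The prefix strings, the shared key g, the filter size M, the number of hash functions K and the derivation of the K bit positions (double hashing over SHA-256) are all constructed or assumed here; the slide fixes none of them.

```python
import hashlib
import hmac

# Added example, not the paper's code. Constructed inputs: numericalized prefixes
# as 5-bit strings in the style of the slide's hg(00011), hg(00110), hg(01001).
KEY_G = b"constructed-shared-key-g"
M, K = 256, 3                                   # filter bits and hash functions (our choice)
SENSOR_PREFIXES = ["00011", "00110", "01100", "01000"]
NON_MEMBERS = [format(i, "05b") for i in range(32) if format(i, "05b") not in SENSOR_PREFIXES]


def hg(prefix):
    """Keyed hash hg under the shared key g (HMAC-SHA256 assumed)."""
    return hmac.new(KEY_G, prefix.encode(), hashlib.sha256).digest()


class BloomFilter:
    def __init__(self, m=M, k=K):
        self.m, self.k = m, k
        self.bits = bytearray(m)                # one byte per bit for clarity

    def _positions(self, element):
        """K positions by Kirsch-Mitzenmacher double hashing of two SHA-256 halves."""
        d = hashlib.sha256(element).digest()
        h1 = int.from_bytes(d[:16], "big")
        h2 = int.from_bytes(d[16:], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, element):
        for pos in self._positions(element):
            self.bits[pos] = 1

    def __contains__(self, element):
        return all(self.bits[pos] for pos in self._positions(element))

    def packed(self):
        """What the sensor transmits: ceil(m/8) bytes."""
        out = bytearray((self.m + 7) // 8)
        for i, bit in enumerate(self.bits):
            if bit:
                out[i // 8] |= 1 << (i % 8)
        return bytes(out)


def sensor_filter(prefixes):
    """Sensor: insert hg of every numericalized prefix (set A of the slide)."""
    bf = BloomFilter()
    for p in prefixes:
        bf.add(hg(p))
    return bf


def storage_check(bf, query_prefixes):
    """Storage node: does any query prefix hash (element B) test positive?"""
    return any(hg(p) in bf for p in query_prefixes)


def false_positive_count(bf, probes):
    """Caveat of the optimization: a filter may answer yes for a prefix never inserted,
    so the storage node can return an item outside the range. The sink, which
    decrypts, can discard it, so the price is extra traffic rather than a wrong answer."""
    return sum(1 for p in probes if hg(p) in bf)


def bytes_saved(n_prefixes):
    """Bandwidth: n 32-byte HMAC digests versus one packed filter."""
    return n_prefixes * 32 - (M + 7) // 8


if __name__ == "__main__":
    bf = sensor_filter(SENSOR_PREFIXES)
    print(storage_check(bf, ["01001", "00110"]), false_positive_count(bf, NON_MEMBERS))
    print(len(bf.packed()), "bytes sent;", bytes_saved(len(SENSOR_PREFIXES)), "bytes saved")
```

A filter never yields a false negative, so no item that satisfies the query is missed; the false-positive rate is governed by M, K and the number of inserted prefixes, which is the trade-off a deployment tunes against the communication cost the optimization is meant to cut.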
Slide 12: Experimental Results (1/2)
We conducted experiments on both S&L (prior art) and our schemes
─ We use SafeQ-Basic and SafeQ-Bloom to denote our schemes without and with Bloom filters
In terms of power consumption, for 3-dimensional data
─ SafeQ-Bloom consumes 184.9 times less power for sensors and 76.8 times less power for storage nodes
─ SafeQ-Basic consumes 59.2 times less power for sensors and 76.8 times less power for storage nodes
[Figures: power consumption for sensors and power consumption for storage nodes, 3-dimensional data]
Slide 13: Experimental Results (2/2)
In terms of space consumption, for 3-dimensional data
─ SafeQ-Bloom consumes 182.4 times less space for storage nodes
─ SafeQ-Basic consumes 58.5 times less space for storage nodes
[Figure: space consumption for storage nodes, 3-dimensional data]
Slide 14: Prior work (1/2)
Sheng & Li scheme [Infocom 2008]
Two major drawbacks
─ Data items and queries can be estimated fairly accurately [Hore et al. VLDB 2004]
─ Power and space consumption grows exponentially with the number of dimensions
[Figure: bucketing example. Sensor Si (key ki) holds data {1, 4, 5, 7, 9}; the domain is split at 0, 4, 5, 9, 10 into buckets with IDs 1, 2, 3, 4. The sensor sends {1,4}ki, {5}ki and {7, 9}ki for the non-empty buckets and h(i||4||t||ki) to prove that bucket 4 is empty. The sink (key ki) issues the query [9,10], which maps to buckets 3 and 4; the storage node returns {7, 9}ki and h(i||4||t||ki), although 7 is out of the range]
Slide 15: Prior work (2/2)
Shi et al.'s scheme [Infocom 2009] and Zhang et al.'s scheme [MobiHoc 2009]
Two major drawbacks
─ A compromised sensor could easily compromise the integrity verification functionality of the network by sending falsified bucket vectors to other sensors and storage nodes.
─ Data items and queries can be estimated fairly accurately [Hore et al. VLDB 2004]
[Figure: sensor Si (key ki) with data {1, 4, 5, 7, 9} over the bucket boundaries 0, 4, 5, 9, 10 computes the bucket vector Vi = 1 1 1 0 and sends Vi (1110) to the storage node and to sensor Sj; sensor Sj (key kj) with data {4, 8} over the same boundaries sends {4, 1110}kj and {8, 1110}kj to the storage node]
Slide 16: Contributions
─ Propose a novel privacy and integrity preserving range query protocol for two-tiered sensor networks
─ Propose an optimization technique using Bloom filters to significantly reduce the communication cost between sensors and storage nodes
─ Propose a solution for event-driven sensor networks