410 likes | 605 Views
563.5 Monitoring and Surveillance. Carl A. Gunter University of Illinois Fall 2007. Privacy. Made more important by advances in Networks Databases Sensor systems Has three aspects Technological Social Commercial. Case Studies.
E N D
563.5 Monitoring and Surveillance Carl A. Gunter University of Illinois Fall 2007
Privacy • Made more important by advances in • Networks • Databases • Sensor systems • Has three aspects • Technological • Social • Commercial
Case Studies • Location services in smart buildings: using building management capabilities to provide location services • Assisted living: monitoring health information from medical devices in homes
Case Study: LIS based on BAS • Smart buildings collect data on users through the Building Automation System (BAS) • BAS data protected because of privacy concerns • BAS data could be used to aid building users • It could be used to implement a Location Information System (LIS) Boyer Tan Gunter 06
Raw Data Sources • Door Lock System • Occupancy Sensors • Network Jack Activity • Application Software, such as AIM • Video Surveillance • Wireless Network • GPS • RFID Tags • Telephone
The Seibel Center • Andover Continuum BAS • Uses electronic door locks and occupancy sensors • Case study for a Location Information System
How to Build an LIS • Define an Ownership Model • Determine the environment events of interest and how to deduce them • Develop a model for privacy-information sharing for events
Ownership Model • U, set of users • L, setof locations • S, set of system events • T, a set of values with a linear ordering, signifying time • time : STwhich determines the time of an event • user : SU U {} which determines the users associated with an event • loc : S L which determines the location in which an event occurred • o : L 2U which determines the owner of a location • : S2U which determines the owner of an event
Environmental Events • An aggregate event • Deduced from a set of system events • E is the set of environment events in an LIS • induce : 2S2E determines the set of environment events that can be deduced from a set of system events • Applies a set of deduction rules of the following form:
Privacy Policy • System events protected to protect user’s privacy • We define 2 indexed families of functions: • filter : UxU(2S2S) • mask : UxU(2E2E) • Users are able to define 2 functions that establish their privacy policy • filteruv : 2S2S • maskuv : 2E2E
Formal Definition of LIS • A Location Information System, L, between an ownership model and set, E, of environment events consists of three functions: • filter : UxU(2S2S) • mask : UxU(2E2E) • induce : 2S2E
Reveal • We also define a family of functions reveal : UxU(2S2E) which performs a look of environment events in an LIS • revealuvis the function that v calls when he wishes to learn something about u
Janus’s Map: Ownership • Locations in Siebel Center • G={floor, wing, room}, the set of location granularities • Lfloor L, Lwing L, Lroom L • Locations are defined as a tuple: Lfloor x (Lwing U {})x (Lroom U {}) • Events • Defined as a tuple (UU {}) x L x T x • is a set of event types • type : S returns the type of an event
Janus’s Map: Ownership (con’t) • ois static policy that maps room ownership • assigns ownership of an event s first to the user(s) and then to o(loc(s))
Janus’s Map: Environment Events • The main goal of Janus’s Map is to determine location information about users in the building • E is defined as a set of tuples U x L x T x P • P = {In,Near} defines a users proximity to a location
Janus’s Map: Privacy Policy • Users define rules from which the functions filteruv and maskuv are derived • System events are filtered based on time, date, event type, and location • Environment events are masked to hide detailed location information
An Example: System Events What happens when Bob searches for Alice?
An Example: Filtering Events • Alice’s Filtering Policy for Bob: Events must: • Occur Any day between 08:00 and17:00 • Be of type ValidAccess, DoorAjar, or OccupancySensorTrue • After the filtering policy is applied:
An Example: Event deduction • Rule: if a ValidAccess event occurs followed by a DoorAjar followed by a OccupancySensorTrue event all in the same location we can deduce that the users who performed the ValidAccess was in the room at the time of the OccupancySensorTrue event as well as that there were near the room at the time of the ValidAccess event. • We can deduce: • (Alice, SC4309, 1/1/2006 10:01, Near) • (Alice, SC4309, 1/1/2006 10:03, In)
An Example: Masking • Alice’s Masking policy for Bob: • Bob can only know what floor Alice is on, not the room • Bob is finally returned: • (Alice, SC4, 1/1/2006 10:01, Near) • (Alice, SC4, 1/1/2006 10:03, In)
Architecture for Janus’s Map Rule Database Door Rights List Rules Owners Door Access Database Access Control Module Alice’s door accesses Alice? Location Service Data Aggregator Alice’s Location For Bob Aggregated Data Data Cleaner Internet Occupancy Sensor System Room Occ.
Rules in Janus’s Map • 3 Parts • Targets • Data Access • Visibility • Example: • Target: Bob, Carol • Number of past entries: 5 • Event types: Valid Access only • Event time: Between 8am and 5pm • Event date: From Jan. 1, 2006 to Jan 1, 2007 • Event days: Monday - Friday • Rooms: All • Visible fields: Event Type, Event Time, Room • Granularity: Wing
Digital Rights Management Problem • Bob can keep track of long term data on Alice by aggregating the data himself • Similar to the problem of copying digital media • Alice has no control over what Bob does once he has her data. • An LIS should be designed to make it difficult for Bob to use Alice’s data in inappropriate ways
Summary on Janus’s Map • It is possible to provide a foundation for sharing BAS data based on an ownership model, inference rules for environment events, and a system for discretionary control • This can be practically applied to develop an LIS in a smart building
Growing industry in monitoring patients at home Options for chronic illnesses Reduces visits to hospitals and ERs Allows for remote monitoring of status Lets patients be more involved in their own care Case Study: Assisted Living
State of the art • Telemedicine systems • Home health monitoring systems • Honeywell HomMed • Medical Monitors Limited, Australia • Bristol-Myers Squibb CML Medical Monitor • All are proprietary single-vendor solutions • Some communicate by telephone to a monitoring service • Some sell servers to clinicians so they can receive information from patients • Some are moving to using the Internet for communications
Technical Goals • Let patients and clinicians communicate information via remote communication devices and protocols that… • Allow for extensible and multi-vendor solutions • Do not interfere with current medical information practice (i.e. referrals, sharing records, etc.) • Let patients access their records • Let authorized family members and caregivers access relevant records • Are provably secure against attack • Aid in enforcing regulatory compliance • Restricts a service provider to know only what it needs
Toward Open Protocols • Specification of protocols for the various parties in the system • Step towards open APIs for multi-vendor device integration • Explicitly identifying steps for bootstrapping and transmission while supporting the technical goals • Pushing boundaries of formal protocol specification and security verification • Precise definition of messages, content • Verification of multi-party protocols with different agents and a concrete application • Verification of semi-trusted entity (ALSP) using a variation of a correspondence theorem May Shin Gunter 06
Issues • Security • Privacy information must be protected during transmissions • Devices should be authenticated to use home-network resources • Reliability • Health information should be delivered correctly • Usability • Easy-of-use is important for elderly people • Interoperability • Heterogeneous and distributed devices should be integrated
Architecture • Drop-Box architecture • Medical Devices • Monitoring Service • Clinician Service • Home-Network Protection • USB token-based approach • Web service-based approach • Web service standards: SOAP, WS-Security, WS-Reliability • Security • (End-to-End Confidentiality • and Integrity) • Reliability • Security • (Availability) • Usability • Interoperability
Drop-Box Architecture Monitoring Service Clinician Medical Device Store & Forward Enc[Health status] Enc[Reminder ]
Functionalities Home Network Protection & Usability Reliability End-to-End Secure Communication Interoperability
Security tokens • Digital Signatures for authentication • Symmetric and asymmetric encryption • Individuals do not have public keys. Clinicians and ALSP do
Message types • Report – standard message of medical reading • Alarm – non-standard medical reading • May require soon or immediate medical treatment
Message Encryption • Messages are encrypted twice Header Information (Including sender, recipient, data ID etc.) Header Information (Including sender, recipient, data ID etc.) Header Information (Including sender, recipient, data ID etc.) Medical data (readings, checksum, etc) Medical data (readings, checksum, etc) Medical data (readings, checksum, etc) Only authorized people can see Stored in ALSP Transmitted over network
Attack Model • Dolev-Yao style attack model • Often referred to as a “symbolic attacker” • Attacker controls the channel • Can insert garbage on the channel • Can indefinitely delay, repeat, and take apart messages • Log all previous messages to make new ones • Worst it can do is delete it • Cryptography is perfect • Attacker can not guess keys or correct signatures • Can not take apart or cryptographically analyze encrypted blobs • Proof is a correspondence theorem: If event B is observed then even A occurred before it • Attacker can not issue events
Theorems • Messages received imply they were sent • If a clinician receives a reading, the patient sent it (trusting ALSP) • Attacker can not discover the reading, even if the ALSP reveals all of its secrets • Corollary: The ALSP can not discover the reading
Formal Verification • TulaFale [MS Research Samoa] • An applied Pi calculus derived language • Agents are processes that communicate over named channels • Messages are composed with symbolic cryptographic primitives • Proofs [Blanchet’s ProVerif] • Correspondence between a message being received and having been sent by an authorized agent • Show that the ALSP can not derive the medical readings
Summary on Assisted Living • Careful design of architecture and protocols • Formal specification of protocols • Formal verification of protocols • Success using off-the-shelf tools for a quick turn around on architecture design, protocol specification, and security verification
Conclusions • There will be increasing opportunities for monitoring and surveillance • There will be increasing use of monitoring and surveillance • Techniques to control these techniques so that the best serve stakeholders will be a pivotal concern