Security for Pervasive Health Monitoring Sensor Applications Krishna Venkatasubramanian and Sandeep K. S. Gupta Ira A. Fulton School of Engineering Department of Computer Science and Engineering Arizona State University Tempe, Arizona sandeep.gupta@asu.edu
IMPACT Lab Research: Use-inspired research in pervasive computing & wireless sensor networking (medical devices, mobile pervasive embedded sensor networks)
• Thermal Management for Data Centers
  • Goal: increasing computing capacity for datacenters; energy efficiency
  • Features: online thermal evaluation; thermal-aware scheduling
• Pervasive Health Monitoring
  • Goal: pervasive health monitoring; evaluation of medical applications
  • Features: secure, dependable and reliable data collection, storage and communication
• Criticality-Aware Systems
  • Goal: evaluation of crisis response management
  • Features: theoretical model; performance evaluation; access control for crisis management
• Mobile Ad-hoc Networks
  • Goal: protocols for mobile ad-hoc networks
  • Features: energy efficiency; increased lifetime; data aggregation; localization; caching; multicasting
• ID Assurance
  • Goal: protect people's identity & consumer computing from viral threats
  • Features: PKI based; non-tamperable, non-programmable personal authenticator; hardware and VM based trust management
• Intelligent Container
  • Goal: container monitoring for homeland security; dynamic supply chain management
  • Features: integration of RFID and environmental sensors; energy management; communication security
BOOK: Fundamentals of Mobile and Pervasive Computing, Publisher: McGraw-Hill, Dec. 2004
Motivation & Challenges
• Motivation
  • By 2050 over 20% of the population will be above 65 (US Department of Health).
  • Possible consequences: acute shortage of medical professionals; decline in quality of medical care; increase in medical costs.
  • Automated & continuous monitoring of patients can reveal problems at an early stage, leading to better control.
• Challenges
  • Integration of diverse technologies (micro to macro computing entities) for health monitoring.
  • Health management systems should be safe, dependable, secure and scalable.
Pervasive Computing & Healthcare: Overview
[Figure: three-plane architecture. Medical Sensor Plane: camera, EEG, EKG, BP, SpO2, GPS, MP3, motion sensor, PDA/gateway, actuation (drug delivery). Management Plane: collect medical data, local processing, medical actuation, storage management, sensor management, generate context. Knowledge Generation Plane: generate knowledge. Physiological data flows from the patient to the doctor; knowledge and feedback for adaptation flow back.]
• Pervasive Computing: personalized computing power available everywhere, by embedding computing in the user's environment.
  • Features: merger of physical and virtual space; uses computing entities which are tiny/cheap, specialized, unsupervised and interconnected.
• Pervasive Healthcare: use pervasive computing for day-to-day healthcare management (monitoring + treatment), made possible by the development of biomedical sensors.
  • Features: extends the BSN with embedded medical sensors; no time & space restrictions for healthcare; better coverage and quality of care to all.
• Some applications: sports health management, assisted living, disaster relief management, medical facility management.
• GOAL: enable independent living, general wellness and disease management.
Context Awareness
[Figure: the Sensor Network feeds four base contexts (Physiological: EKG, perspiration, heart rate; Spatial: home, gym, office, hospital, park; Temporal: morning, evening, night; Environmental: humidity, temperature) into a Context Processor that produces the aggregate Medical Context.]
• Medical Context
  • Aggregate of 4 base contexts.
  • Each physiological event has to be characterized by all 4 base contexts for an accurate understanding of the patient's health.
  • A contextual template can be created for specific physiological events for future reference.
• Challenges
  • How to determine the aggregate medical context from the four base contexts?
  • How to create a contextual template for a patient?
Ayushman*: A Pervasive Healthcare System (* Sanskrit for long life)
[Figure: Body Based Intelligence (medical sensors such as EKG and BP controlled by Mica2 motes; environmental sensors such as temperature) connects through Home/Ward Based Intelligence (Stargate gateway, external gateway) and the Internet to Medical Facility Based Intelligence (central server, medical professional).]
• Project @ IMPACT Lab, Arizona State University
• Goal: to provide dependable, non-intrusive, secure, real-time automated health monitoring.
• Scalable and flexible enough to be used in diverse scenarios, from home-based monitoring to disaster relief, with minimal customization.
• Vision: to provide a realistic environment (test-bed) for testing communication protocols and systems for medical applications.
K. Venkatasubramanian, G. Deng, T. Mukherjee, J. Quintero, V. Annamalai and S. K. S. Gupta, "Ayushman: A Wireless Sensor Network Based Health Monitoring Infrastructure and Testbed", In Proc. of IEEE DCOSS, June 2005.
Ayushman: Remote Medical Monitoring
• Testbed consists of medical devices interfaced to a PDA using Crossbow motes.
• Medical devices integrated include: BP monitor (Suntech), EKG monitor (Vernier), gait monitor (MicaZ based sensors) and a TelosB based environment sensor.
• Supports query-based and continuous data collection.
• System constraints: low reliability; lack of bandwidth; low memory for processing.
[Figures: BP and EKG monitoring; gait monitoring]
Ayushman: Client Screen Shot
[Figure: client screenshot showing patient details, current sensor value, sensor values trend, query result (archived data) and location of server.]
Other Similar Projects
• Proactive Health Project @ Intel
  • Developing sensor network based pervasive computing systems
  • Managing daily health and wellness of people at home
  • Proactively anticipate the patient's needs and improve quality of life
• Code Blue Project @ Harvard: sensor network based health monitoring
  • Developing sensor network based medical applications for emergency care, disaster management and stroke patient rehabilitation
• AMON Project @ ETH, Zurich
  • Developing a multi-functional wearable health monitor, e.g. BP, pulse, SpO2, ECG, temperature
• Aware Project @ the Center for Pervasive Healthcare, University of Aarhus, Denmark
  • Applying context aware computing to hospital scenarios
  • Developing a context aware hospital bed and a pill box which is aware of its patients
Biomedical Sensors (Biosensors)
[Figure: EKG and PPG traces from the same body; the Inter-Pulse-Interval V1 measured from EKG equals the Inter-Pulse-Interval V'1 measured from PPG, and likewise V2 = V'2. Also pictured: nano-scale blood glucose level detector developed @ UIUC, Mica2 based EKG sensor, AMON wearable health monitor, Life Shirt ambulatory monitoring.]
• Physiological Values (PV): measure stimuli from the body, e.g. EKG, PPG (Photoplethysmograph).
• PVs are universally collectable, vary with time and can have similar values in one human being (e.g. the Inter-Pulse-Interval from EKG and from PPG).
• Biomedical sensor platforms
  • In-vivo sensors: primarily at the experimental stage; measure one stimulus.
  • Wearable sensors: groups of sensors packaged together; products available; have wireless capability.
  • Generic sensors (Mica2, MicaZ, TelosB): measure environmental stimuli; can perform wireless communication; used in medical monitoring projects such as Code Blue @ Harvard.
• Properties: small form factor; limited processor, memory and communication capabilities; form large networks within the body for energy-efficiency.
Biosensor Net: Security & Energy-Efficiency
[Figure: cluster topology with a Base Station, a Leader Node (LN) and Sensor Nodes (SN) forming a cluster.]
• Security
  • Healthcare systems collect sensitive medical data from a patient.
  • Patient's privacy is a legal requirement (HIPAA).
  • Health information of a person can be taken advantage of.
• Attacks: fake emergency warnings; prevent legitimate emergency warnings; battery power depletion; tissue heating.
• Energy-Efficient Topologies
  • Biosensors have limited capabilities.
  • Topological formations help in reducing energy consumption.
  • Many topologies possible: cluster, tree, ...
  • Cluster is one of the most energy-efficient topologies [HCB00].
• Security and Topology
  • Topology formation is not traditionally secured, which leaves systems open to attacks during topology formation. Example: sinkholes.
  • Securing topology formation is a must.
PVS: Physiological Value based Security
[Figure: sensors measuring ECG and heart/pulse rate; blood pressure combined with blood glucose.]
• Principle idea: use PVs as security primitives in biomedical sensor networks, to hide cryptographic keys and to authenticate and secure biosensor communication.
• Examples: blood pressure, heart rate, glucose level; temporal variations in different PVs; combination of multiple PVs.
• PV values at two locations are slightly different; use Error Correction Codes like Majority Encoding for correction.
• Benefits: easier and safe key generation; cheaper key distribution.
Aspects of Physiological Values
[Figure: PV value plotted against time.]
• Required properties of Physiological Values
  • Universal: should be measurable in everyone.
  • Distinctive: should be able to differentiate 2 individuals.
  • Random: to prevent brute-force attacks.
  • Time-variant: if broken, the next set of values should not be guessable.
• FOUND: Inter-Pulse-Interval (IPI), Heart Rate Variation (HRV). FUTURE QUEST: find others...
• Physiological Certificate
  • Cert = MAC(Key, Data), γ where γ = Key ⊕ PV
  • γ hides the actual Key used for computing the Message Authentication Code (MAC) over the data for integrity protection.
PV Based Communication
• Measure the pre-defined PV @ sender (PVs) and @ receiver (PVr).
• Generate a random key @ sender: RandKey.
• Compute the Physiological Certificate with RandKey on Data: Cert = MAC(RandKey, Data), γ where γ = PVs ⊕ RandKey.
• Send message <Data, Cert, γ>.
• Receiver unhides RandKey using PVr and the γ from the Cert: RandKey' = PVr ⊕ γ.
• Correct RandKey, then verify the certificate by computing the MAC: RandKey'' = ECC(RandKey'); Cert == MAC(RandKey'', Data)?
• Error Correction Code used: Majority Encoding [Juels99, CVG03].
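The exchange above, as an added worked example (not code from the slides or the Ayushman project): the sender majority-encodes RandKey before XORing it with PVs, and the receiver unhides with its own PVr, majority-decodes, and checks the MAC. HMAC-SHA256 as the MAC, a 16-byte RandKey, a repetition factor of 5 and the random bit strings standing in for encoded PVs are all assumptions.

```python
import hmac
import hashlib
import random
import secrets

KEY_BYTES = 16   # RandKey length (assumption)
REP = 5          # repetition factor of the majority code (assumption; the slides only name the code)
PV_BITS = KEY_BYTES * 8 * REP   # the PV is consumed as a bit string as long as the codeword

def bits_from_bytes(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def bytes_from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def majority_encode(key):
    # Each key bit is repeated REP times; the receiver tolerates fewer than REP/2 flips per group.
    return [bit for bit in bits_from_bytes(key) for _ in range(REP)]

def majority_decode(codeword):
    # ECC(RandKey'): a majority vote inside each REP-sized group recovers the key bit.
    groups = (codeword[i:i + REP] for i in range(0, len(codeword), REP))
    return bytes_from_bits([1 if sum(g) * 2 > len(g) else 0 for g in groups])

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

def sender(pv_s, data):
    """Cert = MAC(RandKey, Data), gamma where gamma = PVs XOR MajorityEncode(RandKey)."""
    rand_key = secrets.token_bytes(KEY_BYTES)
    cert = hmac.new(rand_key, data, hashlib.sha256).digest()
    gamma = xor_bits(pv_s, majority_encode(rand_key))
    return data, cert, gamma

def receiver(pv_r, data, cert, gamma):
    """RandKey' = PVr XOR gamma, RandKey'' = ECC(RandKey'), then Cert == MAC(RandKey'', Data)?"""
    rand_key_p = xor_bits(pv_r, gamma)        # still carries the PVs XOR PVr mismatch
    rand_key_pp = majority_decode(rand_key_p)
    return hmac.compare_digest(cert, hmac.new(rand_key_pp, data, hashlib.sha256).digest())

def make_pv(seed):
    # Constructed stand-in for an encoded PV (e.g. IPI or HRV); real PVs come from the sensors.
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(PV_BITS)]

def perturb(pv, flips_per_group, seed):
    # Models the slight sender/receiver mismatch: flip `flips_per_group` bits in every group.
    rng = random.Random(seed)
    out = list(pv)
    for start in range(0, len(out), REP):
        for pos in rng.sample(range(start, start + REP), flips_per_group):
            out[pos] ^= 1
    return out

def exchange(pv_s, pv_r, data=b"EKG sample: 72 bpm"):
    return receiver(pv_r, *sender(pv_s, data))

if __name__ == "__main__":
    pv_s = make_pv(1)
    print("same body, small mismatch:", exchange(pv_s, perturb(pv_s, 2, 2)))   # True
    print("different person:", exchange(pv_s, make_pv(99)))                     # False
```

With 3 of every 5 bits flipped the vote inverts every key bit and the MAC check fails, which is the FRR side of the synchronicity requirement discussed later in the slides.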
Choosing Physiological Values
[Figure: HRV measured at two sensors (PV0, PV1) is passed through an Encoder to 128-bit strings I0 and I1; their Hamming distance is < 22 bits for the same person and 90 bits for a different person. Radio-range diagram: intended communication versus interference.]
• Identified PVs: Inter-Pulse-Interval (IPI) [PZ06]; Heart Rate Variation (HRV) [BZZ05].
• PV distinctiveness testing
  • Performance evaluation criteria: False Rejection Rate (FRR), False Acceptance Rate (FAR).
  • FAR and FRR increase if the two PVs lack synchronicity.
  • Randomness of PVs verified using the Chi-Square Test.
• Interference possible: the drastic difference between the PVs of two people will prevent unwanted communication.
Advantage of Using PV Based Security
• Traditional secure biosensor network communication (S, R, BS)
  • Topology formation: unsecured; cluster; linear.
  • Key distribution: use distributed keys; Diffie-Hellman (ECC); pre-deployed keys; random key assignment ...
  • Secure communication.
• PV based secure biosensor network communication (S, R, BS)
  • Secure topology formation: PV based security; centralized cluster formation; distributed cluster formation.
  • Key distribution completely eliminated: VERY EFFICIENT.
  • Secure communication: use PV for sensor-sensor secure communication.
Cluster Formation & Security Flaws
[Figure: traditional cluster formation with leader nodes LN1-LN3 and sensor nodes SN1-SN6; a malicious node draws SN1-SN3 away from LN1/LN2, whose signal is weaker.]
• Traditional cluster formation technique
  • All solicitations are supposed to come from the LN only.
  • Each LN is assumed to be trustworthy.
• Flaws in traditional cluster formation: Hello-Flood attack
  • Leads to the formation of sinkholes.
  • The sinkhole can now mount selective forwarding attacks on the sensors in its "cluster".
• Problem: the traditional cluster formation protocol is not secure.
Secure Cluster Formation
• PV based inter-sensor communication; NO explicit key distribution.
• Assumptions
  • Wireless medium NOT trusted.
  • Base Station trustworthy.
  • Physical compromise of sensors not possible (ambulatory patient).
  • Jamming not considered.
  • Leader Nodes identified a priori to cluster formation.
• Keying structure
  • Pair-wise unique master key Km shared by the BS and each sensor; Km pre-deployed.
  • Derive 2 keys from Km for each node X in the network: K'X-BS = H(Km, 1) and K'BS-X = H(Km, 2), where H is a secure one-way hash function.
  • Symmetric cryptography used, as asymmetric is expensive. Memory footprint: TinySec = 16.5KB; Elliptic Curve Cryptography with a 163-bit key = 35KB.
• Clusters are temporary topologies: Leader Nodes are rotated at regular intervals, so the secure cluster formation protocol needs to run every time clusters are formed.
Centralized Cluster Formation
[Figure: Base Station, sensor nodes NA, NB, NC and nodes N1-N4; N3 solicits, NB and NC relay to the BS, the BS replies to N3.]
• Solicitation (N3 → *): N3, MAC(K'N3-BS, N3), Cert[N3]
• Relay (NC → BS): N3, MAC(K'N3-BS, N3), Cert[N3], NC, SS, MAC(K'NC-BS, NC | SS)
• Relay (NB → BS): N3, MAC(K'N3-BS, N3), Cert[N3], NB, SS, MAC(K'NB-BS, NB | SS)
• Reply (BS → N3): NC, MAC(K'BS-N3, NC)
• Use a nonce with each message for freshness.
• Message complexity: Solicitations = N; Relays = N*p, p ≤ M; Reply = N; Total = O(N).
Distributed Cluster Formation
[Figure: nodes NA, NB, NC and N1-N4; NB solicits, N3 and N2 reply directly.]
• Solicitation (NB → *): NB, Cert[NB]
• Reply (N3 → NB): N3, NB, Cert[N3, NB]
• Reply (N2 → NB): N3, NB, Cert[N3, NB]
• Use a nonce with each message for freshness.
• Message complexity: Solicitations = M; Reply = N; Total Msgs = O(N).
Security Analysis
• Spoof LN
  • Centralized protocol: relayed messages cannot be authenticated; the BS rejects relays from a spoofed LN.
  • Distributed protocol: a spoofed LN cannot measure the PV; the solicitation is rejected.
• Spoof Sensor Nodes (both protocols): the adversary cannot measure the PV, so an illegal Cert is appended (to the reply, or in the relayed solicitation); potential energy loss at LNs forwarding bogus packets; the BS rejects the adversary as the pair-wise key was not used for computing the MAC.
• Compromise Physiological Values: both protocols will FAIL to protect.
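Added example (not code from the slides or the Mica2 prototype) of the centralized protocol's message formats and of the two checks the security analysis relies on: the BS verifies the LN's MAC under K'N3-BS, each relaying sensor's MAC under K'NC-BS, and refuses replays of an already answered (LN, nonce, SN) triple. H is instantiated as HMAC-SHA256, MACs are truncated to 8 bytes, the master keys and node ids are constructed, and the physiological certificate is carried as an opaque field (its PV check is the relaying sensor's job, not the BS's); all of these are assumptions.

```python
import hmac
import hashlib

def derive(km, tag):
    """K'X-BS = H(Km, 1) and K'BS-X = H(Km, 2); H instantiated as HMAC-SHA256 (assumption)."""
    return hmac.new(km, bytes([tag]), hashlib.sha256).digest()

def mac(key, *fields):
    """MAC over the '|'-joined fields, truncated to 8 bytes as a mote would (assumption)."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()[:8]

def solicitation(ln, k_ln_bs, nonce, cert):
    # Solicitation (N3 -> *): N3, MAC(K'N3-BS, N3), Cert[N3]; the nonce gives freshness.
    return (ln, nonce, mac(k_ln_bs, ln, nonce), cert)

def relay(sol, sn, k_sn_bs, ss):
    # Relay (NC -> BS): the solicitation as heard, then NC, SS, MAC(K'NC-BS, NC | SS).
    return sol + (sn, bytes([ss]), mac(k_sn_bs, sn, bytes([ss]), sol[1]))

class BaseStation:
    def __init__(self, master_keys, leader_ids):
        # One pair-wise master key Km per node, pre-deployed; two directional keys derived from it.
        self.k_to_bs = {x: derive(km, 1) for x, km in master_keys.items()}
        self.k_from_bs = {x: derive(km, 2) for x, km in master_keys.items()}
        self.leaders = set(leader_ids)       # LNs are identified a priori
        self.seen = set()                    # (LN, nonce, SN) triples already answered

    def authentic(self, r):
        ln, nonce, ln_mac, _cert, sn, ss, sn_mac = r
        if ln not in self.leaders or sn not in self.k_to_bs or (ln, nonce, sn) in self.seen:
            return False
        ln_ok = hmac.compare_digest(ln_mac, mac(self.k_to_bs[ln], ln, nonce))        # spoofed LN fails
        sn_ok = hmac.compare_digest(sn_mac, mac(self.k_to_bs[sn], sn, ss, nonce))    # spoofed SN fails
        return ln_ok and sn_ok

    def reply(self, relays):
        """Relays for one solicitation in; Reply (BS -> N3): NC, MAC(K'BS-N3, NC) out, or None."""
        good = [r for r in relays if self.authentic(r)]
        if not good:
            return None
        ln, nonce = good[0][0], good[0][1]
        good = [r for r in good if r[0] == ln and r[1] == nonce]
        self.seen.update((r[0], r[1], r[4]) for r in good)
        best = max(good, key=lambda r: r[5])   # strongest signal strength joins the LN's cluster
        return (best[4], mac(self.k_from_bs[ln], best[4], nonce))

if __name__ == "__main__":
    master = {b"N3": bytes(range(16)), b"NB": bytes(range(16, 32)), b"NC": bytes(range(32, 48))}
    bs = BaseStation(master, leader_ids=[b"N3"])
    sol = solicitation(b"N3", derive(master[b"N3"], 1), b"\x00\x01", b"Cert[N3]")
    relays = [relay(sol, b"NB", derive(master[b"NB"], 1), 40),
              relay(sol, b"NC", derive(master[b"NC"], 1), 90)]
    print(bs.reply(relays))   # (b'NC', <MAC under K'BS-N3>)
    print(bs.reply(relays))   # None: replayed relays are rejected
```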
Prototype Implementation
[Figure: logical setup (BS, LN, SNs, a spoofed LN, a spoofed SN and a promiscuous listener; centralized and distributed clusters) and the actual Mica2 setup.]
• Implementation on Mica2 motes.
• Promiscuous listener used to see the workings of the protocol.
• Attacked the setup: spoofed LN, spoofed SN. Attacks thwarted.
• File sizes:
  Entity        Centralized   Distributed
  Base Station  15.2KB        ---
  Leader Node   12.8KB        12.5KB
  Sensor Node   13.5KB        13.9KB
• Smaller memory footprint than TinySec (16.5KB), as the crypto routines are called directly instead of through TinySec, minimizing overhead (only the MAC routines are used).
Conclusions and Future Work
• Biosensor network management using secure energy-efficient topology construction.
• Use of Physiological Values for establishing session keys between biosensors, for example Inter-Pulse Interval and Heart-Rate Variation.
• Prototyped the protocol using Mica2 motes and tested resiliency by actively attacking it.
• Future Work
  • Expand the set of Physiological Values used for securing biosensor communication.
  • Incorporate PVs into the implementation and evaluate efficiency.
Communication Scheduling for PVS
• PVs are unpredictable and vary with time; at a given time, the PVs measured at co-located sensors are similar.
• For communication it is necessary to follow a schedule for efficient functioning:
  • At MT (Measurement Time), both sender & receiver measure a pre-decided PV.
  • At ST (Solicitation Time), sender and receiver communicate using the PV measured in the MT before.
[Figure: schedule with sender sequence 1, 3, 7 and receiver sequence 6,9, 7, *; broadcast slots are used for solicitations.]
• The schedule is computed a priori by the BS, based on network topology and communication requirements, and distributed to the sensors.
• Every communication requires a new measurement of the PV; old values are NEVER reused.
Feasibility
• Single PV for all sensors?
  • All sensors cannot be expected to measure the same PV.
  • Need enough PVs to allow senders and receivers to choose the one they have in common.
• Multiple stimuli measurement
  • Multi-modal wearable monitoring devices available:
    • Vivago WristCare (wrist wearable): patient activity, skin temperature, skin conductivity (http://www.istsec.fi/eng/Etuotteet.htm)
    • AMON (wrist wearable): EKG, blood pressure, SpO2 [LA02]
    • Life Shirt (smart clothes): EKG, perspiration, posture, SpO2 (http://www.vivometric.com)
  • For in-vivo sensors, such capabilities are not yet available to the best of our knowledge.
• Powering sources:
  • Power-paper cells which can be printed (http://www.powerpaper.com)
  • Battery made of fiber that can be woven [ASG05]
  • Body movement and heat [ASG05]
  • Flexible solar cells, textile coils, even a bike dynamo [ASG05]
References
• [Juels99] Ari Juels and Martin Wattenberg, "A Fuzzy Commitment Scheme", 1999.
• [SGW01] Loren Schwiebert, Sandeep K. S. Gupta, Jennifer Weinmann et al., "Research Challenges in Wireless Networks of Biomedical Sensors", The Seventh Annual International Conference on Mobile Computing and Networking, pp. 151-165, Rome, Italy, July 2001.
• [HCB00] Wendi Rabiner Heinzelman, Anantha Chandrakasan and Hari Balakrishnan, "Energy-Efficient Communication Protocol for Wireless Microsensor Networks", Proceedings of the 33rd International Conference on System Sciences (HICSS '00), January 2000.
• [CVG03] Sriram Cherukuri, Krishna K. Venkatasubramanian and Sandeep K. S. Gupta, "BioSec: A Biometric Based Approach for Securing Communication in Wireless Networks of Biosensors Implanted in the Human Body", International Conference on Parallel Processing Workshops, October 6-9, 2003, Kaohsiung, Taiwan.
• [KW03] Chris Karlof and David Wagner, "Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures", In Proc. of the IEEE International Conference on Communications, July 2003, Anchorage.
• [LA02] Paul Lukowicz et al., "AMON: A Wearable Computer for High Risk Patients", In Proc. of the 6th IEEE International Symposium on Wearable Computers, 2002.
• [BZZ05] Shu-Di Bao, Y.-T. Zhang and Yuan-Ting Zhang, "Physiological Signal Based Entity Authentication for Body Area Sensor Networks and Mobile Healthcare Systems", In Proc. of the IEEE 27th Conference on Engineering in Medicine and Biology, Sept. 2005, China.
• [PZ06] Carmen C. Y. Poon and Yuan-Ting Zhang, "A Novel Biometric Method for Secure Wireless Body Area Sensor Network for Telemedicine and M-Health", IEEE Communications, April 2006.
• [ASG05] Fabrice Axisa et al., "Flexible Technologies and Smart Clothing for Citizen Medicine, Home Healthcare and Disease Prevention", IEEE Trans. on Info. Tech. in Biomedicine, 9(3), 2005.
• [LG04] K. Van Laerhoven and H.-W. Gellersen, "Spine versus Porcupine: a Study in Distributed Wearable Activity Recognition", In Proc. of the 8th International Symposium on Wearable Computers, 2004, Arlington, VA.
• [MWS04] David J. Malan, Matt Welsh and Michael D. Smith, "A Public-Key Infrastructure for Key Distribution in TinyOS Based on Elliptic Curve Cryptography", 1st IEEE International Conference on Sensor and Ad Hoc Communications and Networks, 2004.