SIVA: Security Intelligence Verification Algorithm for Location based Services [1 ed.]

Abstract The basic objective of SIVA is to verify the security and privacy of location based information and communicati

309 114 341KB

English Pages 9 Year 2014

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
The work is organized as follows. Section 1 starts with introduction which defines the problem of smart grid topology and location privacy. It reviews existing literature and analyzes the gaps, states research methodology and contributions of the work. Section 2 presents SIVA. Section 3 analyzes SIVA in terms of security intelligence, computational and communication complexity. Section 4 outlines the system architecture of location based access control system based on SIVA and section 5 concludes the work by highlighting several applications.
Recommend Papers

SIVA: Security Intelligence Verification Algorithm for Location based Services [1 ed.]

  • Commentary
  • This work is focused on location privacy.
  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

SIVA: Security Intelligence Verification Algorithm for Location based Services Sumit Chakraborty Fellow, Management Information Systems (Indian Institute of Management Calcutta), BEE (Jadavpur University), India E-mail: [email protected], [email protected]; Phone: 91-9940433441 Abstract The basic objective of SIVA is to verify the security and privacy of location based information and communication services based on collective intelligence. The security intelligence of a location based services should be analyzed through a multidimensional view : (P1) topology in terms of number of sensors, relays, base stations, sub-stations and their connectivity in a smart grid; (P2) identity of the objects associated with the topology; (P3): position or location of the objects in terms of X, Y and Z coordinates, longitude, latitude, radius, zone and distance between the objects; (P 4) movement of mobile objects in terms of speed or velocity, acceleration, direction, route map and distance from source and destination and (P 5) collective intelligence in terms of workflow control pattern, resources allocation and their roles, collaborative intelligence, coordination and integration strategies. The research methodology is basically case based reasoning on a smart grid. The basic components of the smart grid are sensors, relays, wireless communication channel and base station; the application domains are sensor networks, mobile communication and SCADA system. The objective is to optimize system performance and security intelligence of the smart grid subject to a set of constraints such as cost of communication and quality of service. The topology of the smart grid consists of n sensor nodes and m relays with a specific range of communication. For instance, it is required to compute a Steiner tree interconnecting all nodes with minimum number of Steiner points such that the Euclidean length of each edge is no more than the given positive constant. Effective location based services requires efficient processing of access requests to find the past, present and future location of the mobile agents or objects. But, it raises several security and privacy concerns and demands a comprehensive security policy. Location based access control is important to preserve the privacy of the mobile objects or agents in terms of their identities, position, path movement and interaction. Traditional authentication and privacy protection techniques are not sufficient to ensure the security of a smart grid efficiently in a robust way. This work presents Security Intelligence Verification Algorithm (SIVA) for a smart grid based on threats analytics. It defines the security intelligence of the grid comprehensively with a novel concept of collective intelligence and location based access control mechanism. The basic objective is to search for the desired moving objects that satisfy the query and identify and enforce the relevant security policies. SIVA is analyzed from the perspectives of security intelligence, communication complexity and computational intelligence. The security intelligence of SIVA is defined in terms of location privacy: topology, identity, position, path, movement and interaction; authentication, authorization, correct identification, confidentiality and audit; fairness, correctness, transparency, accountability, trust, non-repudiation and data integrity; reliability, consistency, liveness, deadlock freeness, safety and reachability. The computational intelligence is associated with the complexity of Steiner tree or disc graph and location based access control policies such as obfuscation and anonymity algorithms. The cost of communication is a function of number of sensor nodes and relays in the smart grid and communication protocol. But, a complex security and privacy policy may incur computation and communication overhead and may degrade the performance of the grid. It is essential to organize the mobile objects, their profile and authorizations and serve access requests efficiently. SIVA verifies location privacy in terms of position based conditions on the location of the sensors and relays, movement based conditions on the mobility, interaction and information privacy of identity, position and path of the mobile objects. It also verifies the effectiveness of location privacy strategies in terms of anonymity, policy and obfuscation. Privacy should be enforced at different levels for different applications based on rational reasoning. Keywords: Location privacy, Security intelligence, Verification algorithm, Smart grid, Sensor networks, Mobile communication, Computational complexity, Steiner tree, Communication cost.

1. Introduction The basic function of a smart grid is that a set of sensors send data to a base station through a set of relays at optimal cost of communication. A smart grid is vulnerable to various types of malicious attacks. The basic objective is to verify the security intelligence of the grid comprehensively through collective intelligence. A smart grid is essential for various types of applications such as sensor networks, mobile communication networks and SCADA of a power grid. The grid may have fixed or dynamic topology. It must ensure security through intelligent design of topology. The dynamic topology of a smart grid is applicable for mobile communication. The progress in location technologies (e.g. GPS) are fostering the development of emerging location based services that make use of the location information of mobile objects or agents; the basic concepts of location based access control systems and the related issues of information security and privacy have been analyzed in [1-18]. These works address location privacy policies, anonymity and obfuscation based techniques. Location based Access Control (LBAC) systems integrate access control mechanisms with access conditions based on position, movement, interaction and path of the mobile objects. The privacy of location information is very important for emerging location based services, social networks and monitoring services enriched with data indicating where the mobile objects are, how they are moving or whether are close to specific locations. Location based services use complex GPS and location information for different objectives while the sensor and relays gather, communicate and the base station analyzes the complex data. Location privacy is defined as the rights of the mobile objects or agents to decide how, when and for which objectives their location data may be disclosed to the other agents. The violation of location privacy results various types of threats such as physical attacks or harassment, user profiling, unsolicited advertising and denial of services (DoS) [1]. The disclosure of information on the location of the mobile objects may be exploited without their consent or approval for promotion and advertising in mobile commerce or denial of services. The disclosed data of the location, identity and path of a mobile agent may be used for physical assaults of the mobile objects or agents by the malicious adversaries. The violation of location privacy may be used for user’s profiling to infer other sensitive personal data on healthcare, likes and dislikes. It is really challenging to develop a

Reference of document : Technical Report TR/ SIVA/ V1.0 DATED 15.08.2014

1

secure, efficient, real-time and scalable access control mechanism. The review of existing works could not find out an efficient algorithmic mechanism from the perspective of comprehensive security intelligence, computational and communication complexity. The existing works have several gaps. The security intelligence of location based service has been defined weakly, incompletely and imprecisely. The security protocols lack intelligent model checking or system verification mechanisms based on rational threat analytics. Location privacy is an important issue for a smart grid but there are no comprehensive solutions for its protection. Existing techniques are focused on anonymity and obfuscation. Anonymity is applicable to the mobile and online services which do not require the identity of the users to ensure service quality. The contributions of the present work are as follows. This work presents security intelligence verification algorithm (SIVA) based on threats analytics and case based reasoning. It defines the security intelligence of a location based service comprehensively based on collective and collaborative intelligence. It explores the risk of various attacks on a smart grid in terms of location privacy and corruption of topology, objects, agents, data and communication protocol. SIVA is designed in terms of agents, input, output, smart grid topology, communication protocol, revelation principle and model checking strategies. It recommends a set of intelligent model checking moves for the verification of security intelligence of the smart grid. SIVA is analyzed from the perspective of security intelligence, computation and communication complexity. The research methodology adopted in the present work includes case based reasoning, threat analytics and review of relevant literature on smart grid and location based access control system. The logic of SIVA is explored through case based reasoning on smart grids related to sensor network, mobile communication network and SCADA protection system for power grid. The model checking algorithm assesses the risks of various malicious attacks and the relevant risk mitigation plans. The basic building blocks of the proposed algorithmic mechanism are secure multi-party computation, data security and location based access control. The work is organized as follows. Section 1 starts with introduction which defines the problem of smart grid topology and location privacy. It reviews existing literature and analyzes the gaps, states research methodology and contributions of the work. Section 2 presents SIVA. Section 3 analyzes SIVA in terms of security intelligence, computational and communication complexity. Section 4 outlines the system architecture of location based access control system based on SIVA and section 5 concludes the work by highlighting several applications.

2. Security Intelligence Verification Algorithm (SIVA) Assumptions: a. For a given set of sensors and the communication range of a relay r, the objective is to place minimum number of relays between each pair of sensors such that there is a path through sensors and /or relays and the consecutive vertices of the path are within distance r if both vertices are relays and within distance q otherwise. The two-tier version restricts that the path must go through relays and not through sensors. b. The smart grid must satisfy the basic requirements of security and privacy comprehensively based on collective intelligence. c. The analytics must explore the risk of all possible threats on a smart grid. d. Another critical issue is low computation and communication overhead for security intelligence. e. The system must support scalability and reliability. The sensors distribute real-time data reliably through a private communication channel, the recipient i.e. the base station validates and uses the received data as it arrives. Reliability detects missing or corrupted data. Agents: Smart grid system administrator (A); Input: Smart grid architecture comprising of sensors, relays, base station and communication channel; communication range of relays; 1. A designs a smart grid with optimal location points and correct estimation of resources. Call minimum spanning Steiner tree heuristics. Input : A set S of n sensor nodes, m relays in the smart grid, base station and communication channel, a positive constant on range of communication (r) or edge bound; Output: A feasible Steiner tree (T) for S; 1.1 Compute a minimum spanning tree (T) for S interconnecting all nodes with minimum number of Steiner points so that the Euclidean length of each edge is no more than r. 1.2 Divide each edge in T into components of length at most r with minimum number of Steiner points. 1.3 Generate final tree as T with a set of blobs, clouds, stabs, hubs and forests. The basic objectives are to optimize system performance and security intelligence approximately subject to constraints on cost of communication and quality of service. 2. A generates and distribute keys to the sensor nodes for private communication : (encryption and decryption) or digital signature or (signcryption and unsigncryption); also defines strategies for privacy preserving data mining in terms of obfuscation, randomization, summarization, aggregation, generalization, suppression, de-identification and k-anonymity. 3. The sensors sense data stream (Dj; j=1,..,x) or secret (D) and transmit the same through relays to the base station server selecting a set of intelligent moves from the list of unidirectional or bidirectional, synchronous or asynchronous, single or multiple rounds of communication, FIFO, LIFO, priority queue, load consolidation and data filtering. The private data is signcrypted. 4. The base station server unsigncrypts the data; verifies security intelligence and identifies points of corruption on a smart grid, data, communication protocol and payments function. 4.1 location based access control : position based conditions on the location of the mobile objects, movement based conditions on the mobility of the objects and interaction; 4.2 system performance : flaws on topology in terms of number of sensors, relays, base stations and network connectivity, reliability, consistency, liveness, deadlock freeness, safety, reachability and lack of synchronization; 4.3 information security : privacy -identity, position and path; authentication, authorization and correct identification; 4.4 secure multi-party computation : audit fairness, correctness, transparency, trust, integrity, accountability, confidentiality, commitment and non-repudiation of computation;

Reference of document : Technical Report TR/ SIVA/ V1.0 DATED 15.08.2014

2

4.4 malicious attacks : Assess and mitigate the risks of false data injection, sybil, node replication, wormhole, blackhole, jellyfish, rushing, neighbor, coremelt, node deletion or compromise, poor QoS, flaws in communication plan, malicious business intelligence, corruption in secret sharing and information leakage. 5. Call threat analytics and assess risks of single or multiple attacks on smart grid; analyze system performance, sensitivity, trends, exception and alerts. Call obfuscation or anonymity or policy based techniques to ensure location privacy. What is corrupted or compromised: agents, communication schema, data schema, application schema, computing schema and mechanism of the smart grid? Time: what occurred? what is occuring? what will occur? assess probability of occurrence and impact. Insights : how and why did it occur? do cause-effect analysis. Recommend : what is the next best action? Predict : what is the best or worst that can happen? Output : Pl (Location privacy plan of smart grid), Security intelligence.

3. SIVA Complexity Analysis 3.1 Security Intelligence and Threat Analytics Theorem 1: The security of a smart grid depends on its topology, optimal numbers of sensors and relays and their connectivity with the base station. SIVA verifies location based access control mechanism in terms of position based conditions on the location of the sensors, relays and base station, movement based conditions on the mobility, interaction and information privacy of identity, position and path of the objects or agents. It also verifies the effectiveness of location privacy strategies in terms of anonymity, policy and obfuscation. A smart grid is essential for various types of location based services such as sensor networks, mobile communication networks and SCADA of a power grid. A smart grid may have fixed or dynamic topology. Let us first consider the fixed topology of a smart grid. A sensor network consists of a large number of low cost sensors and relatively expensive relays having a specific communication range. The security intelligence of the smart grid is highly dependent on its topology i.e. optimal number of sensors and relays should be placed and connected to the base station and also the communication model. There are one tier and two tiers communication models which differ in whether direct communication between sensors is allowed. In both models, a sensor and a relay can communicate if the distance between those objects is at most q; two relays can communicate if the distance between them is at most r. In one-tier model, two sensors can communicate if the distance is at most q. In two-tier model, two sensors can not communicate; the sensors only link to relays but not to other sensors. The basic objective is to design a smart grid with n sensors and m relays subject to the constraints of communication range of the relays and the sensors [19-22]. The topology of the smart grid must ensure security intelligence through correct estimation of number of sensors and relays, network connectivity and adequate coverage of area.

Blob and cloud

Stab

Hub

Star network

Fig. 1: Topology of smart grid for location based service The existing works have defined location privacy weakly and incompletely for location based services. The basic objective of SIVA is to verify the security and privacy of location based information and communication services based on collective intelligence. The security intelligence of a location based services is associated with a set of parameters : (P 1) topology in terms of number of sensors, relays, base stations, sub-stations and their connectivity (Fig.1); (P2) identity of the objects of the topology; (P3): position or location of the objects in terms of X, Y and Z coordinates, radius, zone and distance between the objects; (P 4) movement of mobile objects in terms of speed or velocity, direction, route map and distance from source and destination and (P5) collective intelligence in terms of workflow control (e.g. sequential or parallel constraints), resources allocation and their role, collaborative intelligence, coordination and integration strategies. The topology of a smart grid associated with location based services is a critical privacy parameter. A malicious agent may try to access the data on the configuration of the smart grid. The topology may be a simple Steiner tree or a complicated graph having blobs and clouds, hubs, stabs and forests. Figure 1 shows two disk graphs: graph G = (V;E) and F = (V; F)

Reference of document : Technical Report TR/ SIVA/ V1.0 DATED 15.08.2014

3

where E and F have different constraints based on distance between two objects. Let V be a given set of sensors shown as dots; solid lines are edges in E and F and the dashed lines are edges in F only. A stab is a relay with infinite communication range. A hub is a relay without the ability to communicate with the other relays. The placement of stab and hub is basically a set cover problem to ensure efficient communication in the smart grid. A blob is the union of disks centered at the sensors that belong to the graph G. A cloud is the union of the unit disks centered at the sensors that belong graph F. The sensors in a blob can communicate with each other without relays; the sensors in a cloud may not communicate with each other though their disks may overlap. The system administrator of the base station must preserve the privacy of the data on topology and configuration of the network. Each sensor or relay should know its neighbors transparently. They should not have the access to the data on smart grid topology. The topology of the smart grid must have different views.

Dimensions

Location Privacy Parameters

P1 Smart grid topology P2 Identity P3 Position or location P4 Movement P5 Collective intelligence and interaction Table 1 : Multi-dimensional view of location privacy Next, let us consider a mobile smart grid. The location data may be approximately computed with a margin of error and time. The grid provides the infrastructure for managing and evaluating location based access control policies. SIVA verifies various types of location based conditions. Position based conditions evaluates the location of the mobile objects whether the object is at a certain or in the proximity of other entities. Movement based conditions check velocity, acceleration and direction of the mobile objects. Interaction based conditions check multiple entities within a given area. Each sensor or mobile object is identified through an identifier. Location privacy is an important issue for a smart grid. SIVA verifies security intelligence in terms of identity, position and path privacy. The identities of a mobile object may be directly or indirectly inferred from its location data. The basic objective of the revelation principle of SIVA is to restrict the disclosure of identity of the objects strategically at different levels of privacy. Another important aspect is position privacy to protect the position data of the mobile objects by decreasing the accuracy of location data. Position privacy is suitable where identities of the mobile objects are required for effective service provisioning and less accurate location information does not affect the service quality significantly. The basic objective of path privacy is to protect the privacy of the data related to the motion of the mobile objects. A location based service may be exploited to compromise path privacy for tracking the mobile objects secretly with malicious intention. Location privacy techniques may be policy, obfuscation and anonymity based. These techniques are partially overlapped in scope. Anonymity based techniques are used to protect identity privacy and are less suitable for protecting position privacy. Obfuscation based techniques protect position protection and less appropriate for identity privacy. Both anonymity and obfuscation based techniques protect path privacy. Obfuscation based techniques protect location privacy by degrading the accuracy of location data still maintaining an association with the identity of mobile objects. Obfuscation can provide high service quality and a high privacy level; it also considers the errors in measurement of area by location technologies. The location measurement of a mobile object is a circular area Area (r, xc, yc, zc), where (xc, yc, zc) is geographical coordinates (also it may be latitude and longitude) and r indicates the radius and the real position of the mobile object. Anonymity based techniques focus on identity and path privacy protection. Anonymity based approaches strongly depend on the number of mobile objects joining the anonymity service and on the number of objects colocated in the same mix zone at the same time. K-anonymity-based techniques may protect path privacy. The basic building blocks of location privacy are location privacy policies which control revelation principle, business rules and information disclosure strategies of location data for a smart grid. It also preserves the privacy of data communication between sensors and base stations through relays. Generally, the service provider defines location privacy policy and the mobile objects or service consumers agree and accept the policies through negotiation. In fact, location privacy depends on the risks of other different types of threats and malicious attacks on a location based service such as the corruption of entities associated with the location services, data corruption and compromised communication protocol. Theorem 2 explains the risks and impact of various types of malicious attacks on location privacy through intelligent threat analytics.

Theorem 2: SIVA calls intelligent threat analytics rationally to assess other risks on a smart grid. These threats have negative impact on location privacy directly or indirectly. The location privacy may be preserved in some cases but a malicious attack may affect the operation of a smart grid dangerously. The security intelligence of SIVA is defined with a novel concept of collective intelligence and in terms of a set of properties of secure multi-party computation: authentication, authorization, correct identification, privacy: group, forward and backward, confidentiality and audit; fairness, correctness, transparency, accountability, trust, non-repudiation and data integrity; reliability, consistency, liveness, deadlock-freeness, safety and reachability [23-26]. SIVA must address correct identification, authentication, authorization, privacy and audit for various types of mechanisms with the smart grid. The system administrator of the base station must authenticate the sensors and relays efficiently. The sensors must be able to identify target and sense desired data correctly. Only, the authorized agents should have access to location privacy parameters. A smart grid needs fair allocation of resources for efficient operation. For any secure service, the system should ask the identity and authentication of one or more agents involved in a communication. The agents of the same trust zone may skip authentication but it is essential for all sensitive communication across different trust boundaries. After the identification and authentication, a service should address the issue of authorization. The system should be configured in such a way that an unauthorized agent cannot perform any task out of scope. The system should ask the credentials of the requester; validate the credentials and authorize the agents to perform a specific task as per agreed protocol. Each agent should be assigned an explicit set of access rights according to role. Privacy is another important issue; an agent can view only the information according to authorized access rights. A protocol preserves privacy if no agent learns anything more than its output; the only information that should be disclosed about other

Reference of document : Technical Report TR/ SIVA/ V1.0 DATED 15.08.2014

4

agent’s inputs is what can be derived from the output itself. The privacy of data may be preserved in different ways such as adding random noise to data, splitting a message into multiple parts randomly and sending each part to an agent through a number of parties hiding the identity of the source, controlling the sequence of passing selected messages from an agent to others through serial or parallel mode of communication, dynamically modifying the sequence of events and agents through random selection and permuting the sequence of messages randomly. The agents must commit the confidentiality of broadcasted data in case of private communication. The system administrator must be able to audit the efficiency of the mechanisms of the smart grid at anytime in terms of fairness, correctness, transparency, accountability, confidentiality and trust. There are some other important parameters of security intelligence: fairness, correctness, transparency, accountability and trust. SIVA must ensure correctness if the sending agent i.e. sensor nodes communicate correct data free from any false data injection attack through a set of relays and each recipient receives the same correct data in time without any change and modification done by any malicious agent. The fairness of the mechanism is associated with the commitment, honesty and rational reasoning on payment function, trust and quality of service. Fairness ensures that something will or will not occur infinitely often under certain conditions. The recipient expects fairness in private communication. The sensors expect fairness from the recipients in terms of true feedback and commitment on confidentiality of sensor data. The mechanism must ensure the accountability and responsibility of the agents in access control, data integrity and nonrepudiation. The transparency of the mechanism is associated with communication protocols, revelation principle and automated system verification procedures. In fact, the issues of correctness, fairness, transparency and accountability are all interlinked. There are some other important parameters of security intelligence for a smart grid. The performance of the data stream and quality of service is expected to be consistent and reliable. Reachability ensures that some particular state or situation can be reached. Safety indicates that under certain conditions, an event never occurs. Liveness ensures that under certain conditions an event will ultimately occur. Deadlock freeness indicates that a system can never be in a state in which no progress is possible; this indicates the correctness of a real-time dynamic system. SIVA calls threat analytics to assesses risks of single or multiple threats on the smart grid such as false data injection attack, sybil, node replication, wormhole, blackhole, jellyfish, rushing, neighbor, coremelt, node deletion, flaws in broadcast schedule, poor QoS, malicious business intelligence, shilling, corruption in secret sharing and information leakage through weak security algorithms. A malicious agent can exploit the configuration of a smart grid to launch false data injection attack against state estimation and introduce arbitrary errors into certain state variables. In an open environment, sensor nodes operate without any supervision; a malicious attacker can capture a node for reconfiguration or extract the private data stored in the node through cryptanalysis. An attacker may be able to deploy multiple physical nodes with same identity through cloning or node replication attack. An adversary may be able to deploy multiple identities of a node to affect the trust and reputation of a broadcasting system through Sybil attack. The attacker may be able to build an additional communication channel to capture private communication in sensor network through wormhole attack. A key can be compromised either by physical extraction from a captured node or by breach in security protocol. The denial of service attack renders a node by overloading it with unnecessary operations and communication and may be able to make the whole distributed computing system inoperable. Coremelt attacks can target communication links blocking the exchange of useful information and results traffic congestion in broadcast network. There are other possibilities of different types of attacks on multicast such as blackhole, jellyfish, neighbor and rushing attack. There are risks of snooping, phishing, cross site scripting, distributed denial of service, unauthenticated request forgery, authenticated request forgery, intranet request forgery and exploitation of distribution on web enabled smart grid. The basic objective of the threat analytics is to assess risks of different types of malicious attacks and explore risk mitigation plans accordingly. All these attacks can threaten location privacy directly or indirectly.

Theorem 3: SIVA explores different scenarios of corruption of the smart grid in terms of entities and agents (sensors, relays, base station, system administrator), data, communication channel, protocol and system. Any type of corruption can violate location privacy seriously. Model checking is an automated technique for verifying a finite state concurrent system. It represents a system by automata, represents the property of a system by logic and designs model checking algorithm accordingly. The basic objective of verification or model checking algorithm of SIVA is to ensure secure communication of the smart grid. It provides one or more security services by detecting, preventing or recovering from one or more threats. In SIVA, corruption may occur in various ways. The first scenario is related to corrupted sender and honest recipients; the sending agent is compromised by an adversary and broadcasts false data to the recipients; the corrupted sender gets payment from the adversary. The second scenario is associated with honest sender and corrupted recipients; the sending agent is an honest, rational and fair player and broadcasts correct message. But, several recipients are compromised by the adversary. It can be direct or indirect attack. In case of direct attack, the malicious agents get the decryption keys from the corrupted recipients and intercept the secret message directly. In case of indirect attack, several corrupted recipients receive the secret message and disclose the same to the adversary. The third scenario is related to corrupted sender and corrupted recipients where both the sender and some recipients are compromised. The fourth scenario is associated with corrupted communication channel; the malicious adversary can capture the secret data directly from the communication channel though the sender and the recipients are not corrupted. Alternatively, the adversary may delay the flow of data by creating congestion in the communication network. In worst case, both the sender and the recipients are corrupted and the channel is unsecured. Let us consider adversarial model. The adversary is capable of corrupting a set of recipients so that the adversary can access to the keys of the corrupted players. The corruption strategy indicates when and how parties are corrupted. In case of static corruption model, the adversary is given a fixed set of parties whom it controls. Honest parties remain honest throughout and corrupted parties remain corrupted. In case of adaptive corruption model, adaptive adversaries are given the capability of corrupting parties during the computation. The choice of who to corrupt, and when can be arbitrarily decided by the adversary and may depend on its view of the execution.

Theorem 4: The base station must verify the correctness and consistency of data communication to detect false data injection and shilling attack in SIVA.

Reference of document : Technical Report TR/ SIVA/ V1.0 DATED 15.08.2014

5

Threats: False data injection attack; Objective : Semi-automated system verification; Risk assessment : (a) Sense incorrect, fraudulent and false data communication through logical and analytical reasoning. (b) Detect the risk of data swap.

Risk mitigation: (a) Audit revelation principle and validate quality of statistics; check consistency and rationality of broadcast. (b) Verify fairness, correctness and trust in recommender system performance; do multi-dimensional view analysis. (c) Identify sources of data corruption. (d) Reject false data broadcast, complain to the service provider and impose penalty in payment function. (e) Verify transparency of a business process. (f) Set up interleaved hop-by-hop authentication schemes that ensure that the base station can detect false data immediately when no more than t nodes are compromised. Sensor node attestation verification is a critical requirement of a smart grid : check if a sensor node is tampered by an adversary; check the configuration and correct setting of each sensor node; detect whether malicious software is loaded into sensor nodes; verify the integrity of the code; perform secure code updates and ensure untampered execution of code. Each node should be attested with a valid digital test certificate. The verification algorithm must verify the identity and tampering status of each node. The basic objective of device attestation is that a malicious agent should not be able to configure or change correct setting of each node. A challenge response protocol is employed between a trusted external verifier and a sensor node.

3.2 Computation and Communication Complexity The cost of computation of SIVA is mainly associated with the complexity of threat analytics, security intelligence verification or model checking algorithms, location based access control policies such as obfuscation and k-anonymity algorithms and signcryption and unsigncryption algorithms used for private communication. It also depends on the complexity of topology of a smart grid such as Steiner tree or disc graphs configuration, number of sensors, relays, base stations, blobs, clouds, hubs, stabs and forest [27]. The cost of communication depends on of number of sensor nodes and relays in the smart grid and the complexity of private communication protocol. The other computation cost is associated with computation of minimum spanning tree (T) for a set of sensors, relays and base stations interconnecting all nodes with minimum number of Steiner points so that the Euclidean length of each edge is no more than r. It is required to divide each edge in T into components of length at most r with minimum number of Steiner points. The next critical task is to generate final tree as T with a set of blobs, clouds, stabs, hubs and forests. The basic objectives are to optimize system performance and security intelligence approximately subject to constraints on cost of communication and quality of service. Various polynomial time approximation schemes exist for the computation of Steiner tree and set covering problem [19,21]. But, it is out of scope of this work.

4. System Architecture for SIVA This section outlines the architecture of an automated system verification tool for SIVA. The architecture outlines the basic overview of application, computing, networking, data and security schema. Let us first consider the application schema. The verification system must check three critical components of smart grid: location based access control, communication protocol and payment function. It requires both automated and semi-automated verification options. The verification system calls threat analytics and a set of model checking algorithms for various phases : exploratory phase for locating errors, fault finding phase through cause effect analysis, diagnostics tool for program model checking and realtime system verification. Model checking is basically the process of automated verification of the properties of a smart grid. Given a formal model of a system and property specification in some form of computational logic, the task is to validate whether or not the specification is satisfied in the model. If not, the model checker returns a counter example for the system’s flawed behavior to support the debugging of the system. Another important aspect is to check whether or not a knowledge based system is consistent or contains anomalies through a set of diagnostics tools. There are two different phases: explanatory phase to locate errors and fault finding phase to look for short error trails. Model checking is an efficient verification technique for communication protocol validation, embedded system, software programmers, workflow analysis and schedule check. The basic objective of the model checking algorithm is to locate errors in a system efficiently. If an error is found, the model checker produces a counter example how the errors occur for debugging of the system. A counter example may be the execution of the system i.e. a path or tree. A model checker is expected to find out error states efficiently and produce a simple counterexample. There are two primary approaches of model checking: symbolic and explicit state. Symbolic model checking applies a symbolic representation of the state set (e.g. BDD) for property validation. Explicit state approach searches the global state of a system by a transition function. The smart grid system must have a set of modules such as (b) threat analytics, (c) model checking, (d) data visualization and (e) system performance scorecard (SPS). These modules should be integrated with the base station through efficient interfaces. The application should have following components: file, components, history, tools and help. The component module should have anti-virus, anti-spyware, e-mail scanner; update manager, license, system protection analyzer and identity protection sub-modules. The history module should have scan results, virus vault and event history log submodules. The tools should have scan computer, scan selected folder, scan file, update and advanced settings. The speed and priority of scanning should be controlled through user interface. The scan results should show the entities, tested objects, scan results, infections, spyware, warnings and root kits. The virus vault should have event history, virus name, path to file and original object name. The computing schema is mainly associated with threat analytics and model checking algorithms. They interact with each other in real-time in an web enabled distributed computing environment. The basic components of a privacy aware location based access control system should be logically integrated with the application schema. The service consumers or mobile objects define privacy preferences at the location middleware and interact with the access control engine to gain access to a business application. A service provider offers resources protected by location privacy policies through the business application. It relies on the access control engine for evaluating policies based on the location. The access control engine evaluates and enforces privacy policies. The location middleware is the trusted gateway between the service consumers and access control engine. It manages communications with the location provider and enforces both

Reference of document : Technical Report TR/ SIVA/ V1.0 DATED 15.08.2014

6

privacy preferences of the service consumers and the need of location accuracy requested by access control engine. Location provider manages sensing technologies and computes location of the mobile objects to the location middleware. The threat analytics should be equipped with a set of data visualization tools and system performance scorecard. The data schema should have specific data of various entities such as service provider, service consumers, channels, network topology, sensors, relays and base stations. The networking schema should have a wireless internet schema in distributed computing environment.

Security Intelligence Exploratory module : locate errors

Fault finding: Cause-effect analysis

Diagnostics tool: program model checking

Real-time system verification

Threat analytics

Model checking algorithms

Automated verification

Semi-automated verification

Communication protocol

Broadcast schedule

Payment function

Security Intelligence Verification Algorithm (SIVA) Fig. 2: Automated Verification System Architecture Finally, let us consider about the security schema. The verification system should analyze the security intelligence of the broadcasting system based on collective intelligence comprehensively. The output of the verification system is expected to be security intelligence. The threat analytics should analyze system performance, sensitivity, trends, exception and alerts along two dimensions such as time and insights. The analysis on time dimension may be as follows: what is corrupted or compromised in the broadcasting system: agents, communication schema, data schema, application schema, computing schema and broadcast mechanism? what occurred? what is occuring? what will occur? Assess probability of occurrence and impact. The analysis on insights may be as follows : how and why did the threat occur? What is the output of cause-effect analysis? The analytics also recommends what is the next best action? It predicts what is the best or worst that can happen?

5. Applications It is an interesting option to explore the importance o location privacy in various applications. Let us look at following test cases. [Test Case 5.1 - Defense Surveillance] : Sensor networks are often deployed in critical defense applications where there is high risk of false data injection attack. The basic objectives of the adversaries are to inject false data into the network by compromising sensor nodes, deceive the base station of the smart grid or compromise the relaying nodes. Standard authentication mechanisms cannot prevent this attack if the adversary is able to compromise one or a small number of sensor or relay nodes. In figure 3, a set of sensor nodes are deployed at strategic critical locations for the surveillance of the opposing forces and monitor their activities such as supply chain management of ammunition plants, tank movements, ship arrivals or departures at ports. A base station is set up at a private site to control and collect data from the sensors. The sensors collect data and send to the base station through relays. The smart grid may be threatened by various attacks by the adversary such as physical destruction of sensor nodes, security attacks on the routing and data link protocols and resource consumption attacks to deplete the limited energy of the sensors. The adversary may compromise several sensor nodes and then use the compromised nodes to inject false data into the network. SIVA is effective to detect such type of insider attack.

Ships

Base station 2

Relays Base station 1 Sensors

Fig. 3: Smart Grid for Defense Application [ Test Case 5.2 - Location Privacy of Air & Vehicle Navigation System ] : The use of mobile phones, laptops, tablets and internets during flight is a very debatable issue. The passengers of an aircraft should not be allowed to use

Reference of document : Technical Report TR/ SIVA/ V1.0 DATED 15.08.2014

7

mobile or internet phones or use e-mail and online social networking services during flight. It affects path privacy of an air craft and position privacy and security of the internal environment of the aircraft seriously if the information is exchanged in real-time with external adversaries through mobile phone call, e-mail or social networking service. The same issue is applicable to GPS enabled vehicle navigation system. A malicious agent many monitor the movement and position of a car by compromising with location service provider and may exercise physical assaults on the mobile objects and agents. The privacy of the passengers will be at stake if CCTVs or cameras or sensors are fitted inside the toilet of an aircraft. The location of the sensors is very important so that it can take image of non-private zone of the toilet effectively. The sensors (i.e. smoke detectors) should be inaccessible by any entity. The problem should be tackled by laws, threats, punishments, public awareness and education system. The passengers should be given alert in advance regarding the threats on their privacy. The provision of GPS as vehicle navigation system is very important for monitoring logistics operations of surface, rail, water and air transport systems. But, it may increase the cost of luxury cars significantly. It is an interesting option to provide secure GPS service at low cost for a wide range of applications. [ Test Case 5.3 - Unmanned Aerial Vehicle (UAV) ] : Drones or Unmanned Aerial Vehicles (UAV) may be useful for periodic military surveillance and terrorism control at critical, risky, remote and dangerous zones to reduce the healthcare and logistical constraints of the defense workforce and also for the relief operations in case of natural and artificial disasters. UAVs should be fitted with sensors such as cameras for security surveillance. But, the flying of the same UAV in urban zone may violate the security and privacy issues of the innocent citizen. Let us recall the assassination of the geopolitical thriller film ‘Syriana’ : a guided bomb from a circling predator drone had a strike on the automobile car of Prince Nasir and his family killing them with high precision. An adversary or malicious agent may hack the routing plan of an UAV and may distribute dangerous explosives or poisonous creatures or chemical weapons (e.g. napam bomb) on the roof-top of the residential buildings in e-commerce, e-business or online retail trading. Wrong items may be distributed to the wrong people or there is chance of theft. A private UAV operator may help an adversary or malicious agent to take retaliation on a target entity. It may result collision of UAV with the aircrafts or helicopters. Different vehicles should fly at different altitudes through intelligent air traffic control system. There are also threats of different types of attacks on web enabled information system (e.g. transportation management system, air traffic control system and SCADA system). The loss of control on drones or UAV may result accidents. There is another threat of significant number of job losses in various business models. So, the UAVs should be operated with a cautious and rational approach, security protocols and with proper permission and approval mechanisms from authorized entities.

[ Test Case 5.4 - Shilling attack ]: Today’s mobile commerce is closely associated with advertising as a recommender system. The violation of location privacy may result various types of threats in terms of user profiling and unsolicited advertising and promotion. The disclosure of information on the location of the mobile objects may be exploited without their consent or approval for promotion and advertising in mobile commerce. There is risk of shilling attack in the form of push and nuke attacks where the rating of target items are increased and lowered intentionally. An m-commerce service can push a set of targeted items of poor quality and brand to the public through fraudulent adwords, rank lists, euphemism and attractive presentation of the popular brand ambassadors. Fraudulent advertisements may be broadcasted for fake interview calls in human resource management. Alternatively, a corrupted service may be involved in brand dilution through baseless, mischievous and false propaganda. But after the disclosure of the information on such types of malicious attacks, the recipients i.e. service consumers may lose their trust in digital marketing. It is essential to audit malicious business intelligence on payment function and transparency of payment mechanism associated with location based services. The basic objective of SIVA is to verify the security intelligence of a smart grid. This is applicable to the protection schema of sensor and mobile communication networks and SCADA system. This study can be extended in various ways. SIVA may focus on financial intelligence in terms of corrupted payment function mechanism. The payment function should be designed innovatively, fairly and rationally in terms of intelligent contract, pricing strategy, payment terms, incentives and penalty function. The payment function is negotiated through various ways such as choice of payment terms and mode, price change and price protection strategies. The malicious business intelligence is also associated with the flaws in communication protocol, delay in schedule, error in scheduling logic and exception handling error. It is essential to audit malicious business intelligence by verifying transparency and accountability of the payment mechanism and negotiated service plan from the perspectives of violation in contractual clauses among the agents, flaws in payment function computation or pricing algorithm, channel and package configuration and commitment. The business intelligence of the grid may be explored through innovative payment function, penalty function and pricing algorithms based on algorithmic game theory and secure multi-party computation. Innovative smart grid should be designed based on smart service oriented computing, networking, data, application and security schema. An adaptively secure smart grid is expected to be a resilient system. The resiliency measures the ability to and the speed at which the system can return to normal performance level following a disruption. The vulnerability of a smart grid to a disruptive event or threat should be viewed as a combination of likelihood of a disruption and its potential severity. It is essential to do two critical tasks: assess risks and mitigate the assessed risks. To assess risks, the security intelligence should be explored as what can go wrong in a smart grid? what is the probability of the disruption? how severe it will be? what are the consequences if the disruption occurs?

References 1. 2. 3. 4. 5.

M.Gertz and S.Jajodia (Editors). 2008. Handbook of database security applications and trends. Springer. P. McDaniel and S. McLaughlin. 2009. Security and Privacy Challenges in the Smart Grid. IEEE Security & Privacy. 75–77. M. Jawurek, F. Kerschbaum and G. Danezis. 2012. Privacy Technologies for Smart Grids - A Survey of Options. Technical Report MSR-TR-2012-119. Microsoft Research. A.R. Beresford and F. Stajano. 2003. Location privacy in pervasive computing. IEEE Pervasive Computing 2(1), 46– 55. C. Bettini, A.X.Wang and S.Jajodia. 2005. Protecting privacy against location-based personal identification. In: Proc. of the 2nd VLDB Workshop on Secure Data Management, LNCS 3674, Springer-Verlag.

Reference of document : Technical Report TR/ SIVA/ V1.0 DATED 15.08.2014

8

6. 7. 8. 9. 10.

11. 12.

13.

14.

15.

16.

17.

18. 19. 20. 21. 22. 23. 24. 25. 26. 27.

M. Gruteser and D.Grunwald. 2003. Anonymous usage of location-based services through spatial and temporal cloaking. In: Proc. of the 1st International Conference on Mobile Systems, Applications, and Services. M. Duckham and L. Kulik. 2005. A formal model of obfuscation and negotiation for location privacy. In: Proc. of the 3rd International Conference PERVASIVE 2005, Munich, Germany. V. Ciriani, S. De Capitani di Vimercati, S. Foresti and P.Samarati. 2007. K-Anonymity. In: Security in Decentralized Data Management. Springer. P. Samarati. 2001. Protecting respondents’ identities in microdata release. IEEE Transactions on Knowledge and Data Engineering 13(6), 1010–1027. C. Ardagna, M. Cremonini, E.Damiani, S. De Capitani di Vimercati and P. Samarati. 2006. : Supporting locationbased conditions in access control policies. In: Proc. of the ACM Symposium on Information, Computer and Communications Security (ASIACCS’06), Taipei, Taiwan. P. Bonatti and P. Samarati. 2002. A unified framework for regulating access and information release on the web. Journal of Computer Security 10(3), 241–272. N.Marsit, A. Hameurlain,Z. Mammeri and F. Morvan.2005. Query processing in mobile environments: a survey and open problems. In: Proc. of the 1st International Conference on Distributed Framework for Multimedia Applications (DFMA’05), Besancon, France. T. van der Horst, T. Sundelin, K. Seamons and C. Knutson. 2004. Mobile trust negotiation: Authentication and authorization in dynamic mobile networks. In: Proc. of the 8th IFIP Conference on Communications and Multimedia Security, Lake Windermere, England. B. Ho and M. Gruteser. 2005. Protecting location privacy through path confusion. In: Proc. of IEEE/ CreateNet International Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm), Athens, Greece. C. Ardagna, M. Cremonini, E. Damiani, S. De Capitani di Vimercati and P. Samarati. 2007. A middleware architecture for integrating privacy preferences and location accuracy. In: Proc. of the 22nd IFIP TC-11 International Information Security Conference (SEC 2007), Sandton, South Africa. C.Ardagna, M. Cremonini, E. Damiani, S. De Capitani di Vimercati and P. Samarati. 2007. Location privacy protection through obfuscation-based techniques. In : Proc. of the 21st Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Redondo Beach, CA, USA, July. V. Atluri and H. Shin. 2006. : Efficient enforcement of security policies based on tracking of mobile users. In: Proc. of the 20th Annual Working Conference on Data and Applications Security, Sophia Antipolis, France (July-August) 237– 251. V. Atluri. Mobile Commerce, in The Handbook of Computer Networks, Volume III Distributed Networks, Network Planning, Control, Management and Applications, Part 3: Computer Network Popular Applications, John Wiley & Sons. D. Chen, D. Z. Du, X. Hu, G. Lin, L. Wang, and G. Xue. 2000. Approximations for Steiner trees with minimum number of Steiner points. Journal of Global Optimization, 18(1): 17-33. X. Cheng, D. Du, L. Wang and B. Xu. 2008. Relay sensor placement in wireless sensor networks. Wireless Networks, 14(3):347 – 355. L. Errol and G. Xue. 2007. Relay node placement in wireless sensor networks. IEEE Transactions on Computers, 56(1):134-138, 2007.. W. Zhang, G. Xue and S. Misra. 2007. Fault-tolerant relay node placement in wireless sensor networks: Problems and algorithms. In Proc. 26th Conference on Computer Communications, INFOCOM 2007, 1649-1657. S.Chakraborty. A study of several privacy-preserving multi-party negotiation problems with applications to supply chain management. Fellow Progamme dissertation (unpublished), Indian Institute of Management Calcutta, 2007. S. Chakraborty, Digital defense : Verification of security intelligence. Technical report. 2012. J.Douceur. 2002. The sybil attack. Proceedings of Workshop on P2P systems (IPTPS). A.K.Pal, D. Nath and S. Chakraborty. 2010. A Discriminatory Rewarding Mechanism for Sybil Detection with Applications to Tor, WASET. Brazil. T. H. Cormen, C. E. Leiserson, R.L. Rivest and C. Stein. 2001. Introduction to Algorithms. The MIT Press, Cambridge, MA, 2nd edition, 2001.

Reference of document : Technical Report TR/ SIVA/ V1.0 DATED 15.08.2014

9