ai/iot/blockchain: enabling high integrity solutions … · –blockchain can be used to certify...
TRANSCRIPT
AI/IOT/BLOCKCHAIN: ENABLING HIGH INTEGRITY SOLUTIONS IN THE REAL WORLD
PHIL LAPLANTE, CSDP, PE, PHD
PROFESSOR OF SOFTWARE AND SYSTEMS ENGINEERING
PENN STATE
VISITING COMPUTER SCIENTIST
NIST
All images hold Creative Commons licenses (CC BY-SA 3.0) except where noted.
INTERNET OF THINGS (IOT)
2
‘This technology’ (IoT) employs a mixture of sensing, communication,
computation, actuation.
• IDC expects the worldwide market for IoT
solutions to grow at a 20% CAGR from $1.9 trillion
in 2013 to $7.1 trillion in 2020.
• By 2025, Internet of things applications could have
$11 trillion impact
• “By 2020, More Than Half of Major New Business
Processes and Systems Will Incorporate Some
Element of the Internet of Things” (Gartner Group)
ABSTRACT COMPONENTS OF AN IOT SYSTEM
Sensor -- measures physical properties such as temperature, acceleration,
weight, sound, location, presence, identity, etc.
Aggregator -- a software implementation based on mathematical function(s)
that transforms groups of raw data into intermediate, aggregated data.
Communication channel -- any medium by which data is transmitted.
eUtility – (external utility) a software or hardware product or service.
Decision trigger -- creates the final result(s) needed to satisfy the purpose,
specification, and requirements.
3
AI
Here
INTERNET OF THINGS (IOT)
4
Source: NIST SP 800-183
Can use simple if-
then logic through
complex machine
learning algorithms.
IOT SECURITY
• Security is a trust concern for all “things” in IoT systems.
• AI can be used to increase trust (e.g. by identifying fraudulent transmissions or nodes) and Blockchain
can help us understand why the AI made the decision it made by providing an “audit trail”.
• Data Integrity focuses
• Where is the cloud?
• Can the data be leaked from that location?
• Leased data can originate from anywhere and from vendors at the time of their choosing and with the
integrity of their choosing.
• “Visibility and discovery based on AI and Blockchain in IoT systems increases trust
• A basic goal may be to ensure that life-critical IoT devices adhere to sound standards for secure
development but estimating risk for such systems is likely to remain a challenge.
5
Source: NIST Trust Concerns white paper
IOT SECURITY
• No regulations on the security of IoT devices.
• No oversight on the licensing of IoT device manufacturers.
• No governing authorities evaluating the security of IoT devices.
• Compounded by the economics behind IoT:
• Low barriers to entry for device manufacturers
• Many different devices and models (standards?)
• Many different manufacturers
• Foreign and dubious sources
• New regulations pertaining to IoT may require Blockchain based protections certifying:
• Device manufacturing processes
• Testing and verification
• Chain of custody
• More6
EXAMPLE SECURITY VULNERABILITIES
• Sensor: In a smart building, an attacker substitutes the firmware in a sensor with one that responds to remote
commands. These sensors then become part of a botnet and can contribute to distributed denial-of-service (DDoS)
attacks.
• Aggregator: An attacker introduces a rogue sensor into a network that produces fake readings. These readings are
passed as inputs to the aggregator function without any validation. The attacker launches a buffer overflow attack to
gain root access to the entire middleware infrastructure (gateway).
• Communication channel: A wearable activity tracker is attached to a person’s wrist and measures heart rate and
blood pressure. It communicates via Bluetooth Low Energy (BLE) with the wearer’s smartphone and forwards the data
to a physician. Despite the fact that BLE takes specific actions to randomize the MAC address of the devices, the
manufacturer neglected this feature. An attacker with a high-gain antenna can track the presence of the wearer in a
crowd and create a movement profile.
• eUtility: A ‘smart home’ has a security camera installed at the front door that sends data to a corresponding cloud
application that then forwards notifications and video footage to the homeowner’s device after motion at the door is
detected. An attacker conducts a DDoS attacks on the application provider’s servers for two hours. They’re able to
break into the house without the user being notified. This is an example of a DDoS attack.
• Decision trigger: The decision trigger implementation accepts malicious inputs or potentially the outputs from the
trigger are sniffed and released to competitors unbeknownst to the legitimate owner of the trigger. 7
Source: NIST Trust Concerns white paper
IOT & CRITICAL INFRASTRUCTURE
• IoT attacks can cripple critical infrastructures and high-value services
8
May require
Blockchain
based
protections and
auditing
Increase use of
AI used for
anomaly /
exception
detection
OTHER FACTORS FOR AN IOT
• Environment – The operational profile.
• E.g. weather profiles for an aircraft operates in or a particular factory setting.
• Cost – Financial, opportunity, security risks.
• Geographic location – this can change as items move from place to place.
• Owner – Person or Organization that owns a particular sensor, communication.
• Snapshot – a timestamp that may be tampered with
9
Source: NIST SP 800-183
“IoT systems need to combine real-
time analyses (AI) with machine-to-
machine, machine-to-infrastructure,
and user-to-machine communications
so that they can adapt continually to
changing circumstances.” Daniels et al
BLOCKCHAIN (REVIEW)
• Blockchains are comprised of blocks, each block being a group of transactions.
• Each transaction involves one or more addresses and a recording of what happened, and it is digitally signed.
• All the transactions in a block are grouped together, along with a cryptographic hash of the previous block.
• Finally, a new hash is created for the current block’s header to be recorded within the block data itself as well
as within the next block.
• Over time, each block is then chained to the previous block in the chain by adding the hash of the previous
block to the header of the current block.
• Each technology used in a blockchain system takes existing, proven concepts and merges them together in a
way that can address problems that were previously difficult.
10
Source: NISTIR 8202
Blockchain with Merkle Tree
BLOCKCHAIN (REVIEW)
• Blockchain: “enables developers to create markets, store registries of debts or promises, move
funds in accordance with instructions given long in the past (like a will or a futures contract) and
many other things that have not been invented yet, all without a middleman or counterparty
risk.” [Ethereum]
• Smart contract –software which is deployed on the Blockchain itself, and can be
executed on each computer with access.
11
Public Blockchain – where anyone with the tools to
access the ledger can do so using public and private
keys (e.g. Bitcoin)
Private Blockchain -- where the Blockchain is used
with an entity or consortium but authority is
invested in a single entity (e.g. Ripple)
Federated Blockchain or Consortium – where the
Blockchain is shared by a trusted group and they all
share in the authority of the Blockchain (e.g. R3)
CONSENSUS MODELING
• Determining if a new addition to the ledger is legitimate.
• Proof of work -- a mining node obtains the right to publish the next block via solution of a
cryptographic puzzle. Miners receive rewards.
• Proof of stake -- locking an amount of cryptocurrency into the blockchain system(staking).
Participants with more stake in the system are more likely to want it to succeed and to not be
subverted, which gives them more weight during consensus.
• Pseudorandom -- for private blockchains. Nodes are pseudorandomly selected to create blocks, but a
node must wait several block creation cycles before being chosen again.
• Ensures that no one participant creates the majority of the blocks, and it benefits from a straightforward
approach, lacking cryptographic puzzles, and having low power requirements.12
Ref: NISTIR 8202
Example PoW:
Let b be the block the miner wants to append to the
ledger, H() a cryptographic has function and “+”
represent the concatenation of binary string function.
The puzzle is to find a value c such that H(b+c) < D
where D is a difficulty setting (a lower D is more
difficult).
Because H is difficult to invert, there is no way to find c
substantially more efficiently than an exhaustive search.
Byzantine Agreement – Uses consensus
voting.
Various algorithms provide different
protection. E.g. classic algorithm can protect
m untrustworthy devices if there are 2m + 1
trustworthy devices and m + 1 rounds of
information exchange
BLOCKCHAIN AT THE EDGE
• Lightweight nodes do not need to store full copies of the blockchain and often pass their data on to full
nodes to be processed.
• Lightweight nodes are generally found on smartphones and IoT devices
• with limited computational and/or storage capability.
• Any node may propose new transactions. Proposed transactions are propagated between nodes until
they are eventually added to a block.
• A simpler data structure (“The Tangle”) is required for the Blockchain
• The transactions can be thought of as vertices of a Directed Acyclic Graph (DAG), with arrows representing
approvals.
• When someone decides to issue a new transaction, must choose two existing transactions, and “attach” the new
one to them.
13
Miners must do expensive
computations and store the
entire Blockchain (e.g. Bitcoin’s is
about 158GB).
IOTA
• A “block less Blockchain” cryptocurrency for IoT
• offers “zero transaction costs” and potential for indefinite scalability and offline transactions
• uses a tangle structure
• Uses quantum-resistant signature schemes
• important because in IoT environment there will be devices that should work for years unattended
• must protect against possible future advances in cryptography and computing
• IOTA network relies on a transaction finality device (the “Coordinator”) which is maintained by
the IOTA Foundation;
• digitally signs each transaction
• ongoing research on designing a safe Coordinator-free network
14
Source: www.iota.org
TRUST PROBLEMS FOR BLOCKCHAIN TECHNOLOGIES
• Blockchain Control – no one controls with whom and when you can perform transactions, within the rules of the
blockchain system.
• Malicious Users – Blockchains can perform hard forks to combat them.
• Whether financial loses can be reversed is up to the particular Blockchain community.
• No Trust – no third party certifications (yet).
• Resource Usage –Lots of storage and network bandwidth burden.
• Transfer of Burden of Credential Storage to Users – Since blockchains are not centralized, there is no
intrinsic central place for user key management.
• Users must manage their own private keys.
• There is no “forgot my password” or “recover my account” feature for blockchain systems.
• Centralized management solutions can be put into place, but they create central points of failure.
• Private/Public Key Infrastructure and Identity – typical blockchain implementations are not designed to serve
as standalone identity management systems.
• There is more to having secure digital identities than simply implementing a blockchain.
15
Source: NISTIR 8202
Miners must do expensive computations and
store the entire blockchain (e.g. Bitcoin’s
blockchain is around 158GB)
IOT/BLOCKCHAIN/AI STANDARDS
16
• IEEE Standard 2418.4 Standard for the Framework of Distributed Ledger Technology DLT)• IEEE P825, Guide for Interoperability of Transactive Energy Systems with Electric Power
Infrastructure (Building the Enabling Network for Distributed Energy Resources)• IEEE P2418.1, Standard for the Framework of Blockchain Use in IoT Industry Connections• IC17-002-01, Digital Inclusion through Trust and Agency (DITA)• IC17-012-01, Supply Chain & Trials Standardized Technology and Implementation• IC17-017-01, Blockchain Asset Exchange• Hyperledger etc. from the Linux foundation and supported by companies like IBM and Intel.• More…
• IEEE lists more than 200 standards related to IoT• Standards also exist for ethical considerations of autonomous systems, use of personal data,
etc. • AI Standards https://www.iso.org/committee/6794475.html
• Standards confusion, harmonization, blending (show screenshot of paper with Jeff)
BLOCKCHAIN APPLICATIONS FOR IOT
Sensor – Regulations could require Blockchain based auditing to certify the chain of custody of sensors and
other devices from manufacturing through delivery and installation.
Aggregator – as decision makers are AI. Blockchain auditing could be used to certify the decision making.
Communication channel – Blockchain can be used to certify the “chain of custody” of data.
eUtility – Blockchain can be used to credential the eUtility and certify qualities of the byproducts of these
and/or the functioning of the eUtility itself.
Decision trigger – as a decision maker this is an AI function in the IoT. Blockchain auditing could be used to
certify the decision making.
17
AI AND BLOCKCHAIN
• AI is essentially pattern matching and/or decision making
• AI and encryption work very well together
• e.g. using neural networks and evolutionary computing
• Blockchain → track, understand and explain decisions made by AI
• E.g. identifying fraudulent financial transactions or counterfeit IoT devices
• AI can manage blockchains efficiently
• E.g. in more efficient/adaptive consensus algorithms
• Blockchains could be used to manage certificates of authority for AI algorithms
18
Source: Marr
• Supervised learning: Using training
data to make decision
• Unsupervised learning: seeking
unknown patterns from data
AI/IOT/BLOCKCHAIN – FUTURE
• IoT devices integrated with robotic process automation (RPA) allow secure
robust communication among sensors, actuators, and power sources.
• AI is being deployed on wide ranging systems from quantum computers to edge
devices.
• Systems are becoming more responsive in thinking, perceiving, and acting within
time performance constraints.
• Designers are more confident in applying multiple technology advancements to
solve volatile, uncertain, complex, and ambiguous challenges.
19
Source: Daniels, et al
Source: NIST
USE CASE 1 : MEDICAL RECORDS AND DEVICES CONNECTED INSTRUMENTATION AND DEVICES
• Private Blockchain in Public Cloud
• Handheld /implanted devices transmit/receive biometric information
• transmit to the Blockchain
• smart contracts possible for certain applications
• Medical records and personal information updated and secured via Blockchain
• auditing function protects against spoofing and malware injection
• Some issues with EMI at clinical sites
• Many issues with standards compliance
20
USE CASE 2 : LIMITED SHELF-LIFE LOGISTICS
• Supply chain tracking of a spilable product (e.g. cheese).
• Private blockchain ledger.
• Third party cloud storage to holds ledger.
• IoT temperature devices for each cheese container.
• Implements a Byzantine fault-tolerant consensus protocol to insure temperature data is not tampered with.
• At regular intervals sensors reach consensus on temperature of cheese container. This temp is recorded and timestamped
and hashed with prior record in the Blockchain ledger and stored in the cloud.
• Any attempts to alter temperature record will be detected.
• Cheese container thus is transferred from origin to destination with an immutable record of temperature along the way –
guaranteeing the cheese is fresh.
• Can be used for any spoilable product (e.g. produce, meat, fish, even organ donations – National Kidney Registry).
21
Walmart and IBM Food Safety
Alliance to improve traceability and
safety
USE CASE 3: IOT FINANCIAL TRANSACTIONS
• Connected payment systems, vending machines, toll booths bar code scanners
• Blockchain can process large volumes of data
• users can track data, including the data source and valid timestamp
• Useful for a wide variety of transactions
• exchange of confidential business documents,
• confirmation of orders
• tracking of shipping documents or orders
• Smart Contracts can be used for automated execution of payments
• triggered by in-quality measures
• on-time delivery 22
Bajaj Electricals (India) uses a
blockchain-based vendor
financing solution (Yes Bank)
for supplier payment.
USE CASE 4 : AUTOMOTIVE
• Private Blockchain, public cloud
• Fleet tracking and management
• already being used by insurance companies to set premiums based driver behavior, rather than driving
history.
• Blockchain ensures that the data is collected and delivered is true.
• Tolling and traffic control (already happening)
• Can insure the security of in-car payments for movies, apps, and other services
23
State Farm is developing
Blockchain-based solution
to speed up the
subrogation processes.
USE CASE 5 : GAMBLING
• Private Blockchain
• Public cloud
• Connected
• slot/game machines
• ATMs
• vending machines
• room keys (for validating ID)
• Sports betting?
24
Smart contracts can be used for
payment upon validation of
winning situation, proof of
identity, etc.
Dapp.com says the majority of dApps
being deployed on Ethereum are
related to the gaming and betting
industries.
During the third quarter of 2018, 110
out of 244 dApps released
on Ethereum were related to the
gambling industry.
USE CASE 6 : BUILDING MANAGEMENT
• Home, commercial, public
• Private Blockchain/public or private clouds
• access control, HVAC, security, entertainment
• Blockchain protects against
• malware injection
• invasion of privacy (unauthorized access)
• alteration of records
• turning site into botnet for DDOS
• etc.
• Lots of commercial components available
• https://www.nccoe.nist.gov/projects/building-blocks/iot-sensor-security
25
SUMMARY
26
AIIoT
BlockchainConsensus
algorithms,
Blockchain
supervision of
AI
Sensor data fusion,
error detection and
correction, fraud
detection
Trusted
cyberphysical
systems
Protecting
data moving
through an
IoT
THANKS
• Tareq Ahram, University of Central Florida
• Ben Amaba, IBM
• Irena Bojanova, NIST
• Jeff Daniels, University of Maryland
• Rick Kuhn, NIST
• Arman Sargolzaei, Florida Polytechnic University
• Saman Sargolzaei, UCLA
• Jeff Voas, NIST
• Tom Costello, UpStreme
27
ADDITIONAL REFERENCE INFORMATION• Jianwen Chen, et al. "An AI Based Super Nodes Selection Algorithm in BlockChain Networks." arXiv preprint arXiv:1808.00216 (2018).
• Jeff Daniels, Saman Sargolzaei, Arman Sargolzaei, Tareq Ahram, Phillip A. Laplante, Ben Amaba, "The Internet of Things, Artificial Intelligence,
Blockchain, and Professionalism," IT Professional, Nov./Dec., 2018, pp. 15-19.
• Maurice Herlihy, "Blockchains and the future of distributed computing," Proceedings of the ACM Symposium on Principles of Distributed
Computing, pp. 155-155. ACM, 2017.
• Laplante, P. A. and N. L. Laplante, "The Internet of Things in Healthcare: Potential Applications and Challenges," IT Professional, May/June 2016, pp.
2-4.
• B. Marr, “Artificial intelligence and blockchain: 3 major benefits of combining these two mega-trends,” Forbes, Mar. 2018.
• Jeffrey Voas, “Networks of ‘Things’”, NIST SP 800-183, July 2016.
• Jeffrey Voas, Bill Agresti and Phillip A. Laplante, "A Closer Look at IoT's 'Things'," IT Professional, No. 18, May/June 2018, pp. 6-10.
• Jeffrey Voas, Rick Kuhn and Phillip A. Laplante, "IoT Metrology," IT Professional, No. 18, May/June 2018, pp. 11-14.
• Jeffrey Voas and Phillip A. Laplante, "IoT's Certification Quagmire," Computer, vol. 51, no. 4, 2018, pp. 86-89.
• Jeffery Voas, Rick Kuhn, Phillip Laplante, Sophia Applebaum, NIST White Paper, Internet of Things (IoT) Trust Concerns, October, 2018.
• Dylan Yaga, Peter Mell, Nik Roby, Karen Scarfone, NISTIR 8202, Blockchain Technology Overview (Draft), January, 2018. 29