Secure Dependable Stream Data Management Vana Kalogeraki (UC Riverside) Dimitrios Gunopulos (UC Riverside) Ravi Sandhu (UT San Antonio) Bhavani Thuraisingham (UT Dallas) May 2008

Upload: benjamin-butler

Post on 26-Mar-2015


Secure Dependable Stream Data Management

Vana Kalogeraki (UC Riverside)

Dimitrios Gunopulos (UC Riverside)

Ravi Sandhu (UT San Antonio)

Bhavani Thuraisingham (UT Dallas)

May 2008


Outline

Dependable Information Management

- Integrating Real-time and Security Policies

Secure Real-Time TMO

- Apply RBAC and UCON models

Stream Data/Information Management

- Overview, Data Manager, Security Policy, Directions

QoS-based Stream Execution Model


Dependable Sensor Information Management

Dependable sensor information management includes

- secure sensor information management

- fault tolerant sensor information

- High integrity and high assurance computing

- Real-time computing

Conflicts between different features

- Security, Integrity, Fault Tolerance, Real-time Processing

- E.g., A process may miss real-time deadlines when access control checks are made

- Trade-offs between real-time processing and security

- Need flexible security policies; real-time processing may be critical during a mission while security may be critical during non-operational times


Secure Dependable Information Management Example: Next Generation AWACS

[Figure: Next Generation AWACS architecture. Labels: Hardware (Display Processor & Refresh Channels, Consoles (14), Navigation, Sensors, Data Links); Real-time Operating System; Infrastructure Services; Data Mgmt.; Data Xchg.; MSI App; Future Apps; Data Analysis Programming Group (DAPG); Multi-Sensor Tracks; Sensor Detections; "Technology provided by the project".]

• Security being considered after the system has been designed and prototypes implemented

• Challenge: Integrating real-time processing, security and fault tolerance


Secure Dependable Information Management: Directions

Challenge: How does a system ensure integrity, security, fault tolerant processing, and still meet timing constraints?

Develop flexible security policies; when is it more important to ensure real-time processing, and when to ensure security?

Secure dependable models and architectures for the policies; Examine real-time algorithms – e.g., query and transaction processing

Research for databases as well as for applications; what assumptions do we need to make about operating systems, networks and middleware?

Developing dependable sensor objects


RBAC (Sandhu et al) and ABAC (Network Centric Enterprise Services)

RBAC

- Access to information sources including structured and unstructured data both within the organization and external to the organization

- Access based on roles

- Hierarchy of roles: handling conflicts

- Controlled dissemination and sharing of the data

ABAC (Attribute based access control)

- User presents credentials

- Depending on the user credentials user is granted access

- Suitable for open web environments


UCON (Sandhu et al)

RBAC model is incorporated into UCON and useful for various applications

- Authorization component

Obligations

- Obligations are actions required to be performed before an access is permitted

- Obligations can be used to determine whether an expensive knowledge search is required

Attribute Mutability

- Used to control the scope of the knowledge search

Condition

- Can be used for resource usage policies to be relaxed or tightened


UCON (Sandhu et al)


TMO (Kane Kim et al)

[Figure: TMO model, showing a TMO object. Labels: Object Data Store (ODS) with segments ODSS1 and ODSS2; Lock/Condition/CREW for Concurrent Access; Time-triggered (TT) Spontaneous Methods (SpMs) SpM1 and SpM2, each with an AAC (Autonomous Activation Condition); Deadlines; Message-triggered (MT) Service Methods (SvMs) SvM1 and SvM2; Concurrency Control; Service Request Queue; Remote TMO Clients; EAC: capability for accessing other TMOs and network environment including logical multicast channels and I/O devices.]


Access Control mechanisms

- Role Based Access Control (RBAC) model

Users (TMO objects) are associated with roles

Roles are associated with permissions (Write, Read, Execution, All)

A user has permission only if the user has an authorized role which is associated with that permission

- Inadequate for distributed real-time system

Server side centralized model

Need constraints on temporal behaviors of spontaneous methods in TMO

RT-RBAC (Jungin Kim and Thuraisingham)


RT-UCON (Jungin Kim and Thuraisingham)

Basic authorization components for access control in TMO

• Continuity: dynamic and seamless constraints

• Mutability: control the scope of access

• Conditions: control the amount of access, access time

• Obligations: pre-conditions for determining access decisions

Adequate for distributed real-time system

• Space and Time domain; Server and Client side control; Dynamic and Flexible

Implemented access control through a separate object

Checks access rights, maintains access policies in the system

• ODS: stores static and dynamic access policies

• SpM: controls access policies in ODS

• SvM: handles access decision requests
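
A sketch of the separate access-control object described above, added here as an illustration and not taken from the slides or from the RT-UCON implementation. The class, field and method names are hypothetical, and so is the mapping of conditions to a time window and a use count, of mutability to a counter updated on each access, and of continuity to a re-check of an ongoing access.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:                 # one ODS entry (fields are assumptions)
    role: str                 # authorization: role that carries the right
    right: str                # "Read", "Write" or "Execution"
    window: tuple             # condition on access time: [start, end)
    max_uses: int             # condition on amount of access
    obligation: str = ""      # pre-condition to fulfil before access

@dataclass
class AccessControlObject:    # hypothetical separate access-control object
    ods: dict = field(default_factory=dict)   # policies per (subject, object)
    uses: dict = field(default_factory=dict)  # mutable attribute: uses so far
    done: set = field(default_factory=set)    # obligations already fulfilled

    def spm_update(self, subject, obj, policy):
        """SpM: maintains policies in the ODS (time-triggered in a TMO)."""
        self.ods[(subject, obj)] = policy

    def fulfil(self, subject, obligation):
        self.done.add((subject, obligation))

    def _authorized(self, subject, roles, obj, right, now):
        p = self.ods.get((subject, obj))
        ok = p is not None and p.right == right and p.role in roles
        return p, ok, ok and p.window[0] <= now < p.window[1]

    def svm_decide(self, subject, roles, obj, right, now):
        """SvM: handles one access decision request at time `now`."""
        p, role_ok, time_ok = self._authorized(subject, roles, obj, right, now)
        if not role_ok:
            return "deny:authorization"
        if p.obligation and (subject, p.obligation) not in self.done:
            return "deny:obligation"
        if not time_ok:
            return "deny:condition-time"
        used = self.uses.get((subject, obj), 0)
        if used >= p.max_uses:
            return "deny:condition-amount"
        self.uses[(subject, obj)] = used + 1   # mutability: update on access
        return "permit"

    def still_valid(self, subject, roles, obj, right, now):
        """Continuity: re-check an ongoing access against current policy."""
        return self._authorized(subject, roles, obj, right, now)[2]
```

Because the decision reads the ODS on every request, a policy change made through `spm_update` takes effect on the next `svm_decide` or `still_valid` call without restarting the client.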


Secure CAMIN (Jungin Kim and Thuraisingham)

Mission: Defend target objects both in the sea and on the land from the hostile objects in the sky

Access control checks policies and security levels

Some malicious objects are added


Secure Sensor/Stream Information Management

Sensor network consists of a collection of autonomous and interconnected sensors that continuously sense and store information about some local phenomena

- May be employed in battle fields, seismic zones, pavements

Data streams emanate from sensors; for geospatial applications these data streams could contain continuous data of maps, images, etc. Data has to be fused and aggregated

Continuous queries are posed, responses analyzed possibly in real-time, some streams discarded while rest may be stored

Recent developments in sensor information management include sensor database systems, sensor data mining, distributed data management, layered architectures for sensor nets, storage methods, data fusion and aggregation

Secure sensor data/information management has received very little attention; need a research agenda


Secure Sensor/Stream Information Management: Data Manager

[Figure: Sensor Data Manager over Stable Sensor Data Storage, shown twice. Update Processor: processes input data, carries out action, stores some data in stable storage, throws away transient data. Query Processor: processes continuous queries and gives responses periodically. In the second version each processor also checks access control rules and constraints. Flows: Input Data, Transient Data, Data to and from Stable Storage, Continuous Query, Response.]


Policy Specification and Enforcement: Elena Ferrari and Barbara Carminati et al

Example: Aurora Stream Model developed by Stonebraker et al

Model Operators

- Filter: Select on streams based on predicates; result is a sequence of streams

- Map: Project onto attributes by applying certain functions

- Aggregate: Aggregate/fuse streams

Secure Model Operators

- Secure Filter: Form of secure selection where access to resulting streams is controlled

- Secure Map: Access to resulting attributes is controlled

- Secure Aggregation: Access to resulting stream is controlled

- Access to original streams is controlled but not to the results
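
The three secure operators, sketched as an added example that is not from the slides and not Aurora code. The policy layout, role names, sample tuples and the `min_group` threshold on aggregates are all assumptions made for illustration; each operator checks the requesting role against the result it is about to release.

```python
# Constructed sample stream: each tuple is a dict of sensor attributes.
STREAM = [
    {"sensor": "s1", "region": "north", "temp": 20, "pos": (1, 2)},
    {"sensor": "s2", "region": "south", "temp": 30, "pos": (5, 6)},
    {"sensor": "s3", "region": "north", "temp": 40, "pos": (7, 8)},
]

# Hypothetical policy: per role, which result tuples, attributes and
# aggregates may be released.
POLICY = {
    "analyst": {"rows": lambda t: t["region"] == "north",
                "attrs": {"sensor", "region", "temp"},
                "aggregates": {("avg", "temp")}},
    "operator": {"rows": lambda t: True,
                 "attrs": {"sensor", "region"},
                 "aggregates": set()},
}

def secure_filter(stream, pred, role):
    """Filter, then keep only result tuples the role is authorised to see."""
    allowed = POLICY[role]["rows"]
    return [t for t in stream if pred(t) and allowed(t)]

def secure_map(stream, attrs, role):
    """Project onto requested attributes; unreadable attributes are dropped."""
    visible = set(attrs) & POLICY[role]["attrs"]
    return [{a: t[a] for a in attrs if a in visible} for t in stream]

def secure_aggregate(stream, func, attr, role, min_group=2):
    """Release an aggregate only if the policy names it and the group is
    large enough that the value does not expose one sensor's reading."""
    if (func, attr) not in POLICY[role]["aggregates"] or len(stream) < min_group:
        return None
    values = [t[attr] for t in stream]
    return {"avg": sum(values) / len(values), "max": max(values)}[func]
```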


Secure Sensor/Stream Information Management: Inference/Aggregation Control

[Figure: Sensor Data Manager with inference/aggregation control, over Stable Sensor Data Storage (Data to and from Stable Storage). Update Processor: processes constraints and enters sensor data at the appropriate levels. Query Processor: processes constraints during query operation and prevents certain information from being retrieved. Security Manager: manages constraints. Inference Controller: controls aggregation.]


Secure Sensor/Stream Information Management: Security Policy Integration (MURI Project)

[Figure: security policy integration. Data side: Component Data Systems for Agency A, Agency B and Agency C, each with a Privacy Controller and an Export Engine; Federated Data Management; Federated Privacy Controller. Policy side: Generic Policy for A, B and C; Component Policy for Sensor A, Sensor B and Sensor C; Export Policy for each; Integrated Policy for the Sensor Network; Additional security constraints for Inference Control.]


Real-time Knowledge Discovery (RT-KDD)

How does a data mining technique meet the timing constraint?

- E.g., if an association rule mining algorithm has a 5 minutes constraint, then should it output as many rules as possible within 5 minutes?

- How does this affect the accuracy of the results?

- Will there be an increase in false positives and negatives?

Approximate data mining

- Are there techniques analogous to techniques in approximate query processing?

- Are incomplete results better than no results?

What are the applications for RT-KDD?

- Give the results to the first responder/law enforcement official in 5 minutes so that he can take appropriate actions

Secure RT-KDD?


Secure Sensor/Stream Information Management: Directions

Individual sensors may be compromised and attacked; need techniques for detecting, managing and recovering from such attacks

Aggregated sensor data may be sensitive; need secure storage sites for aggregated data; variation of the inference and aggregation problem?

Security has to be incorporated into sensor database management

- Policies, models, architectures, queries, etc.

Evaluate costs for incorporating security especially when the sensor data has to be fused, aggregated and perhaps mined in real-time

Data may be emanating from sensors and other devices at multiple locations

- Data may pertain to individuals (e.g. video information, images, surveillance information, etc.); Data may be mined to extract useful information; Need to maintain privacy


Secure Stream based Execution Model: Integrate Kalogeraki stream model with UCON

QoS based Infrastructure support for hosting stream based applications

Component Discovery

- Data summarization and dissemination to propagate components and resource information to the appropriate nodes

- Bloom filter data structure based techniques

QoS aware composition

- For each application request the user specifies the data source, application graph (describing the application components and their invocations) and real-time requirements

Apply UCON model as the basis for security

- Integrate concepts from RT-UCON with stream based policies

Our approach: Specify security policies and prove that the resulting system is secure