Secure Dependable Stream Data Management
Vana Kalogeraki (UC Riverside)
Dimitrios Gunopulos (UC Riverside)
Ravi Sandhu (UT San Antonio)
Bhavani Thuraisingham (UT Dallas)
May 2008
Outline
Dependable Information Management
- Integrating Real-time and Security Policies Secure Real-Time TMO
- Apply RBAC and UCON models Stream Data/Information Management
- Overview, Data Manager, Security Policy, Directions QoS-based Stream Execution Model
Dependable Sensor Information Management Dependable sensor information management includes
- secure sensor information management
- fault tolerant sensor information
- High integrity and high assurance computing
- Real-time computing Conflicts between different features
- Security, Integrity, Fault Tolerance, Real-time Processing
- E.g., A process may miss real-time deadlines when access control checks are made
- Trade-offs between real-time processing and security
- Need flexible security policies; real-time processing may be critical during a mission while security may be critical during non-operational times
Secure Dependable Information Management Example: Next Generation AWACS
Technology
provided by
the project
Technology
provided by
the project
Hardware
Display Processor
&Refresh
Channels
Consoles(14)
Navigation
Sensors
Data LinksData Analysis Programming
Group (DAPG)
FutureApp
FutureApp
FutureApp
Multi-SensorTracks
SensorDetections
MSIApp
DataMgmt. Data
Xchg.
Infrastructure Services
•Security being considered after the system has been designed and prototypes implemented
•Challenge: Integrating real-time processing, security and fault tolerance
Real-time Operating System
Secure Dependable Information Management: Directions
Challenge: How does a system ensure integrity, security, fault tolerant processing, and still meet timing constraints?
Develop flexible security policies; when is it more important to ensure real-time processing and ensure security?
Secure dependable models and architectures for the policies; Examine real-time algorithms – e.g., query and transaction processing
Research for databases as well as for applications; what assumptions do we need to make about operating systems, networks and middleware?
Developing dependable sensor objects
RBAC (Sandhu et al) and ABAC (Network Centric Enterprise Services)
RBAC
- Access to information sources including structured and unstructured data both within the organization and external to the organization
- Access based on roles
- Hierarchy of roles: handling conflicts
- Controlled dissemination and sharing of the data ABAC (Attribute based access control)
- User presents credentials
- Depending on the user credentials user is granted access
- Suitable for open web environments
UCON (Sandhu et al) RBAC model is incorporated into UCON and useful for
various applications
- Authorization component Obligations
- Obligations are actions required to be performed before an access is permitted
- Obligations can be used to determine whether an expensive knowledge search is required
Attribute Mutability
- Used to control the scope of the knowledge search Condition
- Can be used for resource usage policies to be relaxed or tightened
UCON (Sandhu et al))
TMO (Kane Kim et al)
TMO model
A TMO object
ODSS1 ODSS2
Object Data Store (ODS)
SpM1
Deadlines
AAC
SpM2AAC
SvM1
ConcurrencyControl
SvM2
AAC: Autonomous Activation Condition
ServiceRequestQueue
RemoteTMOClients
Lock/Condition/CREW for Concurrent AccessTime-triggered(TT) Spontaneous Methods(SpMs)
Message-triggered(MT) Service Methods(SvMs)
EAC
Capability for accessing other TMOs and network environment including logical multicast channels and I/O devices
Access Control mechanisms
- Role Based Access Control (RBAC) model
Users (TMO objects) are associated with roles
Roles are associated with permissions (Write, Read, Execution, All)
A user has permission only if the user has an authorized role which is associated with that permission
- Inadequate for distributed real-time system
Server side centralized model
Need constraints on temporal behaviors of spontaneous methods in TMO
RT-RBAC (Jungin Kim and Thuraisingham)
RT-UCON (Jungin Kim and Thuraisingham)
Basic authorization components for access control in TMO
• Continuity: dynamic and seamless constraints
• Mutability: control the scope of access
• Conditions: control the amount of access, access time
• Obligations: pre-conditions for determining access decisions
Adequate for distributed real-time system
• Space and Time domain; Server and Client side control; Dynamic and Flexible
Implemented access control through a separated object
Checks access right, maintain access policies in the system
• ODS: stores static and dynamic access policies
• SpM: controls access policies in ODS
• SvM: handles access decision requests
Secure CAMIN (Jungin Kim and Thuraisingham)
Mission: Defend target objects both in the sea and on the land from the hostile objects in the sky
Access control checks policies and security levels Some malicious objects are added
Secure Sensor/Stream Information Management Sensor network consists of a collection of autonomous and
interconnected sensors that continuously sense and store information about some local phenomena
- May be employed in battle fields, seismic zones, pavements Data streams emanate from sensors; for geospatial applications
these data streams could contain continuous data of maps, images, etc. Data has to be fused and aggregated
Continuous queries are posed, responses analyzed possibly in real-time, some streams discarded while rest may be stored
Recent developments in sensor information management include sensor database systems, sensor data mining, distributed data management, layered architectures for sensor nets, storage methods, data fusion and aggregation
Secure sensor data/information management has received very little attention; need a research agenda
Secure Sensor/Stream Information Management: Data Manager
Stable Sensor Data Storage
Sensor Data Manager
Update ProcessorProcesses input data, Carries out action, Stores some data in stable storage, Throws away transient data
Query ProcessorProcesses continuous queries and gives responses periodically
Input Data Transient Data
Data to and from Stable Storage
Continuous QueryResponse
Stable Sensor Data Storage
Sensor Data Manager
Update ProcessorProcesses input data, Carries out action, Stores some data in stable storage, Throws away transient data;Checks access control rulesand constraints
Query ProcessorProcesses continuous queries and gives responses periodically;.Checks access control rulesand constraints
Input Data Transient Data
Data to and from Stable Storage
Continuous QueryResponse
Policy Specification and Enforcement: Elena Ferrari and Barbara Carminati et al
Example: Aurora Stream Model develop by Stonebraker et al Model Operators
- Filter: Select on streams based on predicates; results is a sequence of streams
- Map: Project onto attributes by applying certain functions
- Aggregate: Aggregate/fuse streams Secure Model Operators
- Secure Filter: Form of secure selection where access to resulting streams are controlled
- Secure Map: Access to resulting attributes are controlled
- Secure Aggregation: Access to resulting stream is controlled
- Access to original streams are controlled but not to the results
Secure Sensor/Stream Information Management: Inference/Aggregation Control
Stable Sensor Data Storage
Sensor Data Manager
Data to and from Stable Storage
Stable Sensor Data Storage
Update Processor
Data to and from Stable Storage
Query Processor
Security Manager
Inference ControllerInference Controller
Stable Sensor Data Storage
Sensor Data Manager
Data to and from Stable Storage
Stable Sensor Data Storage
Update Processor:Processes constraintsand enters sensor data at the appropriate levels
Data to and from Stable Storage
Query Processor:Processes constraints during query operation and prevent certain information from being retrieved
Security Manager:Managesconstraints
Inference Controller
Inference Controller:Controls aggregation
Secure Sensor/Stream Information Management:Security Policy Integration (MURI Project)
ExportEngine
Component Data System for Agency A
Federated Data Management
ExportEngine
ComponentData SystemFor Agency C
ComponentData Systemfor Agency B
ExportEngine
Federated Privacy Controller
Privacy Controller
Privacy Controller
Privacy Controller
ExportPolicy
Component Policy
for Sensor A
Integrated Policy for the Sensor Network
ExportPolicy
ComponentPolicy
for Sensor CComponent
Policyfor Sensor B
ExportPolicy
GenericPolicy for A
GenericPolicy for B
Generic Policy for C
Additional security constraints for Inference Control
ExportEngine
Component Data System for Agency A
Federated Data Management
ExportEngine
ComponentData SystemFor Agency C
ComponentData Systemfor Agency B
ExportEngine
Federated Privacy Controller
Privacy Controller
Privacy Controller
Privacy Controller
ExportPolicy
Component Policy
for Sensor A
Integrated Policy for the Sensor Network
ExportPolicy
ComponentPolicy
for Sensor CComponent
Policyfor Sensor B
ExportPolicy
GenericPolicy for A
GenericPolicy for B
Generic Policy for C
Additional security constraints for Inference Control
Real-time Knowledge Discovery (RT-KDD)
How does a data mining technique meet the timing constraint?
- E.g., if an association rule mining algorithm has a 5 minutes constraint, then should it output as many rules as possible within 5 minutes
- How does this affect the accuracy of the results?
- Will there be an increase in false positives and negatives? Approximate data mining
- Are there techniques analogous to techniques in approximate query processing
- Are incomplete results better than no results What are the applications for RT-KDD
- Give the results to the first responder/law enforcement official in 5 minutes so that he can take appropriate actions
Secure RT-KDD?
Secure Sensor/Stream Information Management: Directions
Individual sensors may be compromised and attacked; need techniques for detecting, managing and recovering from such attacks
Aggregated sensor data may be sensitive; need secure storage sites for aggregated data; variation of the inference and aggregation problem?
Security has to be incorporated into sensor database management
- Policies, models, architectures, queries, etc. Evaluate costs for incorporating security especially when the sensor
data has to be fused, aggregated and perhaps mined in real-time Data may be emanating from sensors and other devices at multiple
locations
- Data may pertain to individuals (e.g. video information, images, surveillance information, etc.); Data may be mined to extract useful information; Need to maintain privacy
Secure Stream based Execution Model:Integrate Kalogeraki stream model with UCON
QoS based Infrastructure support for hosting stream based applications
Component Discovery
- Data summarization and dissemination to propagate components and resource information to the appropriate nodes
- Bloom filter data structure based techniques QoS aware composition
- For each application request the user specifies the data source, application graph (describing the application components and their invocations) and real-0time requirements
Apply UCON model as the basis for security
- Integrate concepts from RT-UCON with stream based policies Our approach: Specify security policies and prove that the resulting
system is secure