William Luh

Security and Privacy for Distributed Multimedia Sensor Networks

There is a critical need to provide privacy and security assurances for distributed multimedia sensor networking in applications including military surveillance and healthcare monitoring. Such guarantees enable the widespread adoption of such information systems, leading to large-scale societal benefit. To effectively address protection and reliability issues, secure communications and processing must be considered from system inception. Due to the emerging nature of broadband sensor systems, this provides fertile research ground for proposing more paradigm-shifting approaches. This paper discusses issues in designing for security and privacy in distributed multimedia sensor networks. We introduce the heterogeneous lightweight sensornets for trusted visual computing framework for distributed multimedia sensor networks. Protection issues within this architecture are analyzed, leading to the development of open research problems including secure routing in emerging free-space optical sensor networks and distributed privacy for vision-rich sensor networking. Proposed solutions to these problems are presented, demonstrating the necessary interaction among signal processing, networking, and cryptography.

Distributed privacy for visual sensor networks via Markov shares

Visual sensor networks (VSNs) can be used to acquire visual data (i.e. images) for applications such as military reconnaissance, surveillance, and monitoring. In these applications, it is of utmost importance that visual data be protected against eavesdropping to uphold confidentiality and privacy rights. Furthermore, protection mechanisms for these sensor nodes must be efficient and robust to node capture and tampering. This paper considers a distributed approach to privacy in which highly correlated images within a dense sensor cluster are obfuscated. The particular approach, in which nodes within a cluster work together to create and transmit shares (called Markov shares) makes it necessary for an attacker to capture several correlated visual nodes and/or shares in order to gain improved semantic information of the observation area. The proposed technique does not require that the individual sensor node readings be exactly registered, nor the correlation model be known a priori. Simulation results based on a cluster of 18 nodes show: (1) most Markov shares use fewer bits per pixel than the original image hence providing compression capability; (2) a denial of service attack on a single node (e.g., corrupting a region of interest) has minimal impact on the reconstructed data at the sink; (3) five or more Markov shares need to be intercepted by an attacker before the semantic content of the desired image can be understood; and (4) authorized reconstruction of unregistered individual images with random rotation transformations up to 10 degrees is possible

Attacks on Sensing in Hostile Wireless Sensor-Actuator Environments

Wireless Sensor Networks (WSNs) deployed in hostile environments are susceptible to various attacks directed at their data. In this work we focus on an emerging and largely unexplored issue arising from the presence of actuator (or actor) nodes in the form of Wireless Sensor Actuator Networks (WSANs). Specifically, we consider the case where hostile WSAN nodes belonging to a foreign network directly perturb the readings of WSN nodes during sensing. The attack is modeled as affecting the decision that a WSN node reports about the presence or absence of a phenomenon to its cluster head. To assess the potential loss of sensing fidelity due to the opposing network, we employ a game theoretic analysis. We focus on determining the probability that the WSN cluster head becomes alerted to such an attack given some statistical information about the phenomenon. Our results show that an actuation attack may go unnoticed even if such an attack is not coordinated among the hostile WSAN nodes. Importantly, the number of WSN nodes in a cluster affects the probability of WSAN attack success. For clusters consisting of only a few nodes, the hostile WSAN may achieve a stealthy attack with a wider range of attack parameters. We also determine that natural phenomena with certain characteristics are more susceptible to the attack and require further sensing-verification mechanisms.

A novel distributed privacy paradigm for visual sensor networks based on sharing dynamical systems

Visual sensor networks (VSNs) provide surveillance images/video which must be protected from eavesdropping and tampering en route to the base station. In the spirit of sensor networks, we propose a novel paradigm for securing privacy and confidentiality in a distributed manner. Our paradigm is based on the control of dynamical systems, which we show is well suited for VSNs due to its low complexity in terms of processing and communication, while achieving robustness to both unintentional noise and intentional attacks as long as a small subset of nodes are affected. We also present a low complexity algorithm called TANGRAM to demonstrate the feasibility of applying our novel paradigm to VSNs. We present and discuss simulation results of TANGRAM.

Separate Enciphering of Correlated Messages for Confidentiality in Distributed Networks

This paper studies distributed joint secrecy and compression suitable for sensor networks. A capacity region that characterizes the tradeoff between compression and secrecy is derived. We demonstrate for the two-node case that under the restriction of separate enciphering (i.e., no inter-node collaboration) unconditional secrecy by both parties cannot be achieved simultaneously. A fundamental design rule for lightweight encoder implementation critical for secrecy based on distributed source coding using syndromes and Reed-Solomon codes is presented highlighting practical feasibility.

Distributed Keyless Secret Sharing Over Noiseless Channels

In traditional secret sharing, a central trusted authority must divide a secret into multiple parts, called shares, such that the secret can only be recovered when a certain number of shares are available for reconstruction [1], [2]. In this paper, we consider a secret sharing problem in which each share must be created separately by independent entities such that no collaboration or shared cryptographic keys are required; we call this the distributed keyless secret sharing problem. For this problem, general tradeoffs between compression and secrecy are characterized yielding the impossibility result that perfect secrecy is unachievable. In response to this impossibility, we define a practical measure of secrecy and design a low-cost solution based on this measure of secrecy.

Distributed Secret Sharing for Discrete Memoryless Networks

This correspondence studies the distributed secret sharing problem which is a twist of the classical secret sharing problem. In this new problem, each user needs to encode his or her own unique secret message without collaboration with other users and without the use of any common secret materials or cryptographic keys. The goal is to ensure that an adversary without access to all of the encoded messages learns as little as possible about the secret messages, while a legitimate joint decoder with all the encoded messages can decode all of them without cryptographic keys. Furthermore the users do not know the channels that will be compromised ahead of time, and thus must protect all channels. Specifically, we study two related variants of this problem. The first problem deals with source coding and secrecy, while the second problem deals with channel coding and secrecy. From the results of these two problems, we conclude that interference is necessary for unconditional secrecy.

Secure distributed source coding with side-information

This letter develops codes for the scenario in which users with correlated messages are to encipher and compress their messages without collaboration and without the use of cryptographic keys or other secret materials. We consider an eavesdropper that has access to an encoded message and in addition, some side-information in the form of uncoded symbols corresponding to the encoded message. Our codes are an extension of distributed source coding using syndromes (DISCUS) with the additional requirement of providing secrecy for the scenario described above. We state a secrecy condition that the subcodes of DISCUS must satisfy, and develop a general encoding algorithm meeting these conditions. We analyze the performance of the proposed code for the case of multiple eavesdropped messages.

G-E-M sensor networks for mission critical surveillance in hostile environments

The gathering of surveillance data such as visual intelligence from potentially hostile areas has long played a pivotal role in attaining various safety and security objectives. The methodology of gathering such surveillance is increasingly shifting towards rapid-deployment autonomous networks that limit the need for human exposure, and that cover large unattended areas while operating over extended periods of time. To achieve the surveillance objectives, such networks must be dependable and secure even in the presence of a potentially hostile counter-surveillance opponent. In this work we explicitly model and consider the presence of such an opponent in the form of a hostile sensor network with eavesdropping and actuation capabilities. We present a methodology for addressing the security and dependability issues arising in such extreme settings, which we collectively refer to as G-E-M. Specifically, we wish to ensure the legitimacy and authenticity of the gathered (G-E-M) visual surveillance in the presence of a hostile network engaged in stealthy disinformation activities. We also wish to ensure that the collected surveillance can be encrypted (G-E-M) for transmission even if keys between the nodes and the sink are temporarily compromised or otherwise unavailable. Finally we wish to ensure that the network design both inherently prolongs the lifetime of the network and also mitigates (G-E-M) deliberate energy drains. These issues are not typically examined collectively though the dependability of all these components is required to maintain the functionality and longevity of the network. Though developed and presented for the case of an attacker in the form of a hostile network, the methodologies have applicability to networks with a subset of subverted nodes that behave maliciously.

Distributed Secret Sharing over the Gaussian Interference Wiretap Channel

In the process of secret sharing, a single secret is encoded into multiple entities called shares. These shares possess the special properties that they jointly contain no information about the original secret unless a sufficient quantity of them are available for decoding [19]. There has been a recent trend in applying secret sharing to mobile ad hoc networks [21] because the process of encoding and decoding does not require the use of keying and key management. Furthermore, secret sharing is inherently robust to limited degrees of insider attacks, in which partial knowledge of shares become available to an attacker. However, in many other network scenarios, secret sharing is deemed unsuitable for two reasons. First, each user is required to create multiple shares leading to excessive overhead and unnecessary bandwidth expansion in the network. Second, the routing of the shares to the destination(s) must remain as separated as possible so that enough of them do not easily fall into the hands of a restricted enemy who may then successfully decode the original secret. Spatially-restricted enemies can be thwarted somewhat through the use of mobility of intermediate network nodes that provide avenues for different shares to be sent along non-overlapping routes [21].