Privacy Attack Countermeasures for IoT

Project Objectives

Privacy is a crucial factor inhibiting the proliferation of IoT devices and systems. Privacy concerns are aggravated in applications such as smart home and smart healthcare where sensing data containing personal information is continuously generated and often transmitted wirelessly onto the cloud. The sheer volume of this data poses huge challenges for privacy protection and (network) resource management. This project aims to design effective and resource-efficient countermeasures for IoT devices/systems against privacy attacks on different OSI layers. More importantly, the countermeasures should satisfy emerging security/privacy standards that accommodate the unique characteristics of IoT networks and their implications on privacy and resource requirements.

Technology Rationale

Data generated by ubiquitous IoT devices/systems contains rich information about private user attributes/activities. As this data passes through the OSI stack, adversaries can capture it in different forms and extract sensitive user information, causing a privacy breach. Many recent works demonstrate successful attacks on various forms of IoT data to accurately recover personal information (e.g., the activity level of a fitness tracker user from its BLE signal and a patient’s health conditions from encrypted medical sensor data). It is necessary to model potential privacy attacks and design countermeasures against them. For example, a countermeasure can take the form of perturbing or quantizing raw sensor data at the physical layer against untrusted application servers. It can also take the form of shaping packetized traffic at the network layer against adversarial eavesdroppers.

Privacy protection, however, comes at the cost of data utility loss or communication resources. Due to the limitation and heterogeneity of resources in IoT networks/systems, being able to optimally trade off utility/resources with privacy becomes a crucial desideratum for countermeasure design. On the other hand, directly applying existing technology well studied for the traditional Internet neglects the continuous sensing nature of IoT networks and will result in suboptimal performance. Therefore, we need to design novel countermeasures tailored for IoT systems that satisfy forward-facing security/privacy standards and offer direct tunability between privacy and utility/resources.

Technical Approach

Privacy/Security Standard: We choose Differential Privacy (DP) as the formal privacy definition for countermeasure design. DP has emerged over the last decade as a compelling framework for measuring the worst-case privacy risk in various applications. It offers privacy guarantees independent of the prior data distribution and resilient to arbitrary side information possessed by an adversary. Besides many advantages over information-theoretic (entropy and mutual information) and accuracy-based privacy measures, it provides a simple knob to directly configure the privacy parameter(s) for trading off privacy for data utility/network resources.

Model, Design & Theoretical Analysis: For different types of IoT data (e.g., raw sensor data and network packet traces), we create abstract data models. We then design different countermeasures (e.g., data obfuscator/quantizer and network traffic shaper) that take these input data models and generate random outputs from the same input data space for privacy protection. These random mappings from inputs to outputs must conform to the notion of DP and optimize for appropriate utility/resource measures. We model the optimization of such random mappings under privacy and utility/resource requirements as linear/convex programs which can be efficiently solved in practice. Moreover, given the structure of the optimization problems, we provide theoretical analysis for the privacy-utility/resource tradeoffs which are important guidelines for practical system designers.
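As an added illustration (not the project's code), the sketch below builds one such random mapping for quantized sensor readings and checks it against the local form of DP, i.e. Pr(y|x) ≤ e^ε · Pr(y|x') for every pair of inputs. It uses exponential-mechanism weights as a stand-in for the linear/convex program described above; the level values, the uniform prior and all function names are assumptions made for the example.

```python
import math
import random

def build_requantizer(levels, eps):
    """Row-stochastic matrix P[i][j] = Pr(output levels[j] | input levels[i])."""
    span = max(levels) - min(levels)   # sensitivity of the score -|x - y|
    t = eps / (2.0 * span)             # exponential-mechanism scaling
    P = []
    for x in levels:
        w = [math.exp(-t * abs(x - y)) for y in levels]
        z = sum(w)
        P.append([wi / z for wi in w])
    return P

def ldp_epsilon(P):
    """Smallest eps the mapping satisfies: worst log-ratio within any column."""
    worst = 0.0
    for j in range(len(P[0])):
        col = [row[j] for row in P]
        worst = max(worst, math.log(max(col) / min(col)))
    return worst

def expected_distortion(P, levels, prior):
    """Utility loss: mean absolute error between true and released level."""
    return sum(prior[i] * P[i][j] * abs(x - y)
               for i, x in enumerate(levels)
               for j, y in enumerate(levels))

def requantize(x_index, P, levels, rng):
    """Release one randomized level for the reading at index x_index."""
    return rng.choices(levels, weights=P[x_index], k=1)[0]

# Constructed sample: six heart-rate bins (bpm) with a uniform prior.
LEVELS = [60, 70, 80, 90, 100, 110]
PRIOR = [1.0 / len(LEVELS)] * len(LEVELS)

def tradeoff(eps_values):
    """(configured eps, achieved eps, expected distortion) per setting."""
    out = []
    for eps in eps_values:
        P = build_requantizer(LEVELS, eps)
        out.append((eps, ldp_epsilon(P), expected_distortion(P, LEVELS, PRIOR)))
    return out

if __name__ == "__main__":
    for eps, achieved, dist in tradeoff([0.5, 1.0, 2.0, 4.0]):
        print(f"eps={eps:<4} achieved={achieved:.3f} distortion={dist:.2f} bpm")
    P = build_requantizer(LEVELS, 1.0)
    print("released:", requantize(2, P, LEVELS, random.Random(7)))
```

The achieved ε stays at or below the configured value while distortion falls as ε grows, which is the privacy-utility knob the paragraph refers to; an optimized mapping would aim for lower distortion at the same ε.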

Prototype Evaluation on ORBIT: On top of evaluating the prototypical countermeasures on either synthesized data or in a simulated network environment, we want to evaluate their effectiveness/performance in more realistic network settings such as ORBIT. This enables us to understand the advantages/disadvantages of deploying such solutions in real systems, as well as factors that are not included in the theoretical modeling but substantially affect performance in practice.

Project Status

We have successfully designed data quantization (to counter inference attacks on raw sensor data) and traffic shaping mechanisms (to counter inference attacks on encrypted packet traces) satisfying DP. In simulated experiments, we have promising results showing the effectiveness and efficiency of these mechanisms at privacy protection with improvements upon existing and well-studied approaches. Some results are already in print in conference proceedings; more recent results are due to appear in a journal. We have constructed experiments on ORBIT to evaluate a prototype of the DP traffic shaper and obtained preliminary results, and more comprehensive evaluations are underway.

References

Sijie Xiong, Anand D Sarwate, and Narayan B Mandayam. Network Traffic Shaping for Enhancing Privacy in IoT Systems. (In submission to IEEE Transactions on Networking).

Sijie Xiong, Anand D Sarwate, and Narayan B Mandayam. “Defending Against Packet-Size Side-Channel Attacks in IoT Networks”. In: 2018 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE. 2018, pp. 2027–2031.

Sijie Xiong, Anand D Sarwate, and Narayan B Mandayam. “Randomized Requantization with Local Differential Privacy”. In: 2016 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE. 2016, pp. 2189–2193.