User Controlled Privacy in Participatory Sensing


Most of the sensor network applications in military
and civilian use are surreptitious. If these are used for the
benefit of society in addition to the individual needs a new set
of applications can be developed. This paper describes
infrastructure monitoring based on collaboration between
sensor networks. The solution provides a reputation based
hybrid network where collaborative trust is established based
on referrals (opinions). Depending on the trust, the
information is exchanged between one entity and another with
different authorization levels. The outcome of the paper is
collaborative data collection with privacy levels controlled by
individual users.




Document Transcript

ACEEE Int. J. on Network Security, Vol. 01, No. 03, Dec 2010
© 2010 ACEEE, DOI: 01.IJNS.01.03.187

Ramaprasada R. Kalidindi, KVSVN Raju¹, V. Valli Kumari², C.S. Reddy³

Dept. of Computer Science and Engineering, S.R.K.R. Engineering College, Bhimavaram-534204, India. rrkalidindi@computer.org
Dept. of Computer Science and Systems Engineering, AUCE(A), Andhra University, Visakhapatnam-533003, India. ¹ kvsvn.raju@gmail.com, ² vallikumari@ieee.org, ³ csatyanand@gmail.com

Keywords- privacy control; trust; reputation; collaborative networks; urban sensing; participatory sensing; sensor networks.

I. INTRODUCTION

Widespread use of low cost tiny sensors in civilian applications and their eventual integration with Internet has made them pervasive [1, 2, 3]. Often data collected from sensor networks in the urban environments inhabited by humans constitute personal information. The acceptance of these sensor networks as public infrastructure will need citizens' participation and collaboration. This type of application in urban areas is entirely different from habitat monitoring, where privacy is not a concern. Deploying these networks without addressing the security and privacy concerns will turn against those whom it is meant to benefit. User acceptance depends on the provision of appropriate mechanisms to deal with these concerns. The main privacy problem in sensor networks is that they generate large volumes of information which is easily available through remote access. Ensuring that sensed information stays within the sensor network and is accessible only to trusted parties is an essential step toward achieving privacy [4].

Allowing individuals control over how personal data is collected, distributed and processed addresses privacy (information privacy) issues. This can be achieved by providing a resolution control in the hands of the user. High resolution data is more useful, but this choice could be left to the individual provider so that privacy control can be done at the source [5, 6]. In an urban environment establishing a sensor network over a large area is not practically feasible due to cost, but with people's participation this can be done with minimum cost. For example, consider these two applications.

First, the civic authorities in metropolitan cities provide general amenities and security to the public depending on the time variant density of population during work hours in offices, evening at parks, and night at clubs etc. This may vary during week days, weekends, festivals, functions and meetings. Estimating the requirement and deploying the security personnel and ambulances and other amenities dynamically is not precise, as getting the real time data is difficult and costly. Assuming that each person has a cell phone, the population density of people at a point of time can be identified using cell phone location [7].

Second, the spread of a contagious disease and its consequences are known to public and health authorities only after certain casualties. But estimating the disease spread in real time depending on the people's queries to health websites (viz. Google flu trends) minimizes casualties and certain areas can be quarantined in advance [8]. Sharing person specific data for this type of application is not possible without the consent of its owner. If the granularity of the data is high, there will be more applications of this kind.

Automatic collection of higher granular data is possible with networked sensors at higher densities. When these are used around human habitats they will collect human related data, but people do not want to make private life public. Most of today's sensor network applications are pervasive in nature, in which a centralized authority is used to collect data from individuals. But the individuals do not have any control over their private data. For example, giving cell phone location to unauthorized agencies is not allowed under privacy laws. If an individual is willing, this information can be shared with others. People may not be willing to share this information at all times. If the individual has control over when to share and what to share, more people will allow sharing. This will lead to new applications like location advertising, alerting nearest emergency services etc., where collaborative and opportunistic sensing is used to realize pervasive applications [9]. More people will participate in these endeavors if privacy control is with the individual rather than with a centralized authority.
For infrastructure monitoring applications in gated communities, apartment buildings and rented commercial complexes, solutions are provided with different networks for different tasks like power management, water management, security and surveillance etc. With the availability of sensors with multi-sensing capabilities and Internet connectivity, these independent networks can be converted to a single IP based Building Information Network [10] to reduce the overall cost. This development in sensor networks will reduce manpower and other costs for the infrastructure developer and facilitate monitoring of the property remotely by the owners. If the owner is willing, these networks can be integrated to have pre-installed sensor networks by the developer. The owner will not accept developer control over his/her private data. If solutions are available to have control with the owner, he/she may be interested to share some data willingly. Each owner can establish or can accept a pre-installed individual network and it can be integrated with other individual sensor networks to form an integrated network maintained by a third party. These sensor networks maintained at a residential locality can be integrated with another network through Internet. This will create an urban infrastructure for solid waste management, pollution control, disaster management, etc., for the benefit of citizens.

To this end, we described a model for infrastructure monitoring by collecting data from individual wireless sensor networks (WSNs). The rest of the paper is organized as follows: Section II describes related work, Section III describes collaboration based information monitoring, Section IV contains a description of the model and the trust value representation and assumptions, Section V provides the evaluation of the model and Section VI concludes the paper and suggests possible future directions.

II. RELATED WORK

Giang et al. [11] proposed a scheme to control privacy exposure by trust evaluation on the basis of previous transactions and peer recommendation. The authors developed a methodology to estimate trust value and depending on this trust, users can have a privacy policy to decide about how much data can be given to others. The solution is for sharing personal data in the computer in a ubiquitous environment.

The hybrid trust management scheme by Shaik et al. [12] minimizes resource utilization at sensor nodes with a hierarchical distributed WSN, where the group has a trust value. The authors presented a trust model which calculates trust in three phases at node, cluster head and base station.

Chen et al. [13] presented a scheme for trust rating propagation by on demand and trigger methods in WSNs. The authors aggregated the trust rating from other nodes with the node's trust value from its own observation.

Mitseva et al. [14] presented a privacy protection mechanism with context aware trust establishment for applications in medical and vehicular network scenarios. The authors integrated this mechanism into the hybrid hierarchical WSN using anonymization and controlled information disclosure.

III. COLLABORATION BASED INFRASTRUCTURE MONITORING

A. Application Scenario

Monitoring the flats in apartment buildings, houses in gated communities and shops in commercial complexes uses video surveillance networks for maintaining security and other sensor networks for maintenance by the developer. The owners of the flats (or houses/shops) can also have their own sensor networks to monitor their property. The model describes sensor networks in apartment buildings, but it can also be applied to the other applications above.

B. Network Model

[Figure 1. Hierarchical Wireless Sensor Network. Labels: Internet, Base station (B), Cluster head (C), Sensor field, Sensor node (s1-s4), Wired link, Wireless link.]

The proposed model in Fig. 1 is a hierarchical architecture for integration of sensor networks with Internet.

Wireless sensors ease the deployment¹. The sensors deployed in a flat (sensor field) are connected to a station called Cluster Head (C) stationed in each flat. Each Sensor Node sends data to the cluster head. The cluster head stores data from all sensors, so that the owner of the flat can decide with whom he/she can share the data. If the flat was rented, the owner can delete private data from the cluster head and after that the tenant will be the owner of the data. These cluster heads are connected to a Base Station (B) maintained by the maintenance authority and in turn the base station is connected to Internet. The cluster head will share certain infrastructure related data like overhead water tank level etc. with the base station. The base station will maintain shared data and participate in urban infrastructure through Internet.

¹ The sensor nodes are installed through a cluster head and the security key is only known to the particular cluster head. Since the wireless signal can be received by any cluster head within the range, the data is encrypted and only the corresponding cluster head can decrypt. Unidirectional wireless links shown in Fig. 1 are secure links connected to cluster head.

The data collection mechanism is composed of four levels viz. sensor node, cluster head, base station and emergency agencies through Internet. Sensor nodes collect data from physical activity and send it to the cluster head. The cluster head updates data at the base station periodically. Emergency management agencies can access data at the base station through Internet to deal with emergencies or the base station can alert the agency in case of emergencies. Authorized users can access data at the cluster heads and base station. This work attempted to give access to data among trusted parties by finding the trustworthiness using reputation.

Sensor Nodes (s1-s4) collect data about the physical activity like state of bedroom door, light, overhead water tank level, fire alarm etc. They transmit this data to the Cluster Head (C). The cluster heads are connected to the Base Station (B). The base station sends emergency data to emergency services which are connected through Internet. The links between sensor nodes and cluster head are unidirectional. The link between cluster head and base station is bidirectional. These links are secured and the base station is connected to Internet.

This model assumes a multi-owner and multi-user network with sensor nodes, which continuously produce data. The owners of different cluster heads can categorize sensors as s1 to s4. Table I gives the type of data from various sensors.

TABLE I. TYPES OF SENSORS

| Sensor | Data of interest |
|--------|------------------|
| s1 | State of bedroom door, light, etc. (Personal) |
| s2 | State of living room door, water heater, A/C etc. (Flat utilities) |
| s3 | Overhead tank water level, power meter reading, etc. (Maintenance utilities) |
| s4 | Fire, theft alarm, earthquake detection, etc. (Emergency) |

The owners of cluster heads, the administrator at the base station and disaster management teams which are using the emergency sensors' data will be the users of the network. At each cluster head, there are four authorization levels A1 to A4 to access different types of data. Table II gives the authorization levels. These levels will determine to what extent the user can have access to data.

TABLE II. USER AUTHORIZATION LEVELS

| Level | Users |
|-------|-------|
| A1 | Self |
| A2 | Trusted friends |
| A3 | Infrastructure maintenance authority |
| A4 | Emergency services (Fire services, police, disaster management teams, etc.) |

A user authorized at level A1 can have access to the entire data at cluster head level, has privileges to give authorization for other users and can configure the sensor network. At level A2 data from sensors s2, s3 and s4 can be accessed. At level A3 data from s3 and s4 sensors can be accessed. At level A4 data from s4 sensors can be accessed. The data from s4 sensors is generated in emergencies and is available through the base station. Since the owner of information can authorize others for different levels of authorization, the access control will be with the owner. All cluster heads send data from s3 and s4 sensors to the base station. The data from s1 sensors is personal and is accessible to the owner only. The data from sensors s2, s3 and s4 can be shared with neighbors. They can access this data at their cluster head through a secured link provided by the base station, since each cluster head is connected to the base station.

The authorization level A2, assigned to different cluster heads, may be withdrawn if the occupant of a flat does not have trust in them. In a social community, trust between two individuals is developed based on their transactions over time. When a flat owner who is in control of a cluster head wants to share information with friendly neighbors, he/she can trust only a few neighbors. When these neighbors are changing continuously (new owners and new tenants) trusted neighbors are to be identified dynamically. For example, if the owner of a flat gives it for rent, the sensor network collects the tenant's data. The tenant may not be interested in sharing his/her data with the owner's trusted friends, who may not be his/her trusted friends. This requires calculation of trust about other cluster heads at the cluster head periodically. When faced with uncertainty, individuals trust and rely on the previous transactions and opinions of others who have had good transactions with them in the past.

Initially when a new owner approaches the maintenance authority for a flat, they will undertake an agreement which is a legally binding document on two parties. This document will give an initial trust, which is called institutional trust, between them. An owner develops a reputation for each other owner by making direct observations about other owners in the neighborhood. This reputation is used to help an owner evaluate the trustworthiness of others and make a decision to share data within the network.

IV. PROPOSED MODEL

In a social environment, we trust people depending on past interactions with them. These past interactions will be used to build the reputation of a particular person. In the absence of these interactions, we take the opinion of others to build initial trust. In the network model described in Section III.B, the data is stored with the cluster head and it is exchanged with the base station and other cluster heads, depending upon their authorization levels. We have to trust the entities behind these cluster heads and authorization levels are to be entrusted to each entity. Since this trust is needed in between the entities which are dealing with authorization, only the network of base station and cluster heads is considered. The terminology used in the remaining sections is given below.

Base station (B) is the maintenance authority, which will maintain data coming from the cluster heads pertaining to certain sensors and is connected to all cluster heads and the Internet.

Node (N) is the cluster head which will collect data from sensor nodes and forward certain types of sensors' data to the base station.

Neighbor is one of the remaining cluster heads which is connected to the base station, with which a cluster head wants to share information or collect opinion.

Opinion ($O_{xy}$) is the value given by a node x depending upon the reputation of y.

A. Reputation

Reputation of a node is the satisfaction of usage of shared data and its reciprocation in sharing data. As part of infrastructure, the nodes are sharing part of the data with the base station. The base station gives reputation ratings depending on their participation in sharing the data. A node can also share data with another node and it gives a reputation rating depending on how the other node is using the shared data and whether it is sharing data with it or not. A node can take reputations from other nodes and can derive an opinion value considering the reputations and its own transactions.

Let there be n nodes ($N_1$ - $N_n$) connected to the base station, B. The reputation of a neighbor $N_j$ at node $N_i$ is derived from the direct reputation of $N_j$ at $N_i$ and the observed reputation of $N_j$ collected from other nodes and the base station at $N_i$. The direct reputation, $R_{ij}^{e}$, is an event driven reputation of a node $N_j$ as perceived by node $N_i$ when it is directly transacting with node $N_j$, and $R_{ij}^{e} \in [0,1]$. The observed reputation $R_{ij}^{o}$ of a node $N_j$ as perceived by node $N_i$ reflects $N_j$'s behavior with neighbors in the community, and $R_{ij}^{o} \in [0,1]$. The base station has transactions with all other nodes. The nodes may or may not have transactions with other nodes; $t_{ij}$ is the total and $t_{ij}^{s}$ is the successful number of transactions between nodes $N_i$ and $N_j$.

The base station and each node will maintain a reputation table consisting of the direct reputation of the node and the total number of transactions with that node, for the base station and all nodes in the network. The self reputation value is one (i.e., $R_{ii}^{e} = 1$). All transactions to itself are successful transactions (i.e., $t_{ii}^{s} = t_{ii}$).

Fig. 2 shows transactions between the base station and nodes. A thick line indicates a transaction and a dashed line indicates a request to get an opinion.

[Figure 2. Interactions with nodes to obtain Nj's reputation. Labels: B, N1, N2, Ni, Nj, Nn; Transaction, Request for opinion.]

When a node $N_i$ wants to calculate the trust of a particular node $N_j$ it sends a broadcast request to the base station and all other nodes. These nodes will respond to this request by sending the reputation of $N_j$, and the total number of transactions with $N_j$, which are available in their respective reputation tables. Responding to the request is treated as a positive transaction which will increase the reputation of the responding node, thereby encouraging responses. Every time a node interacts with another node it updates its reputation table.

B. Direct Reputation

The direct reputation $R_{ij}^{e}$ is the ratio of successful and total transactions of node $N_i$ with node $N_j$. When a node requests information from a node, if the other node responds by sending the information it will be treated as a successful transaction; no response will be treated as an unsuccessful transaction. When a node $N_i$ has $t_{ij}$ total transactions and among them $t_{ij}^{s}$ is the successful number of transactions with $N_j$, the direct reputation is given as in (1).

$$R_{ij}^{e} = \frac{t_{ij}^{s}}{t_{ij}} \tag{1}$$

In a social environment, when we deal with persons, we form an opinion taking the reputation of that person in the community into account. It may be a positive or negative opinion depending on various inputs we have about that person. The definition of opinion, as given by Oxford dictionary, is a belief or judgment about a particular thing, which is not necessarily based on fact or knowledge. If reputation is considered to form an opinion, more than half of successful transactions is considered as positive and less than half as negative. The personal opinion $O_{ij}^{p}$ of node $N_i$ about $N_j$ is given as in (2).
$$O_{ij}^{p} = \begin{cases} R_{ij}^{e} - 0.5 & \text{if } t_{ij} \neq 0 \\ 0 & \text{if } t_{ij} = 0 \end{cases} \tag{2}$$

$O_{ij}^{p} \in [-0.5, 0.5]$; a positive value represents a positive opinion and a negative value represents a negative opinion.

C. Observed Reputation

The observed reputation $R_{bj}^{o}$ is derived from the reputation collected from the base station by node $N_i$ about $N_j$ and the base station reputation at node $N_i$. For example, if $N_i$ requests the base station to send data about $N_j$, the base station sends $R_{bj}^{e}$ and $t_{bj}$ values. The reputation $R_{ij}^{o}$ is derived from the direct reputation value $R_{bj}^{e}$ received from the base station and the direct reputation $R_{ib}^{e}$ stored at node $N_i$ about the base station as in (3).

$$R_{bj}^{o} = R_{ib}^{e} \cdot R_{bj}^{e} \tag{3}$$

Opinion ($o_{bj}$) of the base station about node $N_j$ is given as in (4).

$$o_{bj} = \begin{cases} R_{bj}^{o} - 0.5 & \text{if } t_{bj} \neq 0 \\ 0 & \text{if } t_{bj} = 0 \end{cases} \tag{4}$$

$o_{bj} \in [-0.5, 0.5]$. Since the opinions collected from the base station and other nodes may not match with each other, these are rounded to one decimal place so that the majority opinion is selected. Let $S = (o_{bj}, o_{1j}, o_{2j}, \ldots, o_{nj})$ be the set of opinions (rounded to one decimal place) from the base station and other nodes. The majority of the observed opinions $O_{ij}^{o}$ is given as $O_{ij}^{o} = M(S)$, where $M$ is a function to find the mode of the given set of opinions $S$ from the base station and other nodes.

D. Evaluating the Opinion

The overall opinion $O_{ij}$ is node $N_i$'s opinion on $N_j$ and is given as in (5).

$$O_{ij} = w_i O_{ij}^{p} + (1 - w_i) O_{ij}^{o} \tag{5}$$

Here $w_i$ is the weight assigned to the personal opinion among personal and others' opinions at $N_i$. When a node has a sufficient number of transactions to judge, there is no necessity of taking others' opinions. If a node has more total transactions than the average total transactions done by other nodes, the node will take only its own opinion into account ($w_i = 1$); otherwise others' opinion is also considered and the weight $w_i$ is given as in (6).

$$w_i = \frac{n\, t_{ij}}{\sum_{k=b,1}^{n} t_{kj}} \quad \text{if } t_{ij} < \frac{\sum_{k=b,1}^{n} t_{kj}}{n} \tag{6}$$

Users at cluster heads collect opinions and consider them in establishing trust with neighbors. Depending on this trust they authorize users to different levels, thereby having control over the extent to which they share their data.

V. MODEL EVALUATION

In housing infrastructure, having hundreds of houses at a particular place is quite common, but having thousands of houses in a single project is very rare. For evaluating our model we have taken one hundred nodes having transactions up to ten thousand. Opinions were derived from the reputations and the majority opinion is taken for consideration as others' opinion, as shown in Fig. 3.

Fig. 4 shows the majority opinion when the number of responding nodes giving the opinion varies. The average opinion, which will vary with the values given by responding nodes, is also shown. The majority opinion is almost constant except one, for a sufficient number of transactions.

In this paper, we presented a procedure to evaluate opinion values. These values are used to establish trust and thereby to give authorization. But the behavior of nodes with bad intentions and colluding with other nodes to get a good opinion are a hindrance to trust establishment.
VI. CONCLUSION AND FUTURE DIRECTIONS

With the emergence of widespread use of sensors in an urban environment, the need for a proper trust management between the collaborative entities and the need of the privacy control with each collaborative entity is strongly felt. Privacy control at the source will enable willing and engaged participation of citizens to create urban infrastructure with reduced cost. This work considered the problem of establishing trust with neighbors in a sufficiently large residential community by collecting opinions from others. The data is shared by setting authorization levels to others depending on trust. Trust estimation under malicious behavior of nodes, collusion between nodes to get authorization is a problem. Taking risk factor into consideration along with trust to exchange data are the areas to be considered for further study to have a robust trust management for participatory sensor networks.

REFERENCES

[1] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Commn. Mag., vol. 40, August 2002, pp. 102-114.
[2] C. Chong, and S.P. Kumar, “Sensor networks: Evolution, opportunities, and challenges,” Proceedings of the IEEE, vol. 91, August 2003, pp. 1247-56.
[3] D. Estrin, R. Govindan, J. Heidemann, and S. Kumar, “Next century challenges: Scalable coordination in sensor networks,” Proc. ACM Mobicom’99, 1999, pp. 263-270.
[4] H. Chan, and A. Perrig, “Security and privacy in sensor networks,” IEEE Computer, vol. 36, October 2003, pp. 103-105.
[5] D. Cuff, M. Hansen, and J. Kang, “Urban sensing: Out of the woods,” Communications of ACM, vol. 51, March 2008, pp. 24-33.
[6] D. Wright, D. et al., “The illusion of security,” Communications of ACM, vol. 51, March 2008, pp. 56-63.
[7] K. Shilton, “Four billion little brothers? Privacy, mobile phones, and ubiquitous data collection,” Communications of ACM, vol. 52, November 2009, pp. 48-53.
[8] Google, “Google flu trends,” 2010, http://www.google.org/flutrends (2nd August 2010).
[9] C. Cornelius, A. Kapadia, D. Kotz, D. Peebles, M. Shin, and N. Triandopoulos, “AnonySense: Privacy-aware people centric sensing,” Proc. ACM MobiSys’08, 2008, pp. 211-224.
[10] Cisco, “Cisco Connected Real Estate for healthcare: Changing how hospital real estate is developed, used, and managed,” 2009, www.cisco.com/.../healthcare/08CS1312-HC_Conn_RealEst_20090208.pdf (2nd August 2010), 6 pages.
[11] P.D. Giang, L.X. Hung, R.A. Shaikh, Y. Zhung, S. Lee, Y.K. Lee, and H. Lee, “A trust based approach to control privacy exposure in ubiquitous computing environments,” Proc. IEEE Int. Conf. on Pervasive Services, 2007, pp. 149-152.
[12] R.A. Shaik, H. Jameel, S. Lee, S. Rajput, and Y.J. Song, “Trust management problem in distributed wireless sensor networks,” Proc. 12th IEEE Int. Conf. on Embedded and Real Time Computing and Applications, IEEE Computer Society, 2006, 4 pages.
[13] H. Chen, H. Wu, X. Cao, and C. Gao, “Trust propagation and aggregation in wireless sensor networks,” Proc. Japan-China Joint Workshop on Frontier of Computer Science and Technology, IEEE Computer Society, 2007, 8 pages.
[14] A. Mitseva, M. Gerlach, and N.R. Prasad, “Privacy protection mechanisms for hybrid hierarchical wireless sensor networks,” Proc. IEEE ISWCS 2007, pp. 332-336.