Enabling Information Confidentiality in Publish
advertisement
Enabling Information Confidentiality in
Publish/Subscribe Overlay Services
Hui Zhang Haifeng Chen Guofei Jiang
Xiaoqiao Meng
Kenji Yoshihira
NEC Labs America
Abhishek Sharma
University of Southern California
©NEC Laboratories America
1
Outline
Problem statement
Information confidentiality in pub/sub overlay services
Information foiling
Mechanism description
Performance metrics
Fake message generation schemes
Evaluation
Conclusions & future work
©NEC Laboratories America
2
Publish/Subscribe overlay services
Subscription
Publisher X
Event
Subscriber A
Broker network
Subscriber B
Publisher Y
©NEC Laboratories America
3
Information confidentiality in pub/sub services
Publish/subscribe decouples publishers and subscribes.
Events are characterized into classes, without knowledge of what (if
any) subscribers there may be.
Subscribers express interest in one or more classes, and only receive
messages that are of interest, without knowledge of what (if any)
publishers there are.
New confidentiality problems in this content-based routing
process
Can the broker network perform content-based routing without the
publishers trusting the broker network with the event content?
Information confidentiality
Can subscribers obtain dynamic data without revealing their
subscription functions (content) to the publishers or broker network?
Subscription confidentiality
Can publishers control which subscribers may receive particular
events?
Publication confidentiality
©NEC Laboratories America
4
Problem definition
Formulation of pub/sub confidentiality as a
communication problem.
Upon an event e, the broker determines if each subscription s
in the active subscription set matches the event based on a
function f(e; s), but without learning the information contained
in e and s.
Threat model: a broker is assumed to be computationally
bounded and exhibits a semi-honest behavior.
©NEC Laboratories America
5
Information foiling – the mechanism
©NEC Laboratories America
6
Information foiling – the mechanism
1. Subscriber: for each active subscription, generates ks foiling
subscriptions, and send them in a random order to the broker
which store them all as active subscriptions.
2. Publisher: for each event, generates kp foiling events, and send
them in a random order to the broker.
3. Broker: upon each arriving event e, decides the subset of the
active subscription set and send one notification for each
matched subscription.
4. (optional) Subscriber: upon a notification associated with one
authentic subscription, sends a confirmation request to the
publisher.
5. (optional) Publisher: upon a confirmation request, sends a reply
to the subscriber upon the authenticity of the related event.
©NEC Laboratories America
7
Information foiling – performance metrics
Assume the attacker has a function F : f{e, Ee} -> G,
that takes the composite message set {e, Ee} as input
and outputs a message set G {e, Ee} consisting of
messages that the attacker perceives as useful.
Metric 1: indistinguishability
defined as
, where I(e, G) = 1 if e 2 G; 0 otherwise.
Metric 2: truth deviation
dened as
, where D(e, g) is the difference
between the values of messages e and g.
Metric 3: communication overhead
it depends not only on the information foiling mechanism but
also on the actual data distributions of the authentic events
and subscriptions.
©NEC Laboratories America
8
Fake message generation – a probabilistic model
Consider an event message m with L attributes.
Let the value Vi for attribute Ai in m be a random variable taking
values in V according to a probability mass function pVi .
Let Vm = (V1, V2, …, VL), represent m, i.e., a vector of random
variables associated with message taking values in VL.
Each of the K foiling messages generated by the information
foiling scheme for m can be thought of as a random variable
vector taking values in VL.
We discussed three scenarios where different fake message
generation schemes are designed with the performance
requirements defined on the 3 metrics.
The scenarios are differentiated based on the foiler/attacker’s
knowledge on the pmf for Vm:
©NEC Laboratories America
9
Evaluation - methodology
Pub/sub service: stock quoting
Stock price volatility is a random walk with variance a normal
distribution [Black-Scholes model]
Fake message generation:
Sit = St + ni , where Sit is the i-th fake message for the authentic
stock price information St, and ni is white Gaussian noise.
Attacker’s strategy:
Uniform Sampling: The attacker picks each of the K+1 messages as
the correct message with the same probability.
Extended Kalman Filter : Use an extended Kalman filter to generate
estimates
, and then picks the observed message j which is
data trace:
finance.yahoo.com
©NEC Laboratories America
10
Evaluation results - 1
The curve labeled
“Sig. Events” shows
the probability of
correct guess by
the attacker when
the stock price
changes by a large
amount.
©NEC Laboratories America
11
Evaluation results - 2
A value of
“Factor-10”
means the
variance of the
noise was 10
times the variance
of stock price.
higher variance
for the added
noise achieves
a higher truth
deviation.
©NEC Laboratories America
12
Conclusion and Future Work
We propose a security mechanism called “information foiling” to
address new confidentiality problems arising in pub/sub overlay
services.
Information foiling extends Rivest’s ”Chaffing and Winnowing” idea.
Our scheme is complementary to the traditional cryptography-based
security schemes and offers probabilistic guarantees on information
confidentiality.
Many interesting open problems for future work.
The need for a stronger guiding theory to better understand
An analytic study on the fundamental trade-off between the fake
message number, indistinguishability, and truth deviation is
important.
Investigating the interaction between a foiler and an attacker in
game theory.
The designs of optimal FMG schemes for other interesting and
important application scenarios are needed.
©NEC Laboratories America
13
Thank you!
Questions?
©NEC Laboratories America
